Windows Analysis Report
ScreenBeam_Conference_Windows.msi

Overview

General Information

Sample Name: ScreenBeam_Conference_Windows.msi
Analysis ID: 1342019
MD5: 622db211df1391e36131e016dcf4b456
SHA1: 0c710b9daeee0b989ab3daa033325e7423f540f1
SHA256: 6857ba1332bb238db99876920d901449091d1c6031a16a0e5b0e759ac1fab8eb

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sample is not signed and drops a device driver
Yara detected Generic Downloader
Drops executables to the windows directory (C:\Windows) and starts them
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates files inside the system directory
Queries device information via Setup API
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Creates driver files
Binary contains a suspicious time stamp
Registers a DLL
Contains functionality to read device registry values (via SetupAPI)
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6808 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ScreenBeam_Conference_Windows.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 5700 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2484 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F648D474375A48DA022532DC9F731B8A C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7660 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 5E45740EEBE07AEAE92F6AE88589C9E1 C MD5: E5DA170027542E25EDE42FC54C929077)
      • rundll32.exe (PID: 7700 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4287265 90 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 7732 cmdline: "DefMic.exe" --def MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 7868 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI72CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4289250 100 ByomCustomAction!ByomCustomAction.CustomActions.VerifyDriverBusy MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 7896 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 8008 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • DefMic.exe (PID: 8068 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 8132 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 5448 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI978D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4298671 128 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 1196 cmdline: "DefMic.exe" --def MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 2640 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4302796 138 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 3512 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 7452 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 3496 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4304703 164 ByomCustomAction!ByomCustomAction.CustomActions.RemoveDriver MD5: EF3179D498793BF4234F708D3BE28633)
        • sbdrvmgr.exe (PID: 6292 cmdline: sbdrvmgr.exe" --remove "ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 3128 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 24E524746DDC70772B4CA7E228956C7E MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 1640 cmdline: C:\Windows\System32\MsiExec.exe -Embedding BCEC60AB9177671AE7619B486BDB0526 MD5: E5DA170027542E25EDE42FC54C929077)
      • rundll32.exe (PID: 2024 cmdline: rundll32.exe "C:\Windows\Installer\MSIC1B2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4309484 133 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 4000 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 3588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 3740 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 4556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 6100 cmdline: rundll32.exe "C:\Windows\Installer\MSICB1B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4311843 160 ByomCustomAction!ByomCustomAction.CustomActions.WaitForUnpairDeviceApp MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 1016 cmdline: rundll32.exe "C:\Windows\Installer\MSIEAFA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4319984 168 ByomCustomAction!ByomCustomAction.CustomActions.StopSBUCProcesses MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 5600 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 3272 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 3804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • DefMic.exe (PID: 5652 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 6024 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 3844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 6384 cmdline: rundll32.exe "C:\Windows\Installer\MSIF962.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4323687 220 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 6576 cmdline: "DefMic.exe" --def MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 6924 cmdline: rundll32.exe "C:\Windows\Installer\MSI114.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4325656 230 ByomCustomAction!ByomCustomAction.CustomActions.SetIsInstallingTrue MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 7128 cmdline: rundll32.exe "C:\Windows\Installer\MSI80C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4327421 437 ByomCustomAction!ByomCustomAction.CustomActions.IsDriverBusy MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 7152 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 6228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 7384 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 884 cmdline: rundll32.exe "C:\Windows\Installer\MSI10E7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4329687 452 ByomCustomAction!ByomCustomAction.CustomActions.DisableCampfilters MD5: EF3179D498793BF4234F708D3BE28633)
        • regsvr32.exe (PID: 7748 cmdline: regsvr32" /u /s "C:\Program Files\ScreenBeam\Conference\\app\Filters\x86\SBCamFilter32.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • cleanup
No configs have been found
Source: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll
Rule: JoeSecurity_GenericDownloader_1
Description: Yara detected Generic Downloader
Author: Joe Security
Strings:
    No Sigma rule has matched
    No Snort rule has matched

    Source: C:\Windows\System32\msiexec.exe, File created: C:\Program Files\ScreenBeam\Conference\eula.rtf
    Source: C:\Windows\System32\msiexec.exe, Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreenBeam Conference 1.0.5.1
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbkd.sysJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbcp.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbkd.sysJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgrJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64\wdmdrvmgr.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86\wdmdrvmgr.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.xmlJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.FoundationContract.winmdJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.UniversalApiContract.winmdJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\Windows.WinMDJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\CreateProcessAsUser.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Microsoft.Win32.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.AppContext.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Concurrent.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.NonGeneric.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Specialized.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.EventBasedAsync.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.TypeConverter.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Console.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Data.Common.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Contracts.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Debug.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.FileVersionInfo.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Process.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.StackTrace.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TextWriterTraceListener.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tools.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TraceSource.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tracing.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Drawing.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Dynamic.Runtime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Calendars.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.ZipFile.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.DriveInfo.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Watcher.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.IsolatedStorage.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.MemoryMappedFiles.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Pipes.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.UnmanagedMemoryStream.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Expressions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Queryable.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Http.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NameResolution.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NetworkInformation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Ping.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Requests.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Security.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Sockets.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebHeaderCollection.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.Client.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ObjectModel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Reader.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.ResourceManager.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Writer.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.CompilerServices.VisualC.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Handles.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.RuntimeInformation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Numerics.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Formatters.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Json.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Xml.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Claims.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Algorithms.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Csp.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Encoding.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.X509Certificates.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Principal.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.SecureString.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.RegularExpressions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Overlapped.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Thread.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.ThreadPool.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Timer.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ValueTuple.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.ReaderWriter.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XDocument.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlDocument.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlSerializer.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.XDocument.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.FoundationContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Windows.WinMD
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\config1_base.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ipsee.txt
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libcrypto-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libssl-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\runconfig.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ssl.ca
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ssl.key
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\user manual.pdf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\vcruntime140.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\zlibwapi.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\en-US
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\en-US\SBConference.Model.resources.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Interop.NetFwTypeLib.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\config2_base.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Direct3D9.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.DXGI.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Mathematics.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.MediaFoundation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\BouncyCastle.Crypto.dll
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.pdb source: DefMic.exe, 0000000B.00000002.2358616725.00000000014B3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbuser\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\UsersC: source: DefMic.exe, 00000022.00000002.2560635486.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb$ source: DefMic.exe, 00000035.00000002.2738938251.00000000013F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Release\DefMic.pdb source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000014.00000002.2476040225.00000000006A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: DefMic.exe, 0000000F.00000002.2369252046.0000000001547000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2492339195.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdb0@` source: DefMic.exe, 00000008.00000002.2341656730.00000000005FE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConference.Common.pdb_1 source: 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Windows\DefMic.pdbKa source: DefMic.exe, 00000031.00000002.2702795588.0000000001210000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358616725.00000000014B3000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2492339195.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560635486.0000000000B11000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702795588.0000000001230000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000035.00000002.2738938251.00000000013F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\agent\_work\66\s\build\ship\x64\SfxCA.pdb source: MSIEAFA.tmp.1.dr, 41b4a0.msi.1.dr
    Source: Binary string: Microsoft.Xaml.Behaviors.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Windows\DefMic.pdbLE source: DefMic.exe, 00000022.00000002.2560635486.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIEAFA.tmp-\DefMic.pdb source: DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConference.Model.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: m,C:\Windows\DefMic.pdb source: DefMic.exe, 00000008.00000002.2341640246.00000000004FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358174906.0000000000FBA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2368994597.00000000012FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000014.00000002.2473367417.000000000057A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2491830264.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560280400.000000000096A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2664605125.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2678828012.000000000136A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702148715.0000000000EFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000035.00000002.2738513481.00000000010FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSI80C.tmp-\DefMic.pdb(XM source: DefMic.exe, 00000035.00000002.2738938251.00000000013D0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: XamlAnimatedGif.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Windows\DefMic.pdbdoZ&8 source: DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdb source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358616725.00000000014B3000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000014.00000002.2476040225.00000000006A2000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2492339195.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560635486.0000000000B11000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702795588.0000000001230000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb source: System.Reflection.Primitives.dll.1.dr
    Source: Binary string: mC:\Windows\Installer\MSIF962.tmp-\DefMic.pdb source: DefMic.exe, 00000031.00000002.2702148715.0000000000EFA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: enkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb source: DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2679502416.00000000015A7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.PDBJ source: DefMic.exe, 00000017.00000002.2492339195.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIEAFA.tmp-\DefMic.PDB2GE source: DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIEAFA.tmp-\DefMic.PDB2/ source: DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.1.dr
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdb0! source: DefMic.exe, 00000017.00000002.2492339195.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: DefMic.exe, 0000000F.00000002.2369252046.0000000001514000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2492339195.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560635486.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2665361074.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702795588.00000000011FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: 41b4a0.msi.1.dr
    Source: Binary string: dows\exe\DefMic.pdbU source: DefMic.exe, 00000022.00000002.2560635486.0000000000B11000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIF962.tmp-\DefMic.PDB source: DefMic.exe, 00000031.00000002.2702795588.0000000001230000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb source: rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000008.00000002.2341640246.00000000004FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000008.00000000.2336358790.00000000000A2000.00000002.00000001.01000000.00000007.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358616725.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358174906.0000000000FBA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2368994597.00000000012FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2369252046.0000000001557000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000014.00000002.2473367417.000000000057A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2491830264.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2492339195.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560280400.000000000096A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560635486.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2664605125.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2678828012.000000000136A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2679502416.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693046202.0000017569F88000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702148715.0000000000EFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702795588.0000000001241000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2712857702.00000167AEAD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730481065.0000014E8AE5D000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000035.00000002.2738938251.00000000013F1000.00000
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.pdb source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: mC:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.pdb source: DefMic.exe, 0000000B.00000002.2358174906.0000000000FBA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2368994597.00000000012FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdbR&0 source: DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: m.pdb source: DefMic.exe, 00000008.00000002.2341640246.00000000004FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358174906.0000000000FBA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2368994597.00000000012FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000014.00000002.2473367417.000000000057A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2491830264.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560280400.000000000096A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2664605125.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2678828012.000000000136A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702148715.0000000000EFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000035.00000002.2738513481.00000000010FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: rlib.pdb6bX source: DefMic.exe, 0000002C.00000002.2679502416.00000000015A7000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Windows\System32\msiexec.exe File opened: z:
    Source: C:\Windows\System32\msiexec.exe File opened: x:
    Source: C:\Windows\System32\msiexec.exe File opened: v:
    Source: C:\Windows\System32\msiexec.exe File opened: t:
    Source: C:\Windows\System32\msiexec.exe File opened: r:
    Source: C:\Windows\System32\msiexec.exe File opened: p:
    Source: C:\Windows\System32\msiexec.exe File opened: n:
    Source: C:\Windows\System32\msiexec.exe File opened: l:
    Source: C:\Windows\System32\msiexec.exe File opened: j:
    Source: C:\Windows\System32\msiexec.exe File opened: h:
    Source: C:\Windows\System32\msiexec.exe File opened: f:
    Source: C:\Windows\System32\msiexec.exe File opened: b:
    Source: C:\Windows\System32\msiexec.exe File opened: y:
    Source: C:\Windows\System32\msiexec.exe File opened: w:
    Source: C:\Windows\System32\msiexec.exe File opened: u:
    Source: C:\Windows\System32\msiexec.exe File opened: s:
    Source: C:\Windows\System32\msiexec.exe File opened: q:
    Source: C:\Windows\System32\msiexec.exe File opened: o:
    Source: C:\Windows\System32\msiexec.exe File opened: m:
    Source: C:\Windows\System32\msiexec.exe File opened: k:
    Source: C:\Windows\System32\msiexec.exe File opened: i:
    Source: C:\Windows\System32\msiexec.exe File opened: g:
    Source: C:\Windows\System32\msiexec.exe File opened: e:
    Source: C:\Windows\System32\msiexec.exe File opened: c:
    Source: C:\Windows\System32\msiexec.exe File opened: a:

    Networking

    Source: Yara match File source: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll, type: DROPPED
    Source: ScreenBeam_Conference_Windows.msi, 41b4a0.msi.1.dr String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
    Source: rundll32.exe, 00000007.00000003.2330426876.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330505212.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349319753.0000022E8C5E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445553925.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445464431.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484237836.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484304682.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503291452.0000024B37B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551480958.0000023702BFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576638967.000001B02CE50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656579461.0000027C52E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2693262627.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693357854.00000175685A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: rundll32.exe, 00000007.00000003.2330426876.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330505212.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349319753.0000022E8C5E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445553925.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445464431.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484237836.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484304682.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503291452.0000024B37B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551480958.0000023702BFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576638967.000001B02CE50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656579461.0000027C52E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2693262627.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693357854.00000175685A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
    Source: rundll32.exe, 00000007.00000003.2330426876.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330505212.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349319753.0000022E8C5E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445553925.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445464431.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484237836.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484304682.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503291452.0000024B37B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551480958.0000023702BFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576638967.000001B02CE50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656579461.0000027C52E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2693262627.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693357854.00000175685A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693046202.0000017569F88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2712857702.00000167AEAD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730481065.0000014E8AE5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2752871416.000002AFAAC56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: rundll32.exe, 00000007.00000003.2330426876.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330505212.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349319753.0000022E8C5E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445553925.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445464431.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484237836.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484304682.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503291452.0000024B37B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551480958.0000023702BFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576638967.000001B02CE50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656579461.0000027C52E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2693262627.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693357854.00000175685A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
    Source: rundll32.exe, 00000007.00000003.2330426876.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330505212.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349319753.0000022E8C5E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445553925.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445464431.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484237836.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484304682.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503291452.0000024B37B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551480958.0000023702BFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576638967.000001B02CE50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656579461.0000027C52E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2693262627.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693357854.00000175685A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693046202.0000017569F88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2712857702.00000167AEAD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730481065.0000014E8AE5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2752871416.000002AFAAC56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: 41b4a0.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693046202.0000017569F88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2712857702.00000167AEAD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730481065.0000014E8AE5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2752871416.000002AFAAC56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
    Source: rundll32.exe, 00000007.00000003.2330426876.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330505212.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349319753.0000022E8C5E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445553925.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445464431.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484237836.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484304682.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503291452.0000024B37B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551480958.0000023702BFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576638967.000001B02CE50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656579461.0000027C52E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2693262627.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693357854.00000175685A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
    Source: rundll32.exe, 00000007.00000003.2330426876.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330505212.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349319753.0000022E8C5E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445553925.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445464431.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484237836.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484304682.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503291452.0000024B37B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551480958.0000023702BFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576638967.000001B02CE50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656579461.0000027C52E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2693262627.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693357854.00000175685A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: rundll32.exe, 00000007.00000003.2330426876.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330505212.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349319753.0000022E8C5E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445553925.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445464431.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484237836.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484304682.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503291452.0000024B37B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551480958.0000023702BFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576638967.000001B02CE50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656579461.0000027C52E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2693262627.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693357854.00000175685A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: rundll32.exe, 00000039.00000003.2752871416.000002AFAAC56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
    Source: rundll32.exe, 0000000A.00000002.2374280377.0000022E8C655000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2567253367.0000023702CAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000002.2568580475.0000023702CAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000002.2708216146.0000017568661000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2705231355.000001756865D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2731018664.0000014E893CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msdn.mic
    Source: rundll32.exe, 0000001C.00000002.2510570716.0000024B37C21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msdn.microh
    Source: rundll32.exe, 0000001C.00000002.2510570716.0000024B37C21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msdn.microso
    Source: rundll32.exe, 0000000A.00000002.2374280377.0000022E8C655000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://msdn.microsoft
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: ScreenBeam_Conference_Windows.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, 41b4a0.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: vacscbkd.inf0.1.dr | String found in binary or memory: http://www.screenbeam.com
    Source: rundll32.exe, 00000039.00000003.2752871416.000002AFAAC22000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.screenbeam.com
    Source: rundll32.exe, 00000039.00000003.2752871416.000002AFAAC56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
    Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIC027.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\41b49e.msi
    Source: System.Globalization.Extensions.dll.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: ScreenBeam_Conference_Windows.msiBinary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs ScreenBeam_Conference_Windows.msi
    Source: ScreenBeam_Conference_Windows.msiBinary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs ScreenBeam_Conference_Windows.msi
    Source: ScreenBeam_Conference_Windows.msiBinary or memory string: OriginalFilenameviewer.exeF vs ScreenBeam_Conference_Windows.msi
    Source: ScreenBeam_Conference_Windows.msiBinary or memory string: OriginalFileNameaipackagechainer.exeh vs ScreenBeam_Conference_Windows.msi
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
    Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ScreenBeam_Conference_Windows.msi"
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F648D474375A48DA022532DC9F731B8A C
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 5E45740EEBE07AEAE92F6AE88589C9E1 C
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4287265 90 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI72CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4289250 100 ByomCustomAction!ByomCustomAction.CustomActions.VerifyDriverBusy
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI978D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4298671 128 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4302796 138 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4304703 164 ByomCustomAction!ByomCustomAction.CustomActions.RemoveDriver
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exe sbdrvmgr.exe" --remove "ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 24E524746DDC70772B4CA7E228956C7E
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding BCEC60AB9177671AE7619B486BDB0526
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC1B2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4309484 133 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSICB1B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4311843 160 ByomCustomAction!ByomCustomAction.CustomActions.WaitForUnpairDeviceApp
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIEAFA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4319984 168 ByomCustomAction!ByomCustomAction.CustomActions.StopSBUCProcesses
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF962.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4323687 220 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIF962.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Windows\Installer\MSIF962.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI114.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4325656 230 ByomCustomAction!ByomCustomAction.CustomActions.SetIsInstallingTrue
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI80C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4327421 437 ByomCustomAction!ByomCustomAction.CustomActions.IsDriverBusy
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI80C.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\Installer\MSI80C.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI10E7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4329687 452 ByomCustomAction!ByomCustomAction.CustomActions.DisableCampfilters
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32" /u /s "C:\Program Files\ScreenBeam\Conference\\app\Filters\x86\SBCamFilter32.dll
    Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
    Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
    Source: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI69BF.tmp
    Source: classification engineClassification label: mal52.troj.evad.winMSI@92/407@0/0
    Source: C:\Windows\System32\msiexec.exeFile read: C:\Windows\win.ini
    Source: C:\Windows\System32\rundll32.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
    Source: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
    Source: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
    Source: C:\Windows\Installer\MSIF962.tmp-\DefMic.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
    Source: C:\Windows\Installer\MSI80C.tmp-\DefMic.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
    Source: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam
    Source: C:\Windows\System32\msiexec.exe Automated click: Next >
    Source: C:\Windows\System32\msiexec.exe Automated click: Next >
    Source: C:\Windows\System32\msiexec.exe Automated click: Next >
    Source: C:\Windows\System32\msiexec.exe Automated click: Accept
    Source: C:\Windows\System32\msiexec.exe Automated click: Install
    Source: C:\Windows\System32\msiexec.exe Automated click: Install
    Source: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreenBeam Conference 1.0.5.1
    Source: ScreenBeam_Conference_Windows.msi Static file information: File size 102195712 > 1048576
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\appsettings
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\appsettings\settings.json
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\eula.rtf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\ScreenBeam.bmp
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\ScreenBeam.ico
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ControlzEx.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ControlzEx.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ControlzEx.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\de
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\de\MahApps.Metro.resources.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avcodec-58.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avformat-58.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avutil-56.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libcrypto-1_1-x64.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libssl-1_1-x64.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\OnvifClientLibrary.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBCamFilter64.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBRTSPAudio64.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swresample-3.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swscale-5.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avcodec-58.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avformat-58.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avutil-56.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libcrypto-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libssl-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\OnvifClientLibrary.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBCamFilter32.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBRTSPAudio32.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swresample-3.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swscale-5.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacdisable.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacenable.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Fizzler.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\HtmlToXamlConverter.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Camera 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Camera 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Conf 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Conf 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Conf 02.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Conf 02b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Connect 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Connect 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Connect 02.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Connect 02b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Devices 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Devices 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Display 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Display 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Display 02.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Display 02b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Go2Meeting.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\GoogleMeet_audio.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\GoogleMeet_video.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Hamburger 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Hamburger 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\ham_menu.svg
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\info-icon.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\panic_button.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\repair_icon.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\ScreenBeamLogo.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Settings 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Settings 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Source 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Source 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Teams_03.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\teams_settings.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\warning-orange.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Warning_blk.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Warning_red.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Webex_audio.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Webex_video.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Zoom_audio.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\zoom_settings.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Zoom_video.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Newtonsoft.Json.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\NLog.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\NLog.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\NLog.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\qf4net.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Common.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Common.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Model.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Model.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.ViewModel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.ViewModel.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Svg.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Svg.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Buffers.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Buffers.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Memory.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Memory.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Numerics.Vectors.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Numerics.Vectors.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.ValueTuple.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.ValueTuple.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Windows.Interactivity.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Windows.Interactivity.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\instrmv.cmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\vacscbkd.cat
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\vacscbkd.inf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\vacscbkd6x.cat
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\vacscbkd6x.inf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbcp.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbcp.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64\wdmdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86\wdmdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\NLog.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\NLog.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\NLog.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\qf4net.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Common.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Common.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\instrmv.cmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd.cat
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd.inf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd6x.cat
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd6x.inf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbcp.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbcp.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64\wdmdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86\wdmdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.FoundationContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Windows.WinMD
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\CreateProcessAsUser.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Microsoft.Win32.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.AppContext.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Concurrent.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.NonGeneric.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Specialized.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.EventBasedAsync.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.TypeConverter.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Console.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Data.Common.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Contracts.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Debug.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.FileVersionInfo.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Process.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.StackTrace.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TextWriterTraceListener.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tools.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TraceSource.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tracing.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Drawing.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Dynamic.Runtime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Calendars.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.ZipFile.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.DriveInfo.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Watcher.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.IsolatedStorage.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.MemoryMappedFiles.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Pipes.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.UnmanagedMemoryStream.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Expressions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Queryable.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Http.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NameResolution.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NetworkInformation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Ping.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Requests.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Security.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Sockets.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebHeaderCollection.dll
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.Client.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.ObjectModel.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Extensions.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Primitives.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Reader.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.ResourceManager.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Writer.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.CompilerServices.VisualC.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Extensions.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Handles.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.RuntimeInformation.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Numerics.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Formatters.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Json.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Primitives.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Xml.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.xmlJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Claims.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Algorithms.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Csp.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Encoding.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Primitives.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.X509Certificates.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Principal.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.SecureString.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.Extensions.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.RegularExpressions.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Overlapped.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.Parallel.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Thread.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.ThreadPool.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Timer.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.ValueTuple.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.ReaderWriter.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XDocument.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlDocument.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlSerializer.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.XDocument.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exe.configJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.pdbJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.FoundationContract.winmdJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.UniversalApiContract.winmdJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\Windows.WinMDJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\config1_base.xmlJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ipsee.txtJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libcrypto-1_1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libssl-1_1.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\runconfig.xmlJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ssl.caJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ssl.keyJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\user manual.pdfJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\vcruntime140.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\zlibwapi.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\en-USJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\en-US\SBConference.Model.resources.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.pdbJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\Interop.NetFwTypeLib.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\config2_base.xmlJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exe.configJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.pdbJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Direct3D9.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.DXGI.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Mathematics.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.MediaFoundation.dllJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exe.configJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.pdbJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\app\BouncyCastle.Crypto.dllJump to behavior
    Source: Binary string: \??\C:\Windows\DefMic.pdbQ source: DefMic.exe, 00000014.00000002.2476040225.0000000000699000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ScreenBeamConference.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: mC:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.pdb source: DefMic.exe, 00000008.00000002.2341640246.00000000004FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb} source: 41b4a0.msi.1.dr
    Source: Binary string: Wsymbols\exe\DefMic.pdb source: DefMic.exe, 00000014.00000002.2473367417.000000000057A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdbI source: DefMic.exe, 0000000B.00000002.2358616725.00000000014AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: enkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbo source: DefMic.exe, 0000000B.00000002.2358616725.00000000014C3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ase\DefMic.pdb source: DefMic.exe, 00000031.00000002.2702795588.0000000001241000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbII source: DefMic.exe, 00000017.00000002.2492339195.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConference.Service.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: StreamPlayback.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.pdb}\ source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdbC source: DefMic.exe, 00000008.00000002.2341656730.0000000000613000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIEAFA.tmp-\DefMic.pdbes source: DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: ScreenBeam_Conference_Windows.msi, 41b4a0.msi.1.dr
    Source: Binary string: mC:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.pdb source: DefMic.exe, 00000014.00000002.2473367417.000000000057A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: FbDefMic.pdbe source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdbFv source: DefMic.exe, 00000028.00000002.2665361074.0000000000A00000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: ScreenBeam_Conference_Windows.msi, 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.pdbs source: DefMic.exe, 0000000F.00000002.2369252046.0000000001547000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\DefMic.pdbpdbMic.pdb source: DefMic.exe, 00000014.00000002.2476040225.0000000000699000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560635486.0000000000B11000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dows\exe\DefMic.pdb source: DefMic.exe, 00000035.00000002.2738938251.00000000013F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.PDBZC source: DefMic.exe, 0000000F.00000002.2369252046.0000000001547000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\NetFirewall.pdb; source: 41b4a0.msi.1.dr
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb-_lU source: DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dows\dll\mscorlib.pdbY8 source: DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdb+1OT) source: DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdb source: DefMic.exe, 00000008.00000002.2341656730.0000000000613000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358616725.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2369252046.0000000001528000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000014.00000002.2476040225.0000000000699000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2492339195.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560635486.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702795588.0000000001210000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000035.00000002.2738938251.00000000013D0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb.G source: DefMic.exe, 0000000B.00000002.2358616725.000000000147D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdb source: DefMic.exe, 0000002C.00000002.2679502416.0000000001563000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbbe source: DefMic.exe, 0000000F.00000002.2369252046.0000000001514000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mC:\Windows\Installer\MSI80C.tmp-\DefMic.pdb source: DefMic.exe, 00000035.00000002.2738513481.00000000010FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbmp-\DefMic.PDB source: DefMic.exe, 00000022.00000002.2560280400.000000000096A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2664605125.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2678828012.000000000136A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702148715.0000000000EFA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.IsolatedStorage\4.0.2.0\System.IO.IsolatedStorage.pdb source: System.IO.IsolatedStorage.dll.1.dr
    Source: Binary string: SBConference.ViewModel.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000007.00000003.2330165824.0000023BB9D04000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E137000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256405000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A954FDF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B39608000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.000002370472E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EA84000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C5499B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693046202.0000017569F54000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2712857702.00000167AEAA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730481065.0000014E8AE29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2752871416.000002AFAAC22000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConference.ViewModel.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbemp\MSI978D.tmp-\DefMic.PDB source: DefMic.exe, 00000014.00000002.2473367417.000000000057A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: XamlAnimatedGif.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.pdbu source: DefMic.exe, 00000017.00000002.2492339195.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.pdbTE source: DefMic.exe, 00000017.00000002.2492339195.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbll> source: DefMic.exe, 0000000F.00000002.2369252046.0000000001557000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbbO source: DefMic.exe, 00000017.00000002.2492339195.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbemp\MSI6AAE.tmp-\DefMic.PDB source: DefMic.exe, 00000008.00000002.2341640246.00000000004FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbV source: DefMic.exe, 00000008.00000002.2341656730.00000000005FE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConference.Service.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: SBConference.Common.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb_ source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConfDiag.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: mC:\Windows\Installer\MSIC1B2.tmp-\DefMic.pdb source: DefMic.exe, 00000022.00000002.2560280400.000000000096A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbsr source: DefMic.exe, 00000035.00000002.2738938251.00000000013F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: eenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb source: DefMic.exe, 00000014.00000002.2476040225.00000000006A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: b77a5c561934e089\mscorlib.pdb source: DefMic.exe, 00000028.00000002.2665361074.0000000000A00000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbh source: DefMic.exe, 00000031.00000002.2702795588.00000000011FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\ScreenBeam\Projects\sb-conference-installer\byom-rtsp-client\sbdrvmgr\sbdrvmgr\obj\x64\Release\sbdrvmgr.pdb source: rundll32.exe, 00000007.00000003.2330426876.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330505212.0000023BB82E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349319753.0000022E8C5E0000.00000004.00000020.00020000.00000000.sdmp, sbdrvmgr.exe, 0000000D.00000000.2360005041.0000023469FF2000.00000002.00000001.01000000.0000000C.sdmp, rundll32.exe, 00000013.00000003.2445553925.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2445464431.00000172549C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484237836.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484304682.000001A9533F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503291452.0000024B37B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551480958.0000023702BFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576638967.000001B02CE50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, 
rundll32.exe, 00000027.00000003.2656579461.0000027C52E50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693262627.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693357854.00000175685A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693046202.0000017569F88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2713086925.00000167ACFE1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2712857702.00000167AEAD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2713220847.00000167ACFE1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730735302.0000014E893D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730481065.0000014E8AE5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000
    Source: Binary string: \??\C:\Windows\mscorlib.pdbA source: DefMic.exe, 00000014.00000002.2476040225.0000000000699000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConference.Common.pdb_1 source: 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbb7 source: DefMic.exe, 00000008.00000002.2341656730.00000000005FE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbemp\MSI72CD.tmp-\DefMic.PDB source: DefMic.exe, 0000000B.00000002.2358174906.0000000000FBA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2368994597.00000000012FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: MSI4EE.tmp.1.dr, 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbb source: DefMic.exe, 0000000B.00000002.2358616725.000000000147D000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2665361074.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2679502416.0000000001563000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdb- source: DefMic.exe, 00000035.00000002.2738938251.00000000013F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MahApps.Metro.pdbx& source: 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbbO>K0 source: DefMic.exe, 00000014.00000002.2476040225.000000000066C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdberDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\Lo source: DefMic.exe, 00000017.00000002.2492339195.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdbf source: DefMic.exe, 0000000F.00000002.2369252046.0000000001547000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XDocument\4.0.11.0\System.Xml.XDocument.pdb source: System.Xml.XDocument.dll.1.dr
    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693046202.0000017569F88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2712857702.00000167AEAD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730481065.0000014E8AE5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2752871416.000002AFAAC56000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdbc source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdb8 source: DefMic.exe, 00000028.00000002.2665361074.00000000009EC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdbb source: DefMic.exe, 0000000F.00000002.2369252046.0000000001547000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000014.00000002.2476040225.00000000006A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: b77a5c561934e089\mscorlib.pdb source: DefMic.exe, 00000022.00000002.2560635486.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693046202.0000017569F88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2712857702.00000167AEAD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730481065.0000014E8AE5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2752871416.000002AFAAC56000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdb0 source: DefMic.exe, 00000014.00000002.2476040225.000000000066C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.PDBs source: DefMic.exe, 00000014.00000002.2476040225.00000000006A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIC1B2.tmp-\DefMic.pdb source: DefMic.exe, 00000022.00000002.2560635486.0000000000B11000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdbdE source: DefMic.exe, 00000022.00000002.2560635486.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb8>^0 source: DefMic.exe, 00000014.00000002.2476040225.000000000066C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: osymbols\exe\DefMic.pdb source: DefMic.exe, 00000028.00000002.2664605125.00000000006FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.pdbN1 source: DefMic.exe, 0000000B.00000002.2358616725.00000000014B3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mC:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.pdb source: DefMic.exe, 00000017.00000002.2491830264.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\NetFirewall.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOat source: DefMic.exe, 0000000B.00000002.2358616725.00000000014C3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.pdb source: DefMic.exe, 00000014.00000002.2476040225.00000000006A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb[a source: DefMic.exe, 00000031.00000002.2702795588.0000000001210000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.PDBs source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.PDBJ source: DefMic.exe, 00000017.00000002.2492339195.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIEAFA.tmp-\DefMic.PDB2GE source: DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIEAFA.tmp-\DefMic.PDB2/ source: DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.1.dr
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdb0! source: DefMic.exe, 00000017.00000002.2492339195.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: DefMic.exe, 0000000F.00000002.2369252046.0000000001514000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2492339195.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560635486.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2665361074.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702795588.00000000011FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: 41b4a0.msi.1.dr
    Source: Binary string: dows\exe\DefMic.pdbU source: DefMic.exe, 00000022.00000002.2560635486.0000000000B11000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIF962.tmp-\DefMic.PDB source: DefMic.exe, 00000031.00000002.2702795588.0000000001230000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb source: rundll32.exe, 00000007.00000003.2330165824.0000023BB9D38000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000008.00000002.2341640246.00000000004FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000008.00000000.2336358790.00000000000A2000.00000002.00000001.01000000.00000007.sdmp, rundll32.exe, 0000000A.00000003.2349149465.0000022E8E16B000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358616725.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358174906.0000000000FBA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2368994597.00000000012FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2369252046.0000000001557000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2444880338.0000017256439000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000014.00000002.2473367417.000000000057A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000016.00000003.2484093154.000001A955013000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2491830264.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2492339195.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2503132896.0000024B3963C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000021.00000003.2551286490.0000023704762000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560280400.000000000096A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560635486.0000000000B1F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000026.00000003.2576256838.000001B02EAB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000027.00000003.2656378973.0000027C549CF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2664605125.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2665361074.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2678828012.000000000136A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2679502416.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2693046202.0000017569F88000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702148715.0000000000EFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702795588.0000000001241000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000033.00000003.2712857702.00000167AEAD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2730481065.0000014E8AE5D000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000035.00000002.2738938251.00000000013F1000.00000
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.pdb source: DefMic.exe, 00000008.00000002.2341656730.0000000000633000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: 41b4a0.msi.1.dr
    Source: Binary string: mC:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.pdb source: DefMic.exe, 0000000B.00000002.2358174906.0000000000FBA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2368994597.00000000012FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdbR&0 source: DefMic.exe, 0000002C.00000002.2679502416.0000000001576000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: m.pdb source: DefMic.exe, 00000008.00000002.2341640246.00000000004FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000B.00000002.2358174906.0000000000FBA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000F.00000002.2368994597.00000000012FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000014.00000002.2473367417.000000000057A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000017.00000002.2491830264.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000022.00000002.2560280400.000000000096A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000028.00000002.2664605125.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002C.00000002.2678828012.000000000136A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000031.00000002.2702148715.0000000000EFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000035.00000002.2738513481.00000000010FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: rlib.pdb6bX source: DefMic.exe, 0000002C.00000002.2679502416.00000000015A7000.00000004.00000020.00020000.00000000.sdmp
    Source: MSIAF3D.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x902c2
    Source: MSI72CD.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x902c2
    Source: MSI6AAE.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x902c2
    Source: MSIA7CA.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x902c2
    Source: MSI978D.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x902c2
    Source: SharpDX.Mathematics.dll.1.dr Static PE information: 0x89A0B71B [Tue Mar 3 16:00:27 2043 UTC]
    Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32" /u /s "C:\Program Files\ScreenBeam\Conference\\app\Filters\x86\SBCamFilter32.dll

    Persistence and Installation Behavior

    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSIF962.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSI80C.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Timer.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.MediaFoundation.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Data.Common.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86\wdmdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC0B4.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.TypeConverter.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Svg.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI6D8F.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Windows.WinMD
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Process.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSICB1B.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI80C.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB431.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.ValueTuple.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Queryable.dll
    Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\viewer.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.DXGI.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC1B2.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Primitives.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.UnmanagedMemoryStream.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\OnvifClientLibrary.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Concurrent.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.ResourceManager.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\vcruntime140.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.CompilerServices.VisualC.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbcp.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swresample-3.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\zlibwapi.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.AppContext.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libcrypto-1_1-x64.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.DriveInfo.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.StackTrace.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlDocument.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Formatters.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Watcher.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBRTSPAudio32.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swscale-5.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIF962.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Algorithms.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\System.Memory.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI10E7.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIF962.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSICB1B.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC1B2.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC1B2.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC0B4.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI114.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSICB1B.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI80C.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI16A5.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC114.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF962.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSICB1B.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEAFA.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3F9A.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI114.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI10E7.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICADB.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIEAFA.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI80C.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI10E7.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIF962.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC1B2.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI10E7.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC027.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI80C.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI114.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE49F.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICB1B.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4EE.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC0D5.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI114.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIF962.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC1B2.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIEAFA.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI114.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSICB1B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIEAFA.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIF962.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSICB1B.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI10E7.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI80C.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC183.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIF962.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEABA.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI114.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI80C.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI10E7.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI10E7.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\eula.rtf
    Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScreenBeam
    Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScreenBeam\Conference
    Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScreenBeam\Conference\ScreenBeam Conference.lnk
    Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe TID: 7740Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 7800Thread sleep count: 533 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 7804Thread sleep count: 360 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exe TID: 7824Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 7904Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 7940Thread sleep count: 2123 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 7944Thread sleep count: 1379 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe TID: 7984Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe TID: 8064Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe TID: 8116Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe TID: 7172Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 332Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 6992Thread sleep count: 739 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 7256Thread sleep count: 129 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exe TID: 7288Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 7416Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 7404Thread sleep count: 890 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 7404Thread sleep count: 860 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exe TID: 7472Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exe TID: 3488Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 6692Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 3428Thread sleep count: 537 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 5472Thread sleep count: 296 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exe TID: 1888Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 2920Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 944Thread sleep count: 1194 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 5272Thread sleep count: 604 > 30
    Source: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exe TID: 2540Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exe TID: 1804Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 4284Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 6044Thread sleep count: 1464 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 5164Thread sleep count: 2253 > 30
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe TID: 1928Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe TID: 5100Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe TID: 3696Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe TID: 6304Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 6564Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 6628Thread sleep count: 307 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 6628Thread sleep count: 563 > 30
    Source: C:\Windows\Installer\MSIF962.tmp-\DefMic.exe TID: 6796Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 7160Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 6708Thread sleep count: 1006 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 6660Thread sleep count: 623 > 30
    Source: C:\Windows\Installer\MSI80C.tmp-\DefMic.exe TID: 7344Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exe TID: 1244Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 7816Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 7768Thread sleep count: 544 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 7784Thread sleep count: 442 > 30
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF962.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.UniversalApiContract.winmdJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swscale-5.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Extensions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Overlapped.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\OnvifClientLibrary.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6C23.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Thread.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbkd.sysJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Parallel.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.XDocument.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avcodec-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.ThreadPool.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avutil-56.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.ZipFile.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.NameResolution.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libcrypto-1_1.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI114.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.IsolatedStorage.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Specialized.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.UniversalApiContract.winmdJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Requests.dllJump to dropped file
    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi6D39.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.X509Certificates.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.FoundationContract.winmdJump to dropped file
    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiC140.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbkd.sysJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\ControlzEx.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE49F.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Security.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Direct3D9.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Interop.NetFwTypeLib.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC0D5.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4EE.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.SecureString.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Text.RegularExpressions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6C43.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Dynamic.Runtime.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSICB1B.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\HtmlToXamlConverter.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC183.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\NLog.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.MemoryMappedFiles.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Extensions.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI80C.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI114.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI10E7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sysJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Http.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Buffers.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC1B2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI114.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbkd.sysJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Expressions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Writer.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB461.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.Parallel.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSICB1B.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacdisable.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBRTSPAudio64.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libcrypto-1_1.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Linq.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\SBConference.Common.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\en-US\SBConference.Model.resources.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICADB.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEAFA.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF962.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6A9B.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.Client.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TraceSource.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Numerics.Vectors.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Extensions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avutil-56.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Fizzler.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64\wdmdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6C63.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.NetworkInformation.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Collections.NonGeneric.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Sockets.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEAFA.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEAFA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.ReaderWriter.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tools.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XDocument.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avformat-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlSerializer.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Collections.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\netstandard.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64\wdmdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacenable.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Xml.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Ping.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libssl-1_1.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\BouncyCastle.Crypto.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swresample-3.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SBConference.Model.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\NLog.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbcp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbcp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\Windows.WinMDJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libssl-1_1.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86\wdmdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.FileVersionInfo.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\qf4net.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBCamFilter32.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3F9A.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Csp.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.FoundationContract.winmdJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Contracts.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\Microsoft.Win32.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI10E7.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6A5C.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Reader.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avformat-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Debug.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\de\MahApps.Metro.resources.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\CreateProcessAsUser.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6DB0.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libssl-1_1-x64.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SBConference.ViewModel.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Drawing.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF962.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC1B2.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Mathematics.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebHeaderCollection.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.EventBasedAsync.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tracing.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Calendars.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Claims.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Handles.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI80C.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ObjectModel.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\qf4net.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBCamFilter64.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbcp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.Pipes.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Principal.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEABA.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SBConference.Common.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Console.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avcodec-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.ValueTuple.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Numerics.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Encoding.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Timer.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Windows.Interactivity.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.MediaFoundation.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Data.Common.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.Extensions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86\wdmdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC0B4.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.TypeConverter.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Windows.WinMDJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Svg.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSICB1B.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Process.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI80C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB431.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ValueTuple.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Queryable.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.DXGI.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC1B2.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.UnmanagedMemoryStream.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\OnvifClientLibrary.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Concurrent.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\vcruntime140.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Resources.ResourceManager.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbcp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swresample-3.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\zlibwapi.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.AppContext.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libcrypto-1_1-x64.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.DriveInfo.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.StackTrace.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlDocument.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Formatters.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Watcher.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBRTSPAudio32.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swscale-5.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Algorithms.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Memory.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI10E7.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIF962.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSI80C.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 533Jump to behavior
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 360Jump to behavior
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 2123Jump to behavior
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 1379Jump to behavior
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 739
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 890
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 860
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 537
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 1194
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 604
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 1464
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 2253
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 563
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 1006
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 623
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 544
    Source: C:\Windows\System32\rundll32.exeWindow / User API: threadDelayed 442
    Source: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exeCode function: 29_2_00007FFD9B5F1D11 SetupDiGetDeviceRegistryPropertyW,29_2_00007FFD9B5F1D11
    Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: 41b4a0.msi.1.drBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
    Source: C:\Windows\System32\rundll32.exeMemory allocated: page read and write | page guardJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exe "DefMic.exe" --defJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe "DefMic.exe" --listJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5Jump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe "DefMic.exe" --listJump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5Jump to behavior
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exe sbdrvmgr.exe" --remove "ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIF962.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI80C.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32" /u /s "C:\Program Files\ScreenBeam\Conference\\app\Filters\x86\SBCamFilter32.dll
    Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
    Source: rundll32.exe, 00000034.00000002.2747664605.0000014E8941D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC1B2.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC1B2.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exeQueries volume information: C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSICB1B.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSICB1B.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIEAFA.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIEAFA.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exeQueries volume information: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exeQueries volume information: C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF962.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF962.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\Installer\MSIF962.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSIF962.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI114.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI114.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI80C.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI80C.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\Installer\MSI80C.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSI80C.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exeQueries volume information: C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI10E7.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI10E7.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exeCode function: 29_2_00007FFD9B5F1D11 SetupDiGetDeviceRegistryPropertyW,29_2_00007FFD9B5F1D11
    Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
    Source: C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance
    1
    Replication Through Removable Media
    1
    Windows Management Instrumentation
    11
    Windows Service
    11
    Windows Service
    133
    Masquerading
    OS Credential Dumping1
    Query Registry
    1
    Replication Through Removable Media
    1
    Archive Collected Data
    Exfiltration Over Other Network Medium1
    Encrypted Channel
    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationAbuse Accessibility FeaturesAcquire InfrastructureGather Victim Identity Information
    Default AccountsScheduled Task/Job1
    Registry Run Keys / Startup Folder
    12
    Process Injection
    1
    Disable or Modify Tools
    LSASS Memory11
    Security Software Discovery
    Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataSIM Card SwapObtain Device Cloud BackupsNetwork Denial of ServiceDomainsCredentials
    Domain AccountsAt1
    DLL Side-Loading
    1
    Registry Run Keys / Startup Folder
    21
    Virtualization/Sandbox Evasion
    Security Account Manager2
    Process Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyData Encrypted for ImpactDNS ServerEmail Addresses
    Local AccountsCronLogin Hook1
    DLL Side-Loading
    12
    Process Injection
    NTDS21
    Virtualization/Sandbox Evasion
    Distributed Component Object ModelInput CaptureTraffic DuplicationProtocol ImpersonationData DestructionVirtual Private ServerEmployee Names
    Cloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    Regsvr32
    LSA Secrets1
    Application Window Discovery
    SSHKeyloggingScheduled TransferFallback ChannelsData Encrypted for ImpactServerGather Victim Network Information
    Replication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    Rundll32
    Cached Domain Credentials11
    Peripheral Device Discovery
    VNCGUI Input CaptureData Transfer Size LimitsMultiband CommunicationService StopBotnetDomain Properties
    External Remote ServicesSystemd TimersStartup ItemsStartup Items1
    Timestomp
    DCSync1
    File and Directory Discovery
    Windows Remote ManagementWeb Portal CaptureExfiltration Over C2 ChannelCommonly Used PortInhibit System RecoveryWeb ServicesDNS
    Drive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
    DLL Side-Loading
    Proc Filesystem23
    System Information Discovery
    Cloud ServicesCredential API HookingExfiltration Over Alternative ProtocolApplication Layer ProtocolDefacementServerlessNetwork Trust Dependencies
    Exploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
    File Deletion
    /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedExfiltration Over Symmetric Encrypted Non-C2 ProtocolWeb ProtocolsInternal DefacementMalvertisingNetwork Topology
    Behavior graph (image not reproduced): Behavior Graph ID: 1342019, Sample: ScreenBeam_Conference_Windows.msi, Startdate: 13/11/2023, Architecture: WINDOWS, Score: 52

    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacenable.exe | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exe | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.FoundationContract.winmd | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.UniversalApiContract.winmd | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\app\Windows.WinMD | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\app\de\MahApps.Metro.resources.dll | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbcp.exe | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sys | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbcp.exe | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbkd.sys | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64\wdmdrvmgr.exe | 0% | ReversingLabs | |
    C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86\wdmdrvmgr.exe | 0% | ReversingLabs | |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://james.newtonking.com/projects/json | 0% | URL Reputation | safe |
    http://msdn.mic | 0% | Avira URL Cloud | safe |
    http://msdn.microsoft | 0% | Avira URL Cloud | safe |
    http://msdn.microh | 0% | Avira URL Cloud | safe |
    http://msdn.microso | 0% | Avira URL Cloud | safe |
    http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | 0% | Avira URL Cloud | safe |
    No contacted domains info
                        No contacted IP infos
                        Joe Sandbox Version:38.0.0 Ammolite
                        Analysis ID:1342019
                        Start date and time:2023-11-13 23:28:09 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 11m 32s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:59
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample file name:ScreenBeam_Conference_Windows.msi
                        Detection:MAL
                        Classification:mal52.troj.evad.winMSI@92/407@0/0
                        EGA Information:
                        • Successful, ratio: 3.3%
                        HCA Information:
                        • Successful, ratio: 98%
                        • Number of executed functions: 426
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .msi
                        • Close Viewer
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target DefMic.exe, PID 1196 because it is empty
                        • Execution Graph export aborted for target DefMic.exe, PID 3512 because it is empty
                        • Execution Graph export aborted for target DefMic.exe, PID 4000 because it is empty
                        • Execution Graph export aborted for target DefMic.exe, PID 5600 because it is empty
                        • Execution Graph export aborted for target DefMic.exe, PID 5652 because it is empty
                        • Execution Graph export aborted for target DefMic.exe, PID 6576 because it is empty
                        • Execution Graph export aborted for target DefMic.exe, PID 7152 because it is empty
                        • Execution Graph export aborted for target DefMic.exe, PID 7732 because it is empty
                        • Execution Graph export aborted for target DefMic.exe, PID 7896 because it is empty
                        • Execution Graph export aborted for target DefMic.exe, PID 8068 because it is empty
                        • Execution Graph export aborted for target rundll32.exe, PID 1016 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 2024 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 2640 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 3496 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 5448 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 6100 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 6384 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 6924 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 7128 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 7700 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 7868 because there are no executed function
                        • Execution Graph export aborted for target rundll32.exe, PID 884 because there are no executed function
                        • Execution Graph export aborted for target sbdrvmgr.exe, PID 3272 because it is empty
                        • Execution Graph export aborted for target sbdrvmgr.exe, PID 3740 because it is empty
                        • Execution Graph export aborted for target sbdrvmgr.exe, PID 6024 because it is empty
                        • Execution Graph export aborted for target sbdrvmgr.exe, PID 7384 because it is empty
                        • Execution Graph export aborted for target sbdrvmgr.exe, PID 7452 because it is empty
                        • Execution Graph export aborted for target sbdrvmgr.exe, PID 8008 because it is empty
                        • Execution Graph export aborted for target sbdrvmgr.exe, PID 8132 because it is empty
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • VT rate limit hit for: ScreenBeam_Conference_Windows.msi
                        No simulations
                        No context
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):396895
                        Entropy (8bit):6.6457488976582475
                        Encrypted:false
                        SSDEEP:6144:4My4xsB95xMzgFkesmW1XAOKoUSUU++VWRAItCcoc:Zy4xC95xMMFd8JUSWRAIUcoc
                        MD5:AE46AA2C4C22507E09ABBBD887F31951
                        SHA1:F6ED30B38680A9C44D1C943DDD80C4D384AEB2E1
                        SHA-256:67CAA6D695D5172A0EEC7732D7D84B7D5C1CAC8FDE3D5FE495AD3C8ABF7D3DDD
                        SHA-512:BDC0748231C60007BC7F95A57E591D71CBD092C35C9EDBABDB8514B95BC036356D10D42851F16A4F2625EA4D56171CBFBDE7DA9BD051C671932940353FEBE4B5
                        Malicious:false
                        Preview:...@IXOS.@.....@.mW.@.....@.....@.....@.....@.....@......&.{C600486B-812F-49ED-B0CB-A3F08D96350E}..ScreenBeam Conference!.ScreenBeam_Conference_Windows.msi.@.....@.....@.....@......ScreenBeam.exe..&.{A2531866-B2EC-411C-9FA0-D7A27AEA7C46}.....@.....@.....@.....@.......@.....@.....@.......@......ScreenBeam Conference......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{7199D981-9853-484B-8139-2C2B34F1FA2A}&.{C600486B-812F-49ED-B0CB-A3F08D96350E}.@......&.{EC32DB67-553E-42DB-8AB0-D93C26D64C7E}&.{C600486B-812F-49ED-B0CB-A3F08D96350E}.@......&.{85245CA4-064E-4C9A-A44A-343774C760F3}&.{C600486B-812F-49ED-B0CB-A3F08D96350E}.@......&.{041A7DD2-445F-4C98-9186-26507D7F21CB}&.{C600486B-812F-49ED-B0CB-A3F08D96350E}.@......&.{842B369E-7954-42CE-9AB2-483659A134B0}&.{C600486B-812F-49ED-B0CB-A3F08D96350E}.@......&.{83A516A4-A4ED-41F1-9664-F5C300DB76DF}&.{C600486B-812F-49ED-B0CB-A3F08D96350E}.@......&.{D6B39E0
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PC bitmap, Windows 98/2000 and newer format, 128 x 128 x 32, cbSize 65674, bits offset 138
                        Category:dropped
                        Size (bytes):65674
                        Entropy (8bit):1.2805694815835584
                        Encrypted:false
                        SSDEEP:48:ShnSIinOAsEqANIz8SmIpCvlPPlU7ppLkzDPDQLXK6BWL3FoX5vD6qN88+:mlin5/NE2N2ppLkXPQX21ODPv+
                        MD5:58B1F585FF6CF1FFBECD9E063D15663F
                        SHA1:DE69F2894AA800DA0A6B2AD5564478352FC213B2
                        SHA-256:5821322E5650C78A47E986C99507E58F79B507C8BD33C35E39FC799BDA9A963C
                        SHA-512:D67164A9725CA4A3DF88FB102512AB8B27B56D5E7441105F03ACA6466214E5CE414BB49C7BBBCDD187CF7BD42742BD1BDA474FDD16F5E0CB1E0A10CCC6C3F991
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel
                        Category:dropped
                        Size (bytes):16958
                        Entropy (8bit):2.3402736777188395
                        Encrypted:false
                        SSDEEP:96:a+Ngz9wjTeE7144BQ2DFFnEbHIcXExGErQa2Nvv4wG:acgz9qaE7144BQ2DPEzEMErQaAX4L
                        MD5:D75CA2815FA84BC36C36D18B6AD9048F
                        SHA1:5353AE1430AC909C25484047713712520C3A2AE2
                        SHA-256:3B156EDE48A466BDEC4FF5F230B2841899DF2B0A4ED7A645CFF72F7DC3CBC318
                        SHA-512:008A5D9B83143AC59ECF5CC2654C2597199052B0876225CF32102188F192DC7CAA87F3D7DC76E03C76AB682884198DD6A5CC3DC3AF6993DD9A7C47AB85832496
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):2246936
                        Entropy (8bit):5.7763570518985095
                        Encrypted:false
                        SSDEEP:49152:AFSSSusJVEDm2CNrmynmTF3P++3UEOkK59Vz4oukkb3KZ5b:AFSSSusJeDm2WrmynmTF3m+EH
                        MD5:C9B1395F3324FC526BC0BA0127BEEB6B
                        SHA1:23845B79831430F1335FBB1873270D3CAD7BE217
                        SHA-256:920122AC520239D6611C094F428391F7D5E71F3E32E8D53DB241E44CC13BFECF
                        SHA-512:0B567F896B11DC32DFB489A8384C0367D23045633D75D5044A537AA142F0E6D6A085019FA23541000CA9A24A3DDF10F754E8520F83F08358CAA07B151DCBA943
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):252696
                        Entropy (8bit):6.355013468716543
                        Encrypted:false
                        SSDEEP:6144:R6bRKhjsomR8PpY82VG7gP2rxp+7vVNviPF1WANK+5E:R6YyeC
                        MD5:6DFD1D318BF27D019E208F7C33647D35
                        SHA1:38FF2C5A5C55C9E51F99BE4DE179379AE8B010F6
                        SHA-256:3FB6F9F47484725B39906045EE3333D360355C3DBCD97BD22026640EF7F61B5C
                        SHA-512:71EFB8A91A0268F386B41FFFD86D5AFB206174088EA810D8BA5BA8E2283CF3562EF83DB7CFCB74B4178F1D5FBCB4441F25ACD0BD310E1C2BE85A476B8A22C71C
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*1647 bytes
                        Category:dropped
                        Size (bytes):843264
                        Entropy (8bit):5.758644766369451
                        Encrypted:false
                        SSDEEP:12288:UmM/3QPubNiFGNnvG2TF6HeYNg9mM/3QPubNiyg2TF:l+3QmMFGNnvnTFSeYNj+3QmMypTF
                        MD5:3C429F78E96B6C009A11E64711C8D147
                        SHA1:92C0896C60437E5A3655214ED8EC507C21B8B372
                        SHA-256:D1632349A5BED60C6CD6118A5559C794C6CD6B6E30A33B4AF0B00F2ABC867E31
                        SHA-512:2972DF0E51F07E22AF84D9E76B3DA405188E6F5508346E844AA7197865EA68DBA79158284761888F109AE03A9BC94CF7E7F8E1CF3A46EA3D00B05FC0F57F5B55
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):172506
                        Entropy (8bit):4.677612844082003
                        Encrypted:false
                        SSDEEP:3072:3WA8J2D7EiLCG8GkJiy1UTvKSe6MBGjy6CV4qIuLCbD6vFx03Bt3Xvt3fU:3WA827EiLCG8GUpU9CV4qIuLqez8JV3M
                        MD5:5157BF5DABBEC676D862F0A008F0A352
                        SHA1:970DFA0A6E4C4CCE6D6E51D19F3BAA217D3C826E
                        SHA-256:88BBCE0EB7059680C253DB0B2F8DB11D284D1E5BDF44B7DD329E25E270B2A18E
                        SHA-512:A341CF11652D9B6D75E04D52FAE99A72ECB317BC683D3836B1AA8D9968EC454B8DF496ECE70E88DA4CE1A4F6CEA3D789F210BDC27923197F105A4DEDC2E88240
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>ControlzEx</name>.. </assembly>.. <members>.. <member name="T:ControlzEx.Automation.Peers.TabControlExAutomationPeer">.. <summary>.. Automation-Peer for <see cref="T:ControlzEx.Controls.TabControlEx" />... </summary>.. </member>.. <member name="M:ControlzEx.Automation.Peers.TabControlExAutomationPeer.#ctor(System.Windows.Controls.TabControl)">.. <summary>.. Initializes a new instance... </summary>.. </member>.. <member name="M:ControlzEx.Automation.Peers.TabControlExAutomationPeer.CreateItemAutomationPeer(System.Object)">.. <inheritdoc />.. </member>.. <member name="T:ControlzEx.Automation.Peers.TabItemExAutomationPeer">.. <summary>.. Automation-Peer for <see cref="T:System.Windows.Controls.TabItem" /> in <see cref="T:ControlzEx.Controls.TabControlEx" />...
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):736536
                        Entropy (8bit):6.146947416574167
                        Encrypted:false
                        SSDEEP:6144:1XTxgGpJxna4ZAVct9dwZpnjHAHS1M3a9Omuju9gQiK9pJczINMyLUO7HEYZ:5y4+cXdwfMHSzOm6ypJeINBbt
                        MD5:DA5E21B1F6C601038AA1A98C119BB5FB
                        SHA1:90E60A41F7BB78DC6078B3A0A104041823748718
                        SHA-256:49EAAF4D4A2E18355841838290C45096A0766A5F58734FD915EF882CEB193217
                        SHA-512:A6FFE0D0A091B04FC554831FF9C18264D0DBBDCA63B872A0EDCD3CA8774612D700804B857D31FE9A44699988369944C5F241C35777D48A2074308B170B0B713D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):220952
                        Entropy (8bit):6.3576830341664365
                        Encrypted:false
                        SSDEEP:3072:irhj/qfa2x0qDE5NmergYEEf0nbAJu0/VoVA5+/CyEvpfBIrnaScWMxi:u7qfapz5NmergbsJpVo4+qyEvpfBIWc
                        MD5:7BB97B4195FD37B7D4D15787252B66D8
                        SHA1:7F08E5FE9D53A5FE5094F6B19D365478D2E04742
                        SHA-256:AA559B69A2575A1CB9267DD57C5BC5AC2EF8614747485CBD5638857E4099FC60
                        SHA-512:2D93F6CC3F66562D1932030F7687BBCBB5A0AB2BD0065DE6F1900731E8D3206AE273207FE8552420E35FBEB4DB8D1FE15DAB48045F6484B58F71B2805940F97B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):128280
                        Entropy (8bit):6.420890710619966
                        Encrypted:false
                        SSDEEP:1536:oUfgtL9+VqiKW+JTKHX2tvJW5MqTJfFFfEu5ol7X2Um6c7Nm7SekCn+L4oE7QzPx:W9nJNJW5MqTFcu4X2UaGln7M
                        MD5:3364049D7D74F9011EA575578D1102D1
                        SHA1:887C63358673BED20A002170A63A34B4FD8F4CA3
                        SHA-256:9F708C78A00FF261911183C20C3EDF6A2F60860BC814F518A8791BC1591BB6AD
                        SHA-512:1A5C4AFBD043922CA4798C98CC1F2BDE76677E282CA28CB43E8C17E819365441D3CEB3A80DFD67F3586EEBAB97607CB986797832B2AED066DBB824F614180E13
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):63853336
                        Entropy (8bit):6.731108060475891
                        Encrypted:false
                        SSDEEP:393216:vZUUv1DLIy8a6qJWDa2g+qloXyxE8JebXXpiom2QAmS2dho:vLdIyW+UwoyG5DpkFdho
                        MD5:5104050AEB83801103BCC34883F74A76
                        SHA1:7A49B6096064B3AE48CA3E8DF734572D68C5D3DD
                        SHA-256:846B07563F19ECAE4AB7F1312626556B8FA7F4CE02563C14D44ACC9E51EB21E6
                        SHA-512:0442E2C2C0645E965D8AADA40F3714A745E5B2CEE4AC5726C1397A256FF0E723F33E9E6DA88FE024262807A2FB1DD198FDD58EBEA501AA620860667AF44437D3
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):14810392
                        Entropy (8bit):6.598065367956613
                        Encrypted:false
                        SSDEEP:196608:1PWnEwrmp+eNN9frDN/kAOJV/lzfEapne1A:1PWnt3e7ZrDN/kAOveav
                        MD5:D4E64D63A5D1599F9589823E2EF6E60D
                        SHA1:FD149350455D8A44BDC5283B8D65A75C639391A9
                        SHA-256:C06D92C5A84C158ABDD72A80B5162FDBFB5B98B26D17B28B2DC6A7DA6293E119
                        SHA-512:585C064921651E393666C38F353F53AE8A82D8042B6589BB6EF918349CBD3059A656AB1D64F322FBA6F1344648D86CB9A5621F840F5BF078D2E51AEFAB374906
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):1300248
                        Entropy (8bit):6.473556847638268
                        Encrypted:false
                        SSDEEP:12288:agv//dfzgfczGYxgt0K8nKKqv74N4VmTUtzRbMsp5bJmAnAygYJR3fQp4RsaMquj:L7hzGYxg+twRbMspLmAFx/3OgNsz
                        MD5:4BB6723FA612315AAE9A8F8E125D4CBA
                        SHA1:5F9B63F93298C88F7D194BF9618B67E8D638E209
                        SHA-256:E939E9FA07E1B0DF168132896095877001738FD28FA02918FB4EB07DA88ABE62
                        SHA-512:3E4727CDC8E8F7925515C74F3506B300203DF6F4CDD3B5638CBB40C8D287CBB514F04D32A6498564A69BBCAC088F589542812680A589883A9FA03942CA68B920
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):3310872
                        Entropy (8bit):6.132749718963277
                        Encrypted:false
                        SSDEEP:49152:QEVwASOnMIU6iW5GtlqTv2bAAO370ULehMxsI44Rk7ja0RyP6TvA+XfU1CPwDv3j:Dj+W3Z2aUVTvAz1CPwDv3uFh+
                        MD5:ECF8F8E4852F606E912B483927FDAEC5
                        SHA1:2ECEA0EC1952761B4E16D8E9C58FA4200F25FFCD
                        SHA-256:A7B4264CF29AFD26B0350AE7863EA90B5231C8F122D87EEDD7C51B0FF30A1C09
                        SHA-512:DEED3B843B415A628563ADBDC82194A9117316423C6475C8BCEDE58DD5351C187A9F9179832D2975887282552A43013C4E4795A52BEF02962E63D30951364789
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):668952
                        Entropy (8bit):5.566040596897661
                        Encrypted:false
                        SSDEEP:12288:IY1P32jyJMze8mAcZjAoBcY+s31L9uK4hR4FPdWKRMccMwJ/s9U2lvz:We8mlbBcY+KhYrhMwJYU2lvz
                        MD5:49A7F81AD6F67CEF1DD4BEBD25057453
                        SHA1:1E2D3397E08D17DEBFEE08B777A30665B38969F7
                        SHA-256:A5F1825308725F359DA8D526D8615731C1AC759589EA4AD337789830D33E571B
                        SHA-512:E23833F0C4FF3752CBFF3A2F0EBAB305365A9D88A5FE3A0DB8D8CF8BDFB6AB1D7A276866FB755C766A4104BB84F93ABB0C232C702E3588DABCC1DB7AA5D366F4
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):443160
                        Entropy (8bit):6.598000302664962
                        Encrypted:false
                        SSDEEP:6144:BQ+kly145LnrfH/XqqPGFTci1WC2li9XFSJr12y0d4GhtcuoD:KnlyaPfXPuT1HyJrYd+
                        MD5:410B6337E5997CCF23713E5F3720FBD9
                        SHA1:413F691233ABB31D64FE99365113952365A5ED56
                        SHA-256:07CD290EED13E75390A306545CE8F07134D94408F62F46276F3099BF99E430BC
                        SHA-512:7A3C2682BB40F302E56C3B0F23F5C4D6EF0714452AAA2671BFE36C853CCE76E81DCEF0A44BEA797CE5AD64228D85D211614CF7AFEEFD9E70C0F14C4EFCEBD33E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):579352
                        Entropy (8bit):6.596789157635653
                        Encrypted:false
                        SSDEEP:12288:4GvN1RaVaB3ct9DY6m0D0plE+Mb222+j5t9opFrybN1kmONjkvUY:4GvNiww+hMb2219opFrybN1kmONjkMY
                        MD5:2C039D95140CA9EF8C09327F55949E5C
                        SHA1:481815DD897B72288FE7D3BD08EB7EBC467B439D
                        SHA-256:6C1D9ACF9AE47A709D916EDD7442174EFBB45D470FDBDC5BB321D6E054FFD95F
                        SHA-512:41BCBDE87875FF3E349D53593D23D5CB0F2D24F5ED4C2B3B110EC855FC08A166C28A8DB57C9395D6BD463501277FD9AA0AA8655F1BB3FBA8FBDCA48C53774126
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):617752
                        Entropy (8bit):6.365340533890444
                        Encrypted:false
                        SSDEEP:12288:C5iNe9qJewEisecAEJrt6D/vlDcjRW+puJtKbcnM:C5iT41isecAEJrt6D/vlQjRWRJtKbcM
                        MD5:946BFCF474EB9FC8FCF99B4D20A2CA15
                        SHA1:AF49C7DC06839535F2BA2E7BEB85F944251A3D28
                        SHA-256:B27F0CC87ED2EF8E08F3197459F0AFFCD324BA731488D8AB21E3111EACB3B5BA
                        SHA-512:4D78C883DB69CC6D114F85C276F1DB6AD8E4C166274194C0631C5BB457E734532CB04C139604F5BD634102B255D8CE017654A3715FA65A0393240A3C8A9A8A50
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):207128
                        Entropy (8bit):6.66883142794804
                        Encrypted:false
                        SSDEEP:3072:nyrTSxfuvVlCcUfVVVVu1YFoT+V0y7DCcW1VoV+vIVKeUTP6cOAaxM5:yWcaVzuJT+37DOVocLeUTP75
                        MD5:C746A984CA314B12B71B4AF0000DAD95
                        SHA1:CDE77D77BF30175A482F5C9963ADBB52D5311E8E
                        SHA-256:9982C3C518F869EC552BA0C53F94221D7D421842E943BB2F64411A3C192456E3
                        SHA-512:8EF06C3FEFE5070F67E352673B31EED2296B2EB4F54DF067E7B04D671B98BD58D463088A75D7FB9A2421024CF134159D60B7E0C1F5DC18F46A691C1C5D363C33
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):102680
                        Entropy (8bit):6.754214306887709
                        Encrypted:false
                        SSDEEP:1536:pPv93vGQqmcKJbPhs4UZ2o4SM44VAajjHkzTNlEuWQ8OmHIpQ4GkqErwo4tmO6XM:pN34mcKJbZCeAyDkKQ8Lsn4tmxXnM
                        MD5:AD4BBE00AFDC64E8C0379B5B0128D287
                        SHA1:CFA94DEF8E6F5E481CAE171C84D33BB76E705190
                        SHA-256:54A3869804B898B50A7A768689D006FC8D4ADE71E04723D00A1044DD6C5D7D11
                        SHA-512:1B15DBB93EC24C4DA955FD3EC9C0C037D5C361F8B6C3AA62F30AE535ED6F9448B93E469D3C2AA7663DC399CA3BD5909CE6C918D1AA9E27892F6121E2941CB91F
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):31070488
                        Entropy (8bit):6.655668966562144
                        Encrypted:false
                        SSDEEP:393216:YVbJv2NcGjFg23Xs0qUANf0//O5U0zvhkHxc3gSEkSa0Lpb/GdMX:YbKjHCkO5U0zpkHxcHwYdM
                        MD5:CBE359C3094675AEEE0AB063D4DC37B8
                        SHA1:59D5777CC98BE5C1430F8A61FFBD5CD7EF526093
                        SHA-256:916A8CA04C234C82BC54A4BCA8CCEBF70904EEEBFD54848B821C4AB7ED6EA1A9
                        SHA-512:A6D3556F780A718F5B9B088F33E55513B89870E0A311319094B23D651FFE3BA500CA79CE5E715719F49168F7030A69C847537889D4FFF677818CADB237454AD4
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):5892888
                        Entropy (8bit):6.443007330378985
                        Encrypted:false
                        SSDEEP:98304:/yFLLyoBzl9R5Vr3jEx06Jz2kBtDR4BsZ/rSukHuCn73jTyReZZFloHEnKEECn9k:/yFnyoRl9R5lAx06JDBtF4BsZ/rSukHM
                        MD5:352BE34A89BE5E87ECD35846535F909B
                        SHA1:07BC5210178DA4638ADDD98CE1D12705243F646D
                        SHA-256:76AFD610F5066F46A96943DD9F703D68E66A78C3E17FFC0DA17198AF17BABAF9
                        SHA-512:666187AC2380C3C0C4756BFC99177AB92F123D13A3A0F3668DCCEC9559A031CFFFC19D41942FA49EF3A74041642A60A38ACA1F230ED6AACA73597BBC945C697B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):679192
                        Entropy (8bit):6.51520188212085
                        Encrypted:false
                        SSDEEP:12288:n+T88wHM+RsWJWYYzVzJnCOO5/vY75Ash6HM+RAJgAniCkT:n+oPHM+RsCRYGDY9Ash6MJgAg
                        MD5:A777389C9B9A8952911DB1639C038CB7
                        SHA1:5C8C172D2B6A8B5AC0809A30DB53602091956EED
                        SHA-256:24111A0E0DB9D534010E7CA3844C2D345AE216A252B147E46D9D2D24913D5798
                        SHA-512:AD637AE95006098C8FE4B3927489562B5141D32CE08632182287A06F13A60822E9EAA99783EDB133A7D2CA04F281687CE0FA2CC08F8F190868FA8191C2D5F7B2
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2434328
                        Entropy (8bit):6.265976088328645
                        Encrypted:false
                        SSDEEP:49152:rQ1VVA2kTpvTDuW8VNd1CPwDv3uFh+0nU:rQ1Vu5DuW8fd1CPwDv3uFh+0
                        MD5:10CC3AE29E29C94C17847C3B59B0985C
                        SHA1:903121559C914956CF09DA7EA94FA48AC1AED62D
                        SHA-256:D1622CA8216A037125D6491FB71C6EBD1E1088C60598D47A68E3FFC7DC2040EC
                        SHA-512:1B486F98963027DE71FB037C93B22A576F2C4B23FCABD15E675C547F780AEFC58AE3A1165FF997940EBBBC287AE9C0F92B3E644E92DF6AFD18A1250C876A0ADE
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):515352
                        Entropy (8bit):5.814323355789225
                        Encrypted:false
                        SSDEEP:12288:BJ8sR6fYGsTRZ9vpHvG9ZiBgp/GidLzVaU2lvzXE51:B/Xsf8WaU2lvzXE51
                        MD5:C1705F69D98EE4F6D3DD65DEE192C249
                        SHA1:4AB1B976B5D0E09B24FDCB4F43D8782CABC46ADA
                        SHA-256:5FF3135EAC23E76E34C55447B4CCE0C8F8586F75F24BE8F3F27A0F31EFE6BE44
                        SHA-512:BAAA3C2B9C2CD014F2740E497AE8552E2A56C971AE42343E5B010CD9957E5CBD76951CD221DD0EFD116FBEFC009187707079169A73D1DA916D24ABC3D77B73DE
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):334104
                        Entropy (8bit):6.680889467643291
                        Encrypted:false
                        SSDEEP:6144:DNfWE1yQKJdyKqIi3AhrX49fCWM1xiWs7hjy+NY9S+yCod7yHVWjtEjPFpHEP/nN:DNfWE1yQKJdyKqIi3AhrX49fsxuu89C0
                        MD5:70F766D41BF2677E91832AB22A8BB183
                        SHA1:3A220D1DA5C5EC568BF47059F22BD98D9C153748
                        SHA-256:CD2AD93D68BC78FD3F3BD2BBB95B64115AEADC88F95F73A8B7C79379B71FFFEE
                        SHA-512:BFEDB3E65DEA1E744C4E8BC719428DE2813A558549494C4A4F509D2C0A2B0BA9BA91D670298AB2FDB6BCA7B9F380652F0CAA650C7EB9307C4AC7B1606A80EAA6
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                        Category:dropped
                        Size (bytes):524056
                        Entropy (8bit):6.610798249190617
                        Encrypted:false
                        SSDEEP:12288:lvwyqf/9FGgiw8ed+wya6khNyY6DRmx51JT6cZijgkiiMiiiiiKNrrrrrrrrjkiD:lYLf/9FGgiw8ed+wya6khNyY6DRmx51n
                        MD5:1A940250E90ECA736FA367BCD3489CD5
                        SHA1:1E632F232EDB01845E629047E49A5B5622FB4C48
                        SHA-256:7EF4FEDC784332680064BA3F533905B1A4D467D754BB5228BEEA1F1B2A160447
                        SHA-512:72A72EACAE64FDFA89CAE5D210F6A5CCC585C8B8D51E69D77D5011BB426CA7890E160946613CF4DE8478A2209DB6E5B590111C6D15CDFC62B08A873915EF9451
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):22808
                        Entropy (8bit):6.65086808192375
                        Encrypted:false
                        SSDEEP:384:uwmfOy4CLLTkOJFIQUojDV78IYiQ32ZaKSAM+o/8E9VF0Ny8SNZL:Xmf14CLnkAvtYiQQaKSAMxkEiAL
                        MD5:B088CDCCF5332B2A515780300CBD76F9
                        SHA1:CC8DEC31EF2E06366D169E898A13C4233860F743
                        SHA-256:C65A8ED45F99ECB56BDF27248EF19203974F54F291602B075F6480CDBD02B4C8
                        SHA-512:9DA0B6C18438371B07514D64A28F0BE09F3075186EEE3FD92C06CC3C30D9305A733F754B08762010E68F783732463A9E26E136A7A14336A9F8D0BCDA3BEAAB65
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):22808
                        Entropy (8bit):6.652238390266638
                        Encrypted:false
                        SSDEEP:384:EwmfOyUCLLTkOJFIQ/dRjDV7QIYiQ30YSAM+o/8E9VF0NyI9f:xmf1UCLHkAvV5YiQzSAMxkEg
                        MD5:FC9DBAD2EED787E71BB30ACA98277FF4
                        SHA1:C416E12B05BD1D340C209B2DA2147BDCB3990416
                        SHA-256:FF7412460CFC44D355C65B18CF473252D8692438CDAABA760C8213DF30AA148F
                        SHA-512:B535672D84569F2224DF1815B1FE1C3E0037A5ABE3E57595A5757B95CB631274AE90D2352B46E3548841E666212CF80F7FC8F42FE3E32AE904F06C3811EF21C4
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):45336
                        Entropy (8bit):6.158509010136436
                        Encrypted:false
                        SSDEEP:768:/EWL7brtn44Esp4/S3d4WiQCijG6FWd3VmigYOIlSRYiQxAMxkE1H:/ECrt4I4/S3dHFyyW1O/R7QZx5H
                        MD5:06EF2515979AA339B82877C407A4AC2E
                        SHA1:1B1A6A98C031A8D70A130D1465A96658772A7C01
                        SHA-256:1EBCB3AF887D51ACFE5A5A62415A82DE9D0AAD0F50A2BE587D509955A2743536
                        SHA-512:DD684D2A9756D385A3E80D83A1C7D45AB97106685FA1B69E049334AEDB841ABBA0FB349084B37253D11CC6E10E6E29B8D84BE6890696EDFD0E198BEECA28BDD4
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):107800
                        Entropy (8bit):7.332087363522266
                        Encrypted:false
                        SSDEEP:1536:qn5VJM3T5szyxa9PuIKb8wmtyYVzH0cfNbQSi/GoP4YNjZ34U7QDxY:qWsEa9GIdyAUKWeYNl34UMu
                        MD5:67807C6E295ECEF84681E1231BD88115
                        SHA1:7B731096B43F851468528917E2D8AF16E6BE656E
                        SHA-256:B7AFAB694E6EE7C0E5D999F755CCE85543FEA884680B8018322104E220E43467
                        SHA-512:D12F2212BC47B983050D8643195AE4D2A544B05888D1AEA1AECE65D9ADFCCABC6204ABECAABC55DD8F147ABF24EF3968C9D2E98895BDC80822E4D9D1B8080EB1
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):130362
                        Entropy (8bit):4.60579511535411
                        Encrypted:false
                        SSDEEP:1536:9rmrlEFROJHshjRXELhwgUgVJDcqpFEnzPTE9ab2ATsoJcYbOQDfrP7:lmjJy
                        MD5:92ACD7769E2EDA756AFB18746CA7F875
                        SHA1:801DE8CCB30816A499EEB307B2077614C54FEB2C
                        SHA-256:CFD36E262B2F28FC37088965CDC82E58F2D18CBF469242451B1CE7811929AA62
                        SHA-512:A96D6249A5B6C23381012E88AA6DB5390FD180FE03E8F3D45C1AC17292EB2CC7135244A6AF474BFC63253A258F622739FF4203A3E0E020D2090077A425B52F6B
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Hardcodet.NotifyIcon.Wpf</name>.. </assembly>.. <members>.. <member name="T:Hardcodet.Wpf.TaskbarNotification.BalloonIcon">.. <summary>.. Supported icons for the tray's balloon messages... </summary>.. </member>.. <member name="F:Hardcodet.Wpf.TaskbarNotification.BalloonIcon.None">.. <summary>.. The balloon message is displayed without an icon... </summary>.. </member>.. <member name="F:Hardcodet.Wpf.TaskbarNotification.BalloonIcon.Info">.. <summary>.. An information is displayed... </summary>.. </member>.. <member name="F:Hardcodet.Wpf.TaskbarNotification.BalloonIcon.Warning">.. <summary>.. A warning is displayed... </summary>.. </member>.. <member name="F:Hardcodet.Wpf.TaskbarNotification.BalloonIcon.Error">.. <summ
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):85272
                        Entropy (8bit):5.825544424160974
                        Encrypted:false
                        SSDEEP:1536:/tshsMzA488PhOOUtUeOQiUDMM7o+fxrexgyn7ehoYfypP5JlV+ZkTjjuK4M0EnP:/Whs4A48AhWUehougjf4M0EnGlS/M
                        MD5:7131D772D53A0605E12F44D5D5FEFE1B
                        SHA1:8DF296DED453C641BDFE92B65BAD92F5FE4B66D5
                        SHA-256:6E2588031E441A94A17618047CB902532D210597F74613D6EFC32570798C9285
                        SHA-512:518B95D82DBE2D386D417FD7A75B771ACC8EA07EF8730236CFD7C5E5144C09C35B772E149E8C846BC315BDEF92E80328B4E8AC25421EFD060649E9F0834EA5B0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 270 x 141, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):3792
                        Entropy (8bit):7.887872121533211
                        Encrypted:false
                        SSDEEP:96:K/ezW07/wGkJ1K2sSc6ajjoEvfeKDIsqz4Td3bY:K/ezW0rwGkLK2sSczoEnTqCBbY
                        MD5:C0EB03BD8E13870C565F248DBE9ED151
                        SHA1:0FA4A9C75226C7B2518ABDE64DD86A7AC763275D
                        SHA-256:BD5B34736676BDAE09096204173C7AB70DCED1E2B34BF7B9FDBD1335FB27AEE5
                        SHA-512:C7D15675F272DB28BFFDBEFAB6F8B701855865EF7FBEDC1F44AAF7A56227A9D5279D59AB00FDD30BDCD050C9D3C03AC0FC98E26D24C6F58FE3E628B6B400C2EA
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 270 x 142, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):3849
                        Entropy (8bit):7.913354664814746
                        Encrypted:false
                        SSDEEP:96:MwOPIaDxEIwm+R0wss6Vdxv53GW0etLNlUwgCLkz:M4wZwmu0g6jB5350epDUQkz
                        MD5:D588CD052DDEF0FBE7445AF3DDA6460C
                        SHA1:22A72DE52921597B37F39116F6DE38BD9B31E0BE
                        SHA-256:4E9EBA27AB7A940105559D2E6C2C75F81D13DB14868E17FA510255AB90EE04CB
                        SHA-512:8560B3BDF3CD428AFB9E23D734CF2609110DC1DB0FF9DA9D087AACB6C54F45EAB2DFA706806B192EFA0077F10B47FE44D34895A06DC07DD9963C40959C7E6EF7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 222 x 178, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):3091
                        Entropy (8bit):7.748757104260975
                        Encrypted:false
                        SSDEEP:96:Ozr3tf7ZmN+YsCUvG6Xe0JP1nTcHxzcdDyk:Of3tf76RsFNP1TcHdcH
                        MD5:762CB6652C46433C45923C206A084D36
                        SHA1:17C7535D398938AC7ECE0B282F7DC2546671F88C
                        SHA-256:2C2296A114FD628439AABF48407F8CD8E004EF050AD80738FF2153174826D839
                        SHA-512:CF939CC195BC551719FA9908826EF8E9E5E5B594BFB2801FD96DD7C9FC1FE78438AAE101B4267B311268FE1E21140D61906EA7A94B8DDEA2AF5300F55159AED8
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 222 x 178, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):3352
                        Entropy (8bit):7.781478018163998
                        Encrypted:false
                        SSDEEP:48:Hybzkz9CNucIWyG2QWoolFbISVkcarNQrFdQWr2LuU8NSuNyGwTCBPP:SPkXc/0tlFK/6rfQWr2K3N2GwGNP
                        MD5:E1DC2FDCC0BEBDA25870370810AEC056
                        SHA1:449DD99E8E57DAB2B3F7BDA5A526D9438216DDEA
                        SHA-256:0FC418DF00D31D577D5118F7E99C521D3E9B34E3E2B018ADF6BF196E2CFC6BF6
                        SHA-512:89D3B1549C0FCC051BF8D742E3878CDEEC41B40C9605C1E24787C7033F56579A33F5FA9F22BB9B480F0D5D2DCC3C325B45F7D5B565120E87BDFAD096588EEE85
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 222 x 148, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2663
                        Entropy (8bit):7.8546722798230695
                        Encrypted:false
                        SSDEEP:48:bloa1dM5gHSWa2YbzMdWPT9AVVgDgbgpHUE527KO2l/+Gv7xM+kqWiAVs8GD:bloaXMqyVFbzLPT9ajbREc7KO29JM+kM
                        MD5:595E7237E9B0781E215FF9AC84277812
                        SHA1:3892A426B859C01F72AE5896D0EABB8EA880D2FC
                        SHA-256:E55EC67772DD38BD805FBEF833D89E9D59AB60C5A6FF5C5D3681FB18B57CF254
                        SHA-512:A727B47A9D82FC188E337B7B6B431542001E018282DE835B15EEE0B039D5F68E35FE8E99D50CCC2B22D3F26D09706A3EC36B1D62141F44186BF9551BC9DA75D3
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 221 x 148, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):3184
                        Entropy (8bit):7.8630900763236635
                        Encrypted:false
                        SSDEEP:48:drWWpxOzppKlElCWBUd1ag5x1FgtWOrfZDGvNXGVruN5P19aLRFzsIMaXB8cbjbw:5WWiq0IqgrgtRRulGxY5P1Ozs8xVbjM
                        MD5:F9D12845496D41C905CDFE83184D5FE0
                        SHA1:C944C50F5F18733EE9B14AF920B82C520BEF7413
                        SHA-256:4ACF83EB735FE18D1F966B6C041E1F21645CA49E98688AD7DD3B62E75B8C159F
                        SHA-512:74177A75F62ABCD2A4180DC548BE047C5B48A647D4256F9C8CAC747B4F6C6B9FCFA35F88AE5A3CE954D92A06A992FD573761409F989EBA1BD4A0A145C4734518
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 253 x 179, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2772
                        Entropy (8bit):7.851913113424136
                        Encrypted:false
                        SSDEEP:48:G+UxoQP8H/vKEr5eICimez65udPQcAAWraa1laOfe+aAbJjPvtuJRXXvjkkDP2Fk:GH+RH/3eICimezGudPQDraawD+aAdNuB
                        MD5:74A7E29DFA61300BE1EFD9F16511C472
                        SHA1:D4D077D4F160C4BC1F8A783A41BF73C3C90CF473
                        SHA-256:70301841B123395675665F7B9A4A95ED658E6E499655C9B9F9123B11B6C59271
                        SHA-512:A6A661850B4CD0D71543B38D87F0B65C8F6D76CA0F497267927B9D5740A415816C94EF3AA5062545570F9988503C0A2CFF9BF6978D0C3268E32F034F7034D5DB
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 253 x 179, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2861
                        Entropy (8bit):7.836636045012349
                        Encrypted:false
                        SSDEEP:48:G+z4CjGMOWHLHvpYObJBFm2V3qgnUcfyGXqyvZYRjKiMWmj/iIklqF7:G69OyLSeDhqwUc5Z7WzqV
                        MD5:925415B41EE4AC0784F3303E037ABC1A
                        SHA1:F2D643686EC728B8362FEC0CABB9A2F3D815CC1B
                        SHA-256:0B048F9F820EE144C174A80E36D8628778C2332D625DFE6F73E42BADA6772DA4
                        SHA-512:961E67F904ECE58E0A65D9F7035DD3F892087940AF33713D8E1BAC99F30853B472272295A1C9D6FFF92D404E048CFA9BC74A8D2AD5BA6BC5C2C17EB58F00A4D5
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 270 x 180, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):4883
                        Entropy (8bit):7.914101756064351
                        Encrypted:false
                        SSDEEP:96:b6A83M4XnLKWlUDfwHhm5n3/eDsdVqDXVkaEcqVsvTywA2RTt9I/X:2gVUUDfUm5veDCyCXc+svlAuD4
                        MD5:DA5EB66ECA9B3E5F4F445D3B619632D3
                        SHA1:86937DB672C9C0EBA708E7AF84973766328B69D6
                        SHA-256:810918B484FBDE0576A12C3C69B15EB429038241D7A73608C2A3C276859EEA12
                        SHA-512:FE884FD67472D7C3D59280CBBB4923939407707F7A91022B9EBA3F817744793F948D435543F23B89398E94CBE16394FD2B24E0232A869351A2F892C6F03850C9
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 270 x 181, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):4970
                        Entropy (8bit):7.918801585601483
                        Encrypted:false
                        SSDEEP:96:2r4vQ7uUlkbxDAzBD0YjfvoJUCHbE80PClwBTwxcZWty:64v1UODmBD0QvoJUCHQ89lwBTwKOy
                        MD5:806C821E92A332E9027999A80CA6951E
                        SHA1:5365566E77705238BAC426A2E396B83C54976049
                        SHA-256:384A13D89ADD5A0144C9722D3ABA7893E45B4495E800DF557BDE5C7E84C8B792
                        SHA-512:75D771C510758D7F4B2A75980040ED74326B63F2CE4BE8524EC4CA10E3C083FFF176A95E909A812A122043461F3EF1F5DE98027A704021B7C06D8D71241794B0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 567 x 129, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):6725
                        Entropy (8bit):7.937534717511396
                        Encrypted:false
                        SSDEEP:192:2+EjDf5Uv6WEYBKP/Biu5os+SCxOUOKUWpo:X8DfBOKPJhUxZG
                        MD5:48EBA9C316231F11C1998893BE69BF0C
                        SHA1:90A3A211DCC79071BF2578B141741249A04949EB
                        SHA-256:25C37F6ED819BB05A22FA1846618C7D54C78CBAD856E03E71FB1CB5939FC3B19
                        SHA-512:3C12AA33D1701FD3CF809B26DA8F64D776C23C2C9EF5E91E63E2C922B558407DA71629E9BB5BFF58777A3220E16A91BCFB0CFC10D52E3F86D598A74738E03FBE
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 568 x 129, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):7061
                        Entropy (8bit):7.941053016684348
                        Encrypted:false
                        SSDEEP:192:66peFSyCa4BGXRW1KccnFMF+0okbJMElBFIn19Bwsg:66pq/XRW1KluvlB21fwsg
                        MD5:8D0FC1A1FCEB9CCE3A3BFE72EFEA4472
                        SHA1:23EC34BDEA36CD6DDEB3E1C01B64BFA116E8E3F2
                        SHA-256:22409C98257A8C94F09200884ABAEB688948F1F5381E493D39A06802432805F8
                        SHA-512:FA31F204952C8EFF34F4F2AEB913926577DB49FC15DBB9A1D7A65D4E8F6E7DC485DD231ED65FECBE6DAFC8373902780605CC5D370A1B0FF6F8D024D3534F07E1
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 563 x 325, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2540
                        Entropy (8bit):6.029624423166828
                        Encrypted:false
                        SSDEEP:24:3JQDjGsqI+5N/34s0edxb3Q2CjQRc0Yp2TsooCHasqh8nqbEDlOK:3ls65h34sHxbQ2at0Y1ooCH5iIpOK
                        MD5:5D31BEF0D0FB9881CC6B132DE1101745
                        SHA1:DF96187E5237134AA9DCC93CFAFA66627357A287
                        SHA-256:49E3EE10632BBD9A521AC129B83A6EB212AB2A3113F0C8FD1F8956E3B4436231
                        SHA-512:635B7A45065F9CBB97FA1A5FB12C1825DB39CD2E92B84F432D61259F92B68A33168A81A52C9564EA8E5461F9449451494C6583D734ED7F8AC5DA5CC899A6789D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 564 x 324, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2534
                        Entropy (8bit):6.187458781872805
                        Encrypted:false
                        SSDEEP:48:nPbQUi5pmkex74IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIU:nPbQUN5+IIIIIIIIIIIIIIIIIIIIIIIu
                        MD5:C50A9E7C951E3A00869A77173F05C5CC
                        SHA1:C308112B2685F993BC89D0FD242566C09C902A1E
                        SHA-256:3937FF6FD2AB14A64E1E71D209BBA6D6CD26314BE2A0A048F181F06FAA435C8A
                        SHA-512:B94FE6BB48F097D8CBC4EF6AA24F3F9B04629807FD826D0CF77F25FA1792ADF9D391D5738F8A346D13E768EBCB96BCE5FACEF4868382A1F847008F3F845801B9
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 418 x 41, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):1018
                        Entropy (8bit):7.592402450098522
                        Encrypted:false
                        SSDEEP:24:MAaGMBkeGB0mVARASA51bFEgiPBQ4XRUoo2NKh/WN:hXMke05yA7bugIQ4XvooY/Y
                        MD5:7374E2A43CB40C3A927B5F9959149901
                        SHA1:111FB872A39B6C082CA43CE575178461BB594530
                        SHA-256:9E3493FC9CF003474CC8E2E65814F3BC1FF8821C9E18F975B2B62C696D12FFE9
                        SHA-512:3BB01E810E49DC70008CFDC4471F72BFBD81E924B652A096235F2105965B22397DCA8C55EA9326FD6DFBD9DAB216D9D020E36AE1E96D8990E83B6AE86F013520
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 418 x 41, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):992
                        Entropy (8bit):7.535009718254115
                        Encrypted:false
                        SSDEEP:24:z8BxQe0TePO+8NiLc0Q3BvRbFsEFZ3DmyUaO6qtV5:z8B0J1Ocf3BHsUDm4Cd
                        MD5:14FB74503A226AD44EE05F6B3ACFCD48
                        SHA1:A6A941D05179649E59A009D62F27CFD795B3198B
                        SHA-256:F25EB99C02CBF3FCEAA3A5A6CB246BBFE26FB2662936CAFEBD9F8CDDE005151F
                        SHA-512:14F19438DCB85E157C6C43B2F19B76E172C0BCAB6D3B4EF26B55FD696B8E4B27197C6854718C9DB9F9B7D4AE1A62DDA03EDD8CAFCF869AEF0BE3F9DFD84A2B22
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 403 x 849, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):85416
                        Entropy (8bit):7.9853531268658555
                        Encrypted:false
                        SSDEEP:1536:wAvvK0847tDGOXl9CCdAB8C8uzhkKM+010k4lzyUOAManqZtq0IKJLf7+92:RK0NtyOuWA/2S2UGaxozm2
                        MD5:6428081514C762235484B78DE4D3FB53
                        SHA1:5D2D5F71B6433BB46704D795BF49815EDD8A0223
                        SHA-256:5C21456B22595F128A2C6303D966E9A8AA9ADF0D34C2B5C578559EFF15DEFDC9
                        SHA-512:49EC94B13B2CC0E7BAF12D737CAC3CADD7AA83A9CEAD2858E5A8E2E9FD0D6C0783FBAF46BF7E64DF375970A1A4B434BDACDA046CFECBBC19954B9668E67A3C88
                        Malicious:false
                        Preview:.PNG........IHDR.......Q.....&.Q.....pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:17-05:00" xmp:ModifyDate="2021-04-30T18:38:34-05:00" xmp:MetadataDate="2021-04-30T18:38:34-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:6352cb88-8d2a-e149-8d10-7cffae4a6cae" xmpMM:DocumentID="xmp.did:6352cb88-8d2a-e149-8d10-7cffae4a6cae" xmpMM:Original
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 1000 x 813, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):42674
                        Entropy (8bit):7.840543790213694
                        Encrypted:false
                        SSDEEP:768:U26KcWAxdOTO5c83tmMuc6Ewb9rrRLO+Pn3SDMyYdevWDXCF6xLF6+Svm/GdFa/5:UxnWAPOq51ki8g+PniDMTdevQSF6xLFt
                        MD5:6945E1DF586C00BA686661631EA1CB04
                        SHA1:9CF569943F5A14DCF9E7EF19782943A4E92A080E
                        SHA-256:60570553A0DAA7FF5A0D913A35A80CC56EB902DE30A6B9167915E996382B1601
                        SHA-512:DCC29BE2CB686FA00B68CA2449A693CB6DF4B7E15B6C8EB2B79A84044DEC9243614480381FB7E5238780E9E98293286293C8632AEB1D1F77BC705E1C5E4FFC2D
                        Malicious:false
                        Preview:.PNG........IHDR.......-............pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:17-05:00" xmp:ModifyDate="2021-04-30T21:23:22-05:00" xmp:MetadataDate="2021-04-30T21:23:22-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:6f655927-aa5d-0948-a8ff-3c5aaaecc992" xmpMM:DocumentID="adobe:docid:photoshop:aafcfe97-a717-7d4a-bfba-859cc33b877d"
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 1000 x 813, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):49327
                        Entropy (8bit):7.888483310268996
                        Encrypted:false
                        SSDEEP:768:HKKfW1CdIvk8YKDoAOA+MkG0VVHi8q7Fixi4xgBd56CR1ek8UFJiAEb:Hu1ebfAOA+HG0VtqEuj58k8qiAC
                        MD5:204887D32D0D728E2E72961501142C68
                        SHA1:3331B0FC1D18CD8C3CAD8AD69F8D1DD9CAA8B8A4
                        SHA-256:044AFB54D6FDD785AD82B34E4D8391FB58A1BD231EAF18CB5B3D2952F123DCDC
                        SHA-512:FA769DA9C79726E64B0EC58CF8B717BFC34A4F392FC9974369200448CBC266440BBDA4898BE3E9BE3FFB5BA16FBF47600E910C587A6CDDC25CD971CC60FB8D7C
                        Malicious:false
                        Preview:.PNG........IHDR.......-............pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:17-05:00" xmp:ModifyDate="2021-04-30T21:19:08-05:00" xmp:MetadataDate="2021-04-30T21:19:08-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:e16fd676-4704-dc4b-8de9-f5a093460ec6" xmpMM:DocumentID="adobe:docid:photoshop:8f014ea2-b541-b44b-a065-a8feef2455ce"
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 128 x 75, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):476
                        Entropy (8bit):6.572841577492603
                        Encrypted:false
                        SSDEEP:12:6v/7+/3UNBHPKNU+ZlZlZFpGOK+uf81ZlZlZFyHrK1ZAm8:6Nctbb7pGcufubb7yH2Lg
                        MD5:0EE2D0A6EA0FF374B16A61691601C046
                        SHA1:9267376FBFCD392CE6E45CBF33C814F4B22E9651
                        SHA-256:C75D0A805DABE8DA0C642883DA48509B0DA1A1ADA39472A77271A5BC5BA046AB
                        SHA-512:B3926CEE6A6713FA4F5897FFDDE188A01A2EA98CF19CE1E1337EC17E1AC6BF951F63CC2BF3951664EDA0630131142BB57017094D72945F31527CBC5767CFB752
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 128 x 75, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):491
                        Entropy (8bit):6.790559557465972
                        Encrypted:false
                        SSDEEP:12:6v/7+/EOJqXZdqBqyQ85+BNFaFIAhRMQS/uMlZlZl7Jc:XqXfqV4BNFShjSFlbb7K
                        MD5:A7F065CC49B62671D1F7A0C559E805C3
                        SHA1:DE343398B2C64DEFBFCCF09747D4925F79509439
                        SHA-256:10B9791E40694B30A4645B8841A31F7F16DFF84D38C31F5423A4250E1EAEFE49
                        SHA-512:6DBEBF11B04E5FF8C9C5F7A3B3B4F1572211E12A1FF499C0851E7D25F572C22C53A176FF685D7956E14ECC7ACAD6BA27CC5C951F7FBB19C2A53E5911F7131623
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 601 x 74, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):6635
                        Entropy (8bit):7.956737759715022
                        Encrypted:false
                        SSDEEP:192:rTOgkGBqPdihCpS1zTXA+x8vEIJ+7kXo3maupCIa:rnkAqPdmCIJXALa0P5a
                        MD5:64EFA7DC6B94CE461FD8B8E348A28B05
                        SHA1:7867140BB930F7ABE83EBB66D731141C4ABAC20A
                        SHA-256:EF69AD54F09D3223FEA10E0A8BBB71E31100078A87E095EB0CC9748906B3819D
                        SHA-512:AB9D0ACC714A212F20A7B97C6F798C507C42098B9A65FB03BE0A3D197F72D06762A892DDFB1375D456D16EE2BB58FD81E2EB19F257403EFBEEC7A273EE2D428E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 227 x 180, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):7228
                        Entropy (8bit):7.96362266301775
                        Encrypted:false
                        SSDEEP:96:kOt9w5kl1xpeQHWHAE5041RSdw5E4aee6AARfYIflh9M4Hzfaa+rstb1YpjT6s:k89wql/QaWpRSdc8e5/j9LaLrsMpjT6s
                        MD5:04EF5899D53A2AF4D87EB161DDDAE312
                        SHA1:EF05428FC27D5DA6EA9DE6B4E4FB0CFF0F7157E8
                        SHA-256:B8CCBC29B65B34C4BB7CE5E28FB0AE48CF499D45BCAA39BF7DA25C01D840378A
                        SHA-512:4341AE9AE239CC27EECFFA6117137F702D741A2A6DA6D1A89EC80813FC3ADD7C6D7F54751160786ABA657E7E84B67ABB25336A1821CCD615484AC22C2994254C
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 227 x 181, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):7176
                        Entropy (8bit):7.958435392585551
                        Encrypted:false
                        SSDEEP:192:1d39ffDdaSaHiWIKhJdof02esUeFEOTqzMBu7xDRs5:ThRGH4KadlXqcqRG
                        MD5:3381A6F3CF452721366507045E0A9DCE
                        SHA1:BC91156986104AE4794CCA4F63D68396668B4DCB
                        SHA-256:387D53BBD452C6CA18D0333D1D754CA8049621A6C9CB71ED82AA053DD95D1663
                        SHA-512:DDCB94DB1CC063CBB04B030F726F87C778182A6CFB76322E263C3D53635CE3F2B45B13A635AA6BB9684E84459B651AEB20FB70E777E0442DAAD39A9436437B33
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 272 x 202, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2605
                        Entropy (8bit):7.7402023981882175
                        Encrypted:false
                        SSDEEP:48:E+1u99QkCU8QSObjAzrOZzzx1EJ++YwO7sdcXvfpmR3akAkAkAkAkAkAkAkAkAkO:E+1u9sU1jAzrUzQJewOW0nUapppppppj
                        MD5:9E53C56B516DD54749FC05768098FFA9
                        SHA1:917DE4A8D10A862016D223859F9624465C45737B
                        SHA-256:E07E38B0B90360D8FC316E37436E94D7692A02E500C60A0064C3DB22AF3DE49D
                        SHA-512:AFE46AD70BBF82188C85717EC581077C1667361181C99E03A176CD54761D629B188712A29BD88FA8AD796CA5CE5EB4E314D78146E1E6AFBFEDA59DCB5AEF2870
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 272 x 201, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2609
                        Entropy (8bit):7.751935570594546
                        Encrypted:false
                        SSDEEP:48:rWJfP2n18fIq36wA1Y3S0XCi+OsmgV7iQKeApLzuVcaaWhq0OIsHZc:l8gq36wYYNr+OsvxiR5Zgc1vIsHy
                        MD5:8BB5D9194F9AE840C1EF54C02C43FE99
                        SHA1:96EFAC9879BBEA22C1EA2FFF18B1F2BC3E4594E1
                        SHA-256:D07F812BD5236CCBFD9217C6AC267DE941D006641ABB3531BB5149DEA9E17743
                        SHA-512:F22625D9C3FEB679DEF5E0AB3C92A5EBBB255CC7F7AF419C69C323F85B8203776F4A1530927FD8B6BDC9824328510F20DB752B2EBC3F862756A5BE707CC1E15D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 1000 x 1000, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):69554
                        Entropy (8bit):7.876398312717814
                        Encrypted:false
                        SSDEEP:1536:EoeNeq0IAahqMnkW45preYA7eVyQud3ce/XjG+7/p:w/DHnF6FcJJJB/j9zp
                        MD5:C6A33864468BF8E7F43B4BBB8DBCF83E
                        SHA1:99F18AB1F88249E2D184E2ED09111E6DF849BA57
                        SHA-256:BFD7126FBA79119B208374700733B636EBDE1E03A20F0D07757181D59E8DBB9B
                        SHA-512:BD4CA6DF1BE8046AAC755F9790AB0E02A7692D18C6F9341227CF1A2E013C54BEB1DFA66F5F5C31D46E18D3CBAE077950C0034B88860D593ADD0FC7B0DE8C9493
                        Malicious:false
                        Preview:.PNG........IHDR...............C.....pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:18-05:00" xmp:ModifyDate="2021-04-30T18:45:01-05:00" xmp:MetadataDate="2021-04-30T18:45:01-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:c433aeb0-0a69-0043-ad67-aefd8a1b2e97" xmpMM:DocumentID="xmp.did:c433aeb0-0a69-0043-ad67-aefd8a1b2e97" xmpMM:Original
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 155 x 136, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2340
                        Entropy (8bit):7.846633957982799
                        Encrypted:false
                        SSDEEP:48:EtDfZuMXtRcFH05EWPCLp60Q1/cb/oem1aHUPaGc4e4mwm:EtD48bcIcp60Qh+/oeCC7Sm
                        MD5:6050EDE0EDF86C0CB1E93000FFCB627C
                        SHA1:A28E3B8C5344F1D5DD145B9BD80F2E3655798350
                        SHA-256:020E19B7DC88FDE6473BF002ED65622808C5B77D50B273A81AEF7E287FC950DB
                        SHA-512:371283937CC3606ED899C1FDC8817E43B9DBF0263D430B83D87153D3844985F9F5AD1471AD240748BC227A420BD11CDE75A1FACFD8E8E0EB2615E8B507D5A074
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 154 x 136, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):2267
                        Entropy (8bit):7.8636669830835295
                        Encrypted:false
                        SSDEEP:48:7I1s/0OuyGJQmNgm5xazmEtY3r3JIS2aS1LvYX7BIG1Ayejzj:7IK0Ouye/azxoIkS5AX7BIa/Azj
                        MD5:11BAFFF191DA71749104B9CCBF5FBAD8
                        SHA1:BA6CB42E95FD177C5DB06A74B93CD0FD5AEFBD49
                        SHA-256:1012143CE9B9009DE27EC83417BCB290998EC1D47642226755FE5BEAF018573D
                        SHA-512:427D6CD7F71AD26C07590641BB9F31240C71FE7415BB256D1EB882AFFB13EC34D30835C8DB27924D5A44AD97677004FB2960B93BB206E3FC484E8A4196A47831
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 720 x 788, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):66299
                        Entropy (8bit):7.961523068971229
                        Encrypted:false
                        SSDEEP:1536:yaDvYOVbQEQjKJXDVCf7P/2qzYzpsL6/ET7B1d51pDKx4vnE:xDgCbQoJXq2wYzKzBnBGanE
                        MD5:C63418D64D9F55FAE8983BB8E3390F22
                        SHA1:EFB964CC281188199E67377EEF79915A2F47CA4D
                        SHA-256:C7600F818D52DA2291188622BB31F89FD7C6CA5BB724BB75562AB80F8B380DA6
                        SHA-512:593B13021E2F772299B48E5183ABF832237AE083124F34FDE0AB3B2FC90C163FD0886142AC4271455917713D92002F0249F6415DFE4056581500C648C2E665D4
                        Malicious:false
                        Preview:.PNG........IHDR..............;......pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:18-05:00" xmp:ModifyDate="2021-05-01T12:58:43-05:00" xmp:MetadataDate="2021-05-01T12:58:43-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:4fcf30c5-2837-6d49-9228-8aaf4ce449fe" xmpMM:DocumentID="adobe:docid:photoshop:1e58d27a-8eb5-7043-9c25-a23e0fa28b76"
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 720 x 788, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):225205
                        Entropy (8bit):7.988659019849531
                        Encrypted:false
                        SSDEEP:6144:YzOPygYSjCzPltsEGUW1k+/5C8fBRNxPg3otp1xUxGQ:Y69azP49UGk+/bZRNZ4DGQ
                        MD5:0B24AF962EFB65CF9D84D32F1051CB7F
                        SHA1:AF93286939B3ED2FB8B4281E80A0616C2FD850AD
                        SHA-256:A5C3F258AA8BC1B5113F9EE3EE68C0B494C0396DF89E64BA397809E5BAB98127
                        SHA-512:29F3A99E33467CF3E92AE55E1CBBA5A0F8985F159F0A5583266CBA7AB66CB78F91D95D0AC97329835939290464CA2696EE339D65B79635D00481A4358BE88B61
                        Malicious:false
                        Preview:.PNG........IHDR..............;......pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:18-05:00" xmp:ModifyDate="2021-05-01T12:53:49-05:00" xmp:MetadataDate="2021-05-01T12:53:49-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:ee909eb4-bcc6-cf4b-b832-a231bec47261" xmpMM:DocumentID="adobe:docid:photoshop:57ed1941-e4ee-a143-aaa6-82c889b5b586"
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 996 x 822, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):62003
                        Entropy (8bit):7.882536706934873
                        Encrypted:false
                        SSDEEP:768:DmQg8L4uOc2ALn9mKqYFrUjGE3ztVfasP+tbrpPS+plZ8qHK8mUSGlxGt6uu1ibH:Dm64py9lqYFkJVSV/YqqL8lwtnuMahb4
                        MD5:33DEF4334217F9817B543EFE2BD011A0
                        SHA1:A856001007EFA1275E2564B86640A376837C41F9
                        SHA-256:6122D3A1745C83B68B99C595EB0AE24FCD06C2E1FA74F3AA67CDB2088592C796
                        SHA-512:FD78545900E479353304D07B46CB5DF55822324A38BA717715C9C84DFCFAB16761D21A337D0B1C9420FC79C1C0898DA425F8DBDFE3F3FC306F5550EB21D778BF
                        Malicious:false
                        Preview:.PNG........IHDR.......6........b....pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:18-05:00" xmp:ModifyDate="2021-04-30T21:10:30-05:00" xmp:MetadataDate="2021-04-30T21:10:30-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:13569480-ea61-a44e-b054-8352c2def7a0" xmpMM:DocumentID="adobe:docid:photoshop:766ddbae-3d8a-1743-bad8-2c7d64d35992"
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 996 x 822, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):260289
                        Entropy (8bit):7.986983765173423
                        Encrypted:false
                        SSDEEP:6144:Mituzb/ztF2V+J5d1/05VU2I7V96Kfka4L1+Q1833P:uv5QV0t0k1V968a1+QuHP
                        MD5:28CA09E17FA6D684172BE70F5E88D5DD
                        SHA1:562FEAAD833907F1ED1F0BE6AD54B3AE7A5A1E01
                        SHA-256:54F0D37EED8C9CF43C71E168FA31CE0E58579C40B08C594B1C19F044FBC460E7
                        SHA-512:B4CDFB8CB2BCFA19258C118C839947CAC2582A9201A29DA2C7E5E14B8CCA8D5BB49B035AF505CCD145FA8926C79B7CCF042D2948A21A76AA84890C64FE12E049
                        Malicious:false
                        Preview:.PNG........IHDR.......6........b....pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:18-05:00" xmp:ModifyDate="2021-04-30T21:16:24-05:00" xmp:MetadataDate="2021-04-30T21:16:24-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:9cba2451-d985-764b-93b9-d14c63061ffb" xmpMM:DocumentID="adobe:docid:photoshop:5d86836f-d0be-2a49-a299-386e92516686"
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:SVG Scalable Vector Graphics image
                        Category:dropped
                        Size (bytes):330
                        Entropy (8bit):5.119426182542363
                        Encrypted:false
                        SSDEEP:6:tccGS3mc4slZKYnic4sFvQoEGlBMfqGqR3laF4SK3lNkADT/HD38:tcFS3/KYh93Mfq93ladK3lNbDzHD38
                        MD5:0C7F014CE9B23358D00BA953D9C44CCB
                        SHA1:DF1752C78BC6BD78615783C512AA81302FC14D13
                        SHA-256:A0F75FFC5C685A770D776661D354422DBA9DC17AA84885F6F35DB82106A7DF67
                        SHA-512:3DEE488FA25CBD4F2DC6CB789D4BF29E48C1CBD320D6DD7CFF92042923745D868C4C0580B9FB499BB4699D7FFC6AC2D9FA80EC4330F8C8B4B685E9E4AE21373B
                        Malicious:false
                        Preview:<svg viewBox="0 0 96 96" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="Icons_HamburgerMenuIcon" overflow="hidden"><path d="M11 30 48 30 85 30 85 18 11 18Z" fill="#FFFFFF"/><path d="M11 54 48 54 85 54 85 42 11 42Z" fill="#FFFFFF"/><path d="M11 78 48 78 85 78 85 66 11 66Z" fill="#FFFFFF"/></svg>
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):8329
                        Entropy (8bit):7.832751646585658
                        Encrypted:false
                        SSDEEP:192:nbj4rMvGOipjk7J9jjUkgTmdo9jU83jbZOwlVbDQMcYR9qH2Xo+c:nNe3k70adoNU8Tb7DbjR9E2Xo+c
                        MD5:164EAD314AC3D2E989D23C9A2BF92509
                        SHA1:01ABDBF23F0C579C8E7BEB94326EB0EC893DED2F
                        SHA-256:188604E0436236A03272350C27A8E6EF96EDADD7E89F35975369F446A1D9DC82
                        SHA-512:3FF029EE8321A2F333FB708FE5109CB86A97C5682C6FCBB558485E866400E5B5E9F901062E931CD37FF4AF5E6058FD8A9B72E9C7C59712541009E0278A068873
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 135 x 176, 8-bit/color RGBA, non-interlaced
                        Category:dropped
                        Size (bytes):12500
                        Entropy (8bit):7.963895025939282
                        Encrypted:false
                        SSDEEP:384:puDCg3GXRy+I3dfjFIK6Sdg9cA0g5LWqsjtT:vg3/trGn9cAXW
                        MD5:DDC8FD60D7AC9B0F5B4A31F85941D910
                        SHA1:D178CF17269863F9D66564BEDB0501B68B788D0C
                        SHA-256:DDAF21F47792E18653DC4737562F0A50704D29C165FC6B0D79BACFFB52235032
                        SHA-512:F2EC43E66913D43594326E08FC4D196561B6125B71E74A9158A1555458B09BA3B9B2633C53117FC65B614ED63CE5C16FC93713ABB10F29884271FB677245E5F1
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 139 x 139, 8-bit colormap, non-interlaced
                        Category:dropped
                        Size (bytes):1175
                        Entropy (8bit):7.6598667385130375
                        Encrypted:false
                        SSDEEP:24:IAh+4Jr4fJLlxuQNJzPaS7ABIijx++53yyqDb2BBqLjWN4:IA/JyLlxrzSGAFL53Vq/Q2jJ
                        MD5:E9FB3CF8B34D6CFB76978312E8B1D0AA
                        SHA1:69382962C0C236B16B4153FF66F81241B4EB0508
                        SHA-256:38CBCF4277F5C062906535018C6D5BB9DB86C1B90C1090CDB39C0A4398C86D93
                        SHA-512:CCBBC2B407D7742BD7960C48FAA1F299CA43E5CC83A6204EAC9FE0534B3EBCEB5E23EAE462252B325AE4CB3DEDB264ABC657C8960D4836EAEAAE4BA28F2465AD
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 755 x 396, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):51633
                        Entropy (8bit):7.977056362115758
                        Encrypted:false
                        SSDEEP:1536:jnYsZO/yN01sa2DT8krc9ri/FVpQbSS8T7C8+GCM7bHacC0EIIA42xO:DYgO/p238bhiNfQeS78+GCQHjC0Dh0
                        MD5:39728FCA44F75F4E8070E789ACA184D7
                        SHA1:F4CAA9AC061752ED81720B03D5E56DBD322EC33C
                        SHA-256:4A987D6FD5B338F3EDCBAF8C7C514076F44026DE4F11276C11335ECF3FDC3117
                        SHA-512:363918CCA1424E2D0D927A1438C539BC38130936E893E42F9AAB370BB57FCDD4306BEB6B0B16E20A9E1B852A72051409BC1C54E052FF5C20E8CD5138271820DD
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 95 x 95, 8-bit colormap, non-interlaced
                        Category:dropped
                        Size (bytes):855
                        Entropy (8bit):7.436117043011675
                        Encrypted:false
                        SSDEEP:12:6v/7o4/fM/M6UG7NU/+04/0gira0+rfloGWVYSMlDhg9wFzPBziJuUQeJCctHu9:Ox6UyU/+jkra0ufllRm9wZP5fUNUctHg
                        MD5:B2D1F94BB64D09B0A984994312A44326
                        SHA1:D6E755583CF299DF6AB1131C9D94AA18ED5E7DBF
                        SHA-256:B67CC2D62300EFC5D1AC008525E37269AD477BA57D0C6B0A6DEF5DD2EC5F8D72
                        SHA-512:C28B92A2847AA5DD1D664B466C31837963121AA3B38615CF221AD9CAF81E5412F454EE0502C17042FED288B0984C5602F99D81BAADAC7876DF35A79E5ACEE57D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PNG image data, 590 x 589, 8-bit/color RGB, non-interlaced
                        Category:dropped
                        Size (bytes):137156
                        Entropy (8bit):7.99115996925414
                        Encrypted:true
                        SSDEEP:3072:Yk7BUP0qkRwSPdlu+RCq1G0pmWS+iFmKLvlj+DWEZMJYRp:Yk7C8qkRHPdlucCOPpmyRKDd+DW1ap
                        MD5:337565E283405CBA53EF817465D7582E
                        SHA1:813C6E741BA1E430547E615006F53C415309CA8B
                        SHA-256:E6A0F5E41B147D59AE1ED49FE8F805516AFFFCB544EB10377A58C8A0F86FE50D
                        SHA-512:5A2BF0CCF1B6254C2A5B498D42D3B6111BFB7D01D55BC540B7C568D06B208BEC7737FA16C48A3813A64A6EE5980E53F8428A55C22E46D2C56FB8D6B40901815E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):29464
                        Entropy (8bit):6.454905771753302
                        Encrypted:false
                        SSDEEP:384:1JGWtLDBqWg7I7BFQvW1xLfCOF33OOO3OOOO3O3fOOO3OOOO3O3B3OTFRxYLcTIg:jGpWg7g2TFOcTQwBy0SJYiQASAMxkE
                        MD5:C9E30F06F662C51D59286F713AC11690
                        SHA1:AAC6C177F33ABA956B9BE318512BC6A3C9A33E88
                        SHA-256:9FE5A7B910AA0AE97214BBEFCAB43FFEB4F94B5EA47335C99DB9A6A824AA96C5
                        SHA-512:0C0724BEF2D2D4421B20AF7961874FDBE785265651B568A8AC868D437DAF2B645E19A6309C8D836CD20490D8DBB123F8A3F9F91AA427199DFB279DF807CE5E18
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):694040
                        Entropy (8bit):6.798102285658193
                        Encrypted:false
                        SSDEEP:12288:gJkgHpHfl7unn983HkCSamwpx8dDgX9C0p6Qzz:giYpL3HxSaHpudDG9C08Qzz
                        MD5:791CA00E60183CE182D776A143DF6EC9
                        SHA1:368E837E0163E49C4FFC3CB1E96D03640CBE6BB0
                        SHA-256:790F666A8E61FA13618CBA524C7F05856880E56DDC226654C0FEC20955878608
                        SHA-512:6A74FF474AF4E0E756509592EE64685C0993EADDE40518EE5574E0DB0EA8A84651185FFE0BF22B4E06B8F2F4B4FE3767CB5AD919095945C0759FDFF3986385C9
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2056
                        Entropy (8bit):4.542339687773985
                        Encrypted:false
                        SSDEEP:24:2dRE//EkMruCF9JzN8PzdKfomWfZAfqRX6hpQ9793/0AbhXI4X89:cpdR8Pzk4QfMtzNM9
                        MD5:6D9D46649B405988650753948C8E374C
                        SHA1:D73D605051D538D4ED9D2E8367D8977600046049
                        SHA-256:54067968411799D76813CD2D980AA26D04E3E78632E6CE2747A555E30BF32690
                        SHA-512:E451B77D2968DC9E6728A7EAEC5851FD7C79415FB8D2B95FDCF15EFC75C4FD065D1FDE0A593B5C7D49EAAE817BC39EBCA1F00C561711CF5FC8F3C2C7BE93719C
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>..<config>.. <log_enable>0</log_enable>.. <log_level>0</log_level>.. <device>.. <server_ip>127.0.0.1</server_ip>.. <server_port>27182</server_port>.. <http_max_users>16</http_max_users>.. <https_enable>0</https_enable>.. <need_auth>0</need_auth>.. <information>.. <Manufacturer>ScreenBeam</Manufacturer>.. <Model>SB1100PLUS</Model>.. <FirmwareVersion>1.0</FirmwareVersion>.. <SerialNumber>123456</SerialNumber>.. <HardwareId>0.1</HardwareId>.. </information>.. <user>.. <username>admin</username>.. <password>admin</password>.. <userlevel>Administrator</userlevel>.. </user>.. <profile>.. <video_source>.. <width>[VideoWidth]</width>.. <height>[VideoHeight]</height>.. </video_source>.. <video_encoder>.. <width>[Vide
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4246
                        Entropy (8bit):4.59391160498296
                        Encrypted:false
                        SSDEEP:48:cpdCtK8Pzk4QfMtzNMfdCQW/8PzkTCcMtexNM9:C1gZtzNktegJtYNW
                        MD5:3907C753C5684A8E3E5F527D52BCC033
                        SHA1:35C0132D2A728632439414DE9C00E450D4092E36
                        SHA-256:83E20372AFDC7388F8310860908B0E1E5478C371AC97B28914C2FA176E52E2E9
                        SHA-512:B31290F12774B1F85298D1A87C21B218FBF0C35A3797F4DA9B4841D448D46C54118F4D517AD5F01DFB2AEC6ED243C2FD65FD76902540DE19F1B5778056A5A5FB
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>..<config>.. <log_enable>0</log_enable>.. <log_level>0</log_level>.. <device>.. <server_ip>127.0.0.1</server_ip>.. <server_port>27182</server_port>.. <http_max_users>16</http_max_users>.. <https_enable>0</https_enable>.. <need_auth>0</need_auth>....<camera_name>In-Room Camera</camera_name>....<camera_uuid>[CameraUUID]</camera_uuid>.. <information>.. <Manufacturer>ScreenBeam</Manufacturer>.. <Model>SB1100PLUS</Model>.. <FirmwareVersion>1.0</FirmwareVersion>.. <SerialNumber>123456</SerialNumber>.. <HardwareId>0.1</HardwareId>.. </information>.. <user>.. <username>admin</username>.. <password>admin</password>.. <userlevel>Administrator</userlevel>.. </user>.. <profile>.. <video_source>.. <width>[VideoWidth]</width>.. <height>[VideoHeight]</height>
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:ASCII text, with very long lines (1519), with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):5127
                        Entropy (8bit):5.331931775659372
                        Encrypted:false
                        SSDEEP:96:o/OpOWBHl18Pe6HGbpOWBHl18Pe6HcpOWBHZ83ehebpOWBHZ83ehn:7pOWBF1ke6mbpOWBF1ke68pOWB5UeYbD
                        MD5:A87DDC5D8B7E5D761FB916AF29B40BC4
                        SHA1:B92C2E94D8B4536129F4B1ABD6525F32C09CE4ED
                        SHA-256:6867B93F2F7E603F8BD1ABE82A19905018FE0634176C442A08F8ED83E8EB257B
                        SHA-512:7CF4EBEDBAC013927454C900E57CADC59843F565D571DF7E89E56AA0D2A16680BBD2825D944365DAB7C47DB664DCCB8476ED51BEB36CB408049A2CA7AB530EBD
                        Malicious:false
                        Preview:[2021-08-23 21:52:25] : [ERROR] http_srv_net_init, bind tcp socket fail,err[WSAE-10049]!!!..[2021-08-23 21:52:25] : [DEBUG] onvif_device_hello, p_buf = <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:enc="http://www.w3.org/2003/05/soap-encoding" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsa5="http://www.w3.org/2005/08/addressing" xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:dn="http://www.onvif.org/ver10/network/wsdl" xmlns:tt="http://www.onvif.org/ver10/schema" xmlns:tds="http://www.onvif.org/ver10/device/wsdl"><s:Header><wsa:MessageID>uuid:30991b2f-72c2-24fc-5d79-2b1312437e85</wsa:MessageID><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Hello</wsa:Action></s:Header><s:Body><d:Hello><wsa:EndpointReference><wsa:Address>urn:uuid:718a1fb9-27d6-3c95-6829-4ab318de4250</wsa
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2434328
                        Entropy (8bit):6.265965080489682
                        Encrypted:false
                        SSDEEP:49152:iQ1VVA2kTpvTDuW8VNd1CPwDv3uFh+0nUg:iQ1Vu5DuW8fd1CPwDv3uFh+0N
                        MD5:BBE6544A2463E7F3B27F41B760C87600
                        SHA1:ADB20E2518FBA34EC85941AF2E4FF26312DA8A2C
                        SHA-256:96FC06CC2E4161D34A2BE2443A9E82BD2DED6831E589C5570EC61841AC24FFF3
                        SHA-512:8BC2137D6266C208F8AE6F4F02644556C6F704C647BD3592BD7C28992B02B8D54EC77825466891108D3F4CC2DF76E6C58D22A8CCBD0D3E963A894AA6CD7EF035
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):515352
                        Entropy (8bit):5.814079585998486
                        Encrypted:false
                        SSDEEP:12288:oJ8sR6fYGsTRZ9vpHvG9ZiBgp/GidLzVaU2lvzXE5J:o/Xsf8WaU2lvzXE5J
                        MD5:B099C2C82838FCE61AE04D31DDEC4904
                        SHA1:F036A622E122127EC16BA57BF279ED575C5BA17D
                        SHA-256:4CDB1B8B05FBBBBB1B242CE4EBE620EC28C79EA0B61F3B22DFA373C63FA46A0D
                        SHA-512:6DF64C2B171BD14534B253CC1F8F97938D3AA31D74B45DA5CBBF863CE2DA6257756852F81B5B77A5FE485988F5585A44942932C0B62181478393B995DBA52967
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):28635
                        Entropy (8bit):5.2012587313035885
                        Encrypted:false
                        SSDEEP:384:uJymAewyafBfBb3IyRcKjo8jmnCB8G289tn+Q8D/BOKJt28WH8mHmQn/rajAZxqg:Jj5B+xERuY7MIAIASkXS6XNQ
                        MD5:612C974F0E3EA3B05914188CA96A0AA6
                        SHA1:12D18BEBBDB5D03D21C2BE8E4F35CD4C8834FB7B
                        SHA-256:9A37752D8A0B5E89DA83AFD9D65A22DA8781D1C74699B1FB78E324001D787A37
                        SHA-512:5C4873A6A5FF06E07A06D5CF857E8E5929C7F8955900D2756F5D405C48A618B3A13DFFBF30FD2E26D49D4E9B15FA6B8AF3B9DDA2551052ED31F7F3364F2F9AC5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>...<config>...<log_enable>0</log_enable>...<log_level>0</log_level>...<device>...<server_ip>127.0.0.1</server_ip>...<server_port>10000</server_port>...<http_max_users>16</http_max_users>...<https_enable>0</https_enable>...<need_auth>0</need_auth>...<EndpointReference>f258763e-0959-4c30-b432-6729c72df070</EndpointReference>...<information>...<tds:Manufacturer>ScreenBeam</tds:Manufacturer>...<tds:Model>SB1100PLUS</tds:Model>...<tds:FirmwareVersion>1.0</tds:FirmwareVersion>...<tds:SerialNumber>123456</tds:SerialNumber>...<tds:HardwareId>0.1</tds:HardwareId>...</information>...<user>...<fixed>TRUE</fixed>...<username>admin</username>...<password>admin</password>...<userlevel>Administrator</userlevel>...</user>...<RemoteUser>...<Username></Username>...<Password></Password>...<UseDerivedPassword>FALSE</UseDerivedPassword>...</RemoteUser>...<SystemDateTime>...<tt:DateTimeType>NTP</tt:DateTimeType>...<tt:DaylightSavings>false</tt:DaylightSavings>...<tt:Tim
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PEM certificate
                        Category:dropped
                        Size (bytes):1298
                        Entropy (8bit):5.792853162111365
                        Encrypted:false
                        SSDEEP:24:LrDpMNpyvSq0pxpynh0YH0kcP0y7Fm8osGYeoeGOodxp1ha7K9A:LryjppnhkaL7FCsGYeoWipS
                        MD5:CDAF1F178B74FDF227723E7516464254
                        SHA1:85908E45E29EAAE60CE6D4EB90861B0C61DDDD89
                        SHA-256:525CA5B085D6F9D4A4D7C4C7A2986E9E4E467EE1030E12EDF07C5E2812BD1C79
                        SHA-512:44F7A7222075F63B7681B9C4C301D7F318B476E3518C4D3A76F21340BFC158AA5A01D7E523C5EC254D9E621D793F0D50C906063A3139717B6DA73B65F0406963
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PEM RSA private key
                        Category:dropped
                        Size (bytes):902
                        Entropy (8bit):6.008844379962527
                        Encrypted:false
                        SSDEEP:24:Lr4Rt7PVG5ju0j71GT86Ohq3B9avOcyh1uMRESsH6:LrEtgPjxX23Uxyfurq
                        MD5:022C48439BC463BA3EC82002B5845A3C
                        SHA1:2CD2A36E397287481E46B7E85477A70072127922
                        SHA-256:B95A00C0C85DBF880BC9010CDB9C073B1665D5B4A940E05109A667438984A529
                        SHA-512:50C44A1667095CC9DAA02A4D7150D82211A69A5E59B8BEC8108B94F8A4A115BA8DEED05F886FB1A25065179FD5F474CAA8B00BC85F8849389C80920A32755C08
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PDF document, version 1.7, 25 pages
                        Category:dropped
                        Size (bytes):682431
                        Entropy (8bit):7.869888364240819
                        Encrypted:false
                        SSDEEP:12288:A86ijIexjY7508+5xtPNWvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvK:A52Wu+cE33MO30BnHNT17
                        MD5:A26BDC90611ED559EB76EB35EB8B5219
                        SHA1:E739803561D958E6FBBEA50295C22218FFD3D23D
                        SHA-256:0D9FA2A08AAE647FDD0014B4C0CF0951FF2A63BA4D7D2E5C0FF43769FA8BC8AA
                        SHA-512:CD63F6D27DD2EEA26773A5D8B33322CEDA130510840B3AADFBF2D59CB3CE29F25EFD9CF0EFAA6ED51B78D937693BAFBB05A7B9431A53965A2D30FBFF5FBB7D98
                        Malicious:false
                        Preview:%PDF-1.7.%.....1 0 obj.<</Names <</Dests 4 0 R>> /Outlines 5 0 R /Pages 2 0 R /Type /Catalog>>.endobj.3 0 obj.<</Author (Happytimesoft) /Comments () /Company () /CreationDate (D:20210802110638+03'06') /Creator (...W.P.S. e.[W) /Keywords () /ModDate (D:20210802110638+03'06') /Producer () /SourceModified (D:20210802110639+03'06') /Subject () /Title (Onvif Server) /Trapped /False>>.endobj.
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):74520
                        Entropy (8bit):6.849253783098929
                        Encrypted:false
                        SSDEEP:1536:l42886xv555et/MCsjw0BuRK3jteo3ecbA2W86f7Qaxr:l428V55At/zqw+Iq9ecbA2W8CM6
                        MD5:C0673FED51645C9371E4F7FB7B055069
                        SHA1:3546CF0DDED5A2E484D7F586E35AE8C7514B0F79
                        SHA-256:590953DC589ED19BD1FB09ADF4F18CC00788929EA90D46ECB28D8747690263A9
                        SHA-512:98E31357F2A1E46599893D3B00E43746AA7592E4AE1002E1F672896599A471E3D54F5E48D710B3C87E698A671523E74A4E785D86B46CC3169F069C9EF8276C1E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):402200
                        Entropy (8bit):6.730627615295673
                        Encrypted:false
                        SSDEEP:6144:TLVeNa307jXrapwILWL9pMCsVohOn81Za7PGW698TB5vC0Tzhf:P36jALWL9OCmohOnqcGW698TPvC01
                        MD5:445F7538B5EAB5F5A28CCEC8A1F07BC9
                        SHA1:3FB993616A37B6031788E2D0E658A05D243D3016
                        SHA-256:064E3702D739C3287141C7C4615D3D215431FCC800DAD0520F7A3BA667ABBC63
                        SHA-512:54E9C9254FB467799402C6720BE79B821005E9A6F824CE892170A3B8EB953F9A5F921D6DC559AA7AA5C42BDFBE1BE5B8EA27C1C063AB196D357F0955167136F6
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):3567896
                        Entropy (8bit):6.162182105574189
                        Encrypted:false
                        SSDEEP:24576:NOkuRMk0mZk7qDL2PtBLhM7RU7R2/8QcVYtk3:NOk4P4dmRU7R2/8QcVR
                        MD5:2C2C738027BDA0CCAC83819F8CFB57F4
                        SHA1:8E8FE34DED17865CCF8AB49EAAC71C99EA9139D2
                        SHA-256:D08868C4220BC7B40EC343B0F32A6E4F8B0E005BFE7C0218594B764C6149E9F3
                        SHA-512:FB0DE1B42F66E2019ED3CC4287A5D84D510C5270B2572F24A1CFB0AC097354A5CE43F1D9A3A84E727BB21BDA9D255773B3B1DEC7780F0E397470CF697B72CC4B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*3675 bytes
                        Category:dropped
                        Size (bytes):1881600
                        Entropy (8bit):4.153189992522293
                        Encrypted:false
                        SSDEEP:12288:joj++vd7wRRaHmTp4dg5uSdV0uRlqV9CNxoF4dj9j:+nRXH/g5ndV0yNZt
                        MD5:94C8740D63B37C684DE2161DAB3F12A0
                        SHA1:0D9D0A83BAA3A88DF4C81244215E310E0BA4FD94
                        SHA-256:7D118A9927106081E6861212729B50B9954CDC156BEA7553D76A2E137D97A048
                        SHA-512:3C97A442758325B8262015A47AF1BFB47F838C70557AC95AE8BCE9D5D87696344F46D928D1A99999CB8924A343EFCFD717F167030F6B2930A3B9CB3524D2CEBF
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):599672
                        Entropy (8bit):4.694314470643874
                        Encrypted:false
                        SSDEEP:6144:NktMqadrRUnvQFqnhpcROFutFeBiR5b7TVjEqqpFL:3UCA
                        MD5:3DEB13968C22CDE75D6F614DFA25758E
                        SHA1:177E9B52A72AE157F70EA16D16F3E917BEBE3B79
                        SHA-256:90AACC1B9F0325A081C1DC5BABC580D693A3D5CAB61905BE8D3E9BC2496F4ACB
                        SHA-512:8269F6900AB3AE726D6D79C9135F1D46A8AE9192C88C7EE82CA6038CD25CC5CC30D7F5215D049CB17DEC8EA18F02511315E79C16F17A0148DEF46580B746F314
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>MahApps.Metro</name>.. </assembly>.. <members>.. <member name="P:MahApps.Metro.Accessibility.AccessibilitySwitches.UseNetFx472CompatibleAccessibilityFeatures">.. <summary>.. Switch to force accessibility to only use features compatible with .NET 472.. When true, all accessibility features are compatible with .NET 472.. When false, accessibility features added in .NET versions greater than 472 can be enabled... </summary>.. </member>.. <member name="T:MahApps.Metro.Actions.CommandTriggerAction">.. <summary>.. This CommandTriggerAction can be used to bind any event on any FrameworkElement to an <see cref="T:System.Windows.Input.ICommand" />... This trigger can only be attached to a FrameworkElement or a class deriving from FrameworkElement... .. This class is inspired from Laurent Bugnion and h
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):102168
                        Entropy (8bit):6.120408464675954
                        Encrypted:false
                        SSDEEP:1536:+rf5GttgxHXEuRmG5rtkGY4CEmWAxXSSYhhS98ca2Wvsd65FJDlGWwkEyq7Qjx:W5GttWHXEUx5r65LxXshk8JDIWPqM
                        MD5:D918C3CDFD629929C08931F0E3B7848A
                        SHA1:EBC8A61ADDF30883AFFFB584309FAD9C7989270F
                        SHA-256:4FB1F48D1A2EDE2D4769210050D39F92D14ABF158CADC54A80B24010037D3682
                        SHA-512:448FF92C55B8B8FE4463F3D8226FA664B7206361F765AF275F5C12AF6D4671356466C419E4B71E41F6E4CB7B8A0AEC6B899FBC8915B5450D1F5D4B0CE5F86951
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with very long lines (409), with CRLF line terminators
                        Category:dropped
                        Size (bytes):76763
                        Entropy (8bit):4.535821308884759
                        Encrypted:false
                        SSDEEP:1536:+hRBEEny5f5YFsUxLvgLTGzJxKG4E+pZ1aI8a2GKvEGKGlMEYHDPrMp3hIr4Poqm:qvyFrMp3hc7oTi
                        MD5:6183C17BCC82E2A2885A14B35FA50B1C
                        SHA1:CE4E6A7BA118FA52DCD3C5E448F1FA26040E85E3
                        SHA-256:6208068DD16A2C1C79FAA2E29CA029B59DE06CD66F16D9DC27EDABB8FFEBAD48
                        SHA-512:B5140BECB6F72075BDFFB40DCCADD77A83B8836BE87FE2B3AB7AF18EAD85F6F9171B3E97640352BEB1DB64393CA67033EC09F7B2F95C85ADE795ECE866B39DF3
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Microsoft.Expression.Interactions</name>.. </assembly>.. <members>.. <member name="T:Microsoft.Expression.Interactivity.Core.ActionCommand">.. <summary>.. A basic implementation of ICommand that wraps a method that takes no parameters or a method that takes one parameter... </summary>.. </member>.. <member name="M:Microsoft.Expression.Interactivity.Core.ActionCommand.#ctor(System.Action)">.. <summary>.. Initializes a new instance of the <see cref="T:Microsoft.Expression.Interactivity.Core.ActionCommand"/> class... </summary>.. <param name="action">The action.</param>.. <remarks>Use this constructor to provide an action that ignores the ICommand parameter.</remarks>.. </member>.. <member name="M:Microsoft.Expression.Interactivity.Core.ActionCommand.#ctor(System.Action{System.Object})">.. <s
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):146200
                        Entropy (8bit):6.131962488593054
                        Encrypted:false
                        SSDEEP:3072:iCPmFPD950+dzR1decbMn5TX55r4j2cMK:jPmVDz0+d05T
                        MD5:62E302B316CF2CC7E582EBA1077E0370
                        SHA1:521913D97A40B5ACBC81807DCD35679937C3F4CD
                        SHA-256:C400AE108B59CC0365DAE062E404FD64F48959D89C37A01F83FAF9EE69A4E512
                        SHA-512:C3E2F6A99D7703063C5F31231CF3731A75CE029E04A66D91D9BBAC6D252417FD08E4AA1113C6CB60361D514D3961D6DA4E26C7D30E2DCB67B1A79EE0A4C394A0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Microsoft Roslyn C# debugging symbols version 1.0
                        Category:dropped
                        Size (bytes):52032
                        Entropy (8bit):5.334600855320652
                        Encrypted:false
                        SSDEEP:768:Ho05puXM/mr0or4TKzkhq5WGneTfAp+A5cgWpORyUtAOHpZfDvdorxU5HMRI0xgm:1JWL4w2WtAOJFl4nkrvq3
                        MD5:5C23C6B85B1BF45EB8B2B36014C24D87
                        SHA1:EBFF7B739F015EB024A7FA3F947A39E02DC70E31
                        SHA-256:FB216DDB86BD1E6053BF8BAD8E67557E2922D56D83B913197142C872907BC79A
                        SHA-512:5BCE36466755B173512D9EBA3172B5194F9FE548E11718850DD4C239134729344CB00976A70E398AA5BA048AEAC64331E4A23F0E48272455C93530B95987D11B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with very long lines (389), with CRLF line terminators
                        Category:dropped
                        Size (bytes):139226
                        Entropy (8bit):4.53900325821367
                        Encrypted:false
                        SSDEEP:1536:+ZyjUyXsNaimE+YRwUxLvgLTGztxKG4E+pJ1as8a2G6vEG+GlGgLPgJRBy8nm0lr:F9gk/BUB0fYSt3Bl
                        MD5:83A73589D5705D3A890253A6F8C140EB
                        SHA1:27C092DBB481D0207FB160098BB4B43FB0D6E126
                        SHA-256:0672969B6ADF9FC6D56873FF17FC8F45E9FEBC2FD6E997B19D5CB7EF2546DB70
                        SHA-512:A18A29FDF055E2507A6BD2837FF1D9B6E9A0486B315C786FC86B49DC2229B8B167A7D103FB16EF342916324A08DF0EDCAEEAA2BFD0F4FF8862C63572C9AD371B
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Microsoft.Xaml.Behaviors</name>.. </assembly>.. <members>.. <member name="T:Microsoft.Xaml.Behaviors.AttachableCollection`1">.. <summary>.. Represents a collection of IAttachedObject with a shared AssociatedObject and provides change notifications to its contents when that AssociatedObject changes... </summary>.. </member>.. <member name="P:Microsoft.Xaml.Behaviors.AttachableCollection`1.AssociatedObject">.. <summary>.. The object on which the collection is hosted... </summary>.. </member>.. <member name="M:Microsoft.Xaml.Behaviors.AttachableCollection`1.#ctor">.. <summary>.. Initializes a new instance of the <see cref="T:Microsoft.Xaml.Behaviors.AttachableCollection`1"/> class... </summary>.. <remarks>Internal, because this should not be inherited outside this assembly.</remark
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1434
                        Entropy (8bit):4.900941090644329
                        Encrypted:false
                        SSDEEP:24:JdNQjY8jsLoKaQe1W04pyaMMW04FzMSMpbP3KabFx2ldnD2cc/Or:3b8jbgpXMzFzMSMdvClJ7r
                        MD5:5DD8A1A04E3B8E2CF8D8D0CA563A08F5
                        SHA1:DD79976E4FB6D7799B83EF26569C0FF433662FF3
                        SHA-256:8687718C6EB351CEFFBE09395A5F565790E4F784DA2A4464DC411960FD3BC99A
                        SHA-512:8B472C76E9D4DD97775B72211D4C54A5A552CF60055B6A4F139EE224E6B483898D3607646FA285850DC2A990DDCCF84F71E6DCCF0B33D70F6E13009B0BEA233C
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. autoReload="true".. throwExceptions="false">.... <variable name="appName" value="ScreenBeam Conference" />.... <targets async="true">.. <target xsi:type="File".. name="default".. layout="${longdate} - ${level:uppercase=true}: ${message}${onexception:${newline}EXCEPTION\: ${exception:format=ToString}}".. fileName="${specialfolder:LocalApplicationData}\${appName}\Logs\${appName}_${shortdate}.log".. keepFileOpen="false".. archiveFileName="${specialfolder:LocalApplicationData}\${appName}\Logs\${appName}_${shortdate}.{##}.log".. archiveNumbering="Sequence".. archiveEvery="Day".. maxArchiveFiles="30".. />.... <target name="debugger".. xsi:type="Debugger".. layout="${longdate} - ${level:upperc
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):888600
                        Entropy (8bit):6.070769026837723
                        Encrypted:false
                        SSDEEP:12288:J1g1a9wdGNA9qQmDocTrP5rs3ekNuquwKUYaDyUsQW:J1g1a9wdGNA9qQco+rh0uqvKUYamUsQW
                        MD5:E2561144AC9673C7F994F3958122F96A
                        SHA1:308EB4D730603E8C044A1F594BC9B65AF8D9894A
                        SHA-256:3AC10089DE33F40998F150EC12AD7F382B3E4ED57F2B7B9915B4EFF20780720F
                        SHA-512:A78491473902B4545CC191E4F6A2A2FBA85DFD5B17FEDB4C20C08BAB7FF58BF1C802BC4AC9939CFA954833DA03CFA55205A538C21345985688F2B79C78E1C9CE
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with very long lines (385), with CRLF line terminators
                        Category:dropped
                        Size (bytes):1661000
                        Entropy (8bit):4.576713883814205
                        Encrypted:false
                        SSDEEP:6144:3bDXjSkDsv6ZrgFOG3We13QixCx8ZaRIHp8TEKcQonqDhIrMBc+6z+beoX:PH15e8EKH
                        MD5:CA532230EDE750DC11C7E26C521F382F
                        SHA1:F8DB7F7BF3C5A7B68CAA072D79064EFC52F66ABC
                        SHA-256:0840395F0EF1BFF0746895255C19AF38E7775D3C316892E94C6514E834E3BFB5
                        SHA-512:5025B6EE3E9C56D902435D209C75A3A6A873B489656B0E42BDBCCEEE8F3B083A1F06B74AE436552E00CCEE0C1D0D6726408FECF2A68091B442E44EBC79B80929
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>NLog</name>.. </assembly>.. <members>.. <member name="T:JetBrains.Annotations.CanBeNullAttribute">.. <summary>.. Indicates that the value of the marked element could be <c>null</c> sometimes,.. so the check for <c>null</c> is necessary before its usage... </summary>.. <example><code>.. [CanBeNull] object Test() => null;.. .. void UseTest() {.. var p = Test();.. var s = p.ToString(); // Warning: Possible 'System.NullReferenceException'.. }.. </code></example>.. </member>.. <member name="T:JetBrains.Annotations.NotNullAttribute">.. <summary>.. Indicates that the value of the marked element could never be <c>null</c>... </summary>.. <example><code>.. [NotNull] object Foo() {.. return null; // Warning: P
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):704792
                        Entropy (8bit):5.954760610188248
                        Encrypted:false
                        SSDEEP:12288:B9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3:B8m657w6ZBLmkitKqBCjC0PDgM5
                        MD5:A251E2074BD974340EEFDC21A1B983BA
                        SHA1:613748B5250FFC1B80A54EEE76B64B6D5E1B2A8C
                        SHA-256:25504D1A90DB5E3BD6751C43714FE3AEF1CC7747ADA07F01049AC6E83E066480
                        SHA-512:C7C6B5A72E45EF405F2E0D4F12F6B9E17E4CA4C103C1E469B2048B1A4575D4923245D1B205D88C66394B2F36597F9CA05C1075262040749BC7AD2E79809BD80C
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):710224
                        Entropy (8bit):4.632813781023419
                        Encrypted:false
                        SSDEEP:6144:XqqUmk/RikeaG0rH3jGHdl0/InHHpgVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QA:DUq
                        MD5:F414B3F68FE7C4F094B8FE8382F858C9
                        SHA1:66EE1B3266FCEDDE433B392156AB4A24262B2F34
                        SHA-256:2D46B37B086D6848AF5F021D2D7A40581CE78AADD8EE39D309AEE4771A0EECCF
                        SHA-512:19B2FEB40C2E9D4D20D9A21F88F6ECEA773060C056B8CBBD21A6EEC41486DC5FC101E6C31129B0D53466D04709BCD4ED777058DDFB02532242B43E253A7B24BD
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):56088
                        Entropy (8bit):6.323161692791659
                        Encrypted:false
                        SSDEEP:1536:okCPMBRD49uC70Ky9xbLwLJ7ElKntU7QIx:oPMz4s9xbLwN7ElKntUM
                        MD5:7835DA1858C3BD8F18A6762849152F85
                        SHA1:EF293F18A0D488112D0820B387E902672A799D5E
                        SHA-256:9FC0D9AA69FBDE1F9AE9637E31EA487700EEFAAE16A01D90B62DA202419AEE28
                        SHA-512:D37607482EAA513F6F5132D0FE67665A1DF8285CB905319B57A2E4F2733F770DB6F392CD8FD5D61818B76DE9B313138D29296C81D060678387CB44F46BE3A714
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):189
                        Entropy (8bit):4.986033023891149
                        Encrypted:false
                        SSDEEP:3:JLWMNHU8LdgCzMvHcIMOofMuQVQDURAmIRMNHjFHr0lUfEyhTRGOGFvREBAW4QIT:JiMVBdTMkIGMfVJ7VJdfEyFRzSJuAW4p
                        MD5:9DBAD5517B46F41DBB0D8780B20AB87E
                        SHA1:EF6AEF0B1EA5D01B6E088A8BF2F429773C04BA5E
                        SHA-256:47E5A0F101AF4151D7F13D2D6BFA9B847D5B5E4A98D1F4674B7C015772746CDF
                        SHA-512:43825F5C26C54E1FC5BFFCCE30CAAD1449A28C0C9A9432E9CE17D255F8BF6057C1A1002D9471E5B654AB1DE08FB6EABF96302CDB3E0FB4B63BA0FF186E903BE8
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />.. </startup>..</configuration>
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*259 bytes
                        Category:dropped
                        Size (bytes):132608
                        Entropy (8bit):3.7367234561117266
                        Encrypted:false
                        SSDEEP:768:L+Z2ZTTM1ldA+TnAGrpqOF052IeUfQV5kGgv1s5zM6265QCuhdgl9gKfU0dSsJfA:ZfQ7Eds5zM6F5cfg8EU0dSsxNfQ8IsY
                        MD5:5DAAA783F426B37DB9254F6063054D6F
                        SHA1:7756681B5C157B1503EE8E576DF7B94B0C5D30A5
                        SHA-256:5B78D9816A463FBDFF8F0B7E6D0F8AB206C0EE5437049DB88BBE09CEFA648CE7
                        SHA-512:389C3F11A8A0FC4178EB99BC3DA0BCFCD75B2540688C50434B396FA34F043D3FFB91B63D8B997ABC9F8AA309D7387ED58A3C3046447DCBABB76384D1D53D1E15
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):55576
                        Entropy (8bit):6.461396281270018
                        Encrypted:false
                        SSDEEP:1536:Y9pnyoDi7S/Z5MCS8gDWNEwXGyPsFyYiZ7QFx:Y9NyoDiO/Z5MCQDMB2yPpYiZM
                        MD5:89D7667DFE530B84EC8525E5D29A1274
                        SHA1:51757A768B68667D57EEE033C481F4DC42E0E180
                        SHA-256:C4C83D2CD53714BC9D05D67D29D999B30A0B79B7F7369BA29D796D2CDDC6BC6D
                        SHA-512:0E1504806C6F2B951B7E7DA369F5F749EBF9E07393FE19B6ACE78668A49635176077BDE5C1D24DF8CA982A2AC5B3BC6C18EBE8664AAB4C4C6D688BFDC75E59F4
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*75 bytes
                        Category:dropped
                        Size (bytes):38400
                        Entropy (8bit):3.097681309335531
                        Encrypted:false
                        SSDEEP:384:CwFyFr8sKK8PuuN/qtMfrdAU8sKH8Pu1dL:CwFyFr8sKpPua/xdR8sKcPu1d
                        MD5:EE633CA4D9B35855BBE69FE010669F1D
                        SHA1:174460DC05E7272F4D7EED7457067849E60DB4F4
                        SHA-256:F3F3104207128C7DC15F0CFD00A3F7A0E4DCE8C3F3AF49EC34D8B4797CEE9E4C
                        SHA-512:9EAEF0A16F144CEC11B0BDE9297C6BE994A4E2BC9CF5C266B913E5F21CE613B2B1034E7C29001B84971B42B3CE2B316288534625898CF36ED3E3F9E975010FEA
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):148760
                        Entropy (8bit):6.3112655496294146
                        Encrypted:false
                        SSDEEP:3072:mGylXBUxOPJLYTwTupuYRzBgW4suS9fUsicKlCO6wnVvH5hWQIcYVbxVMb4M+0:/yITRpuszBgWuSwZhWDx1Sg0
                        MD5:6A0DD3334956D963E07AC926CE79FF17
                        SHA1:78B48F281AE632556B21916ECE01054992A42A1C
                        SHA-256:AB3C2F0D8A426D9DB257CCFE41D18F29F3CBF7494BE77FA76412CFA284A9B387
                        SHA-512:C9585BF01C27B4658CB810D53D5A757392B59EB8806384F84BE4F2452FCCF0696CEDBEE15AE724DEAEB363597874E6207E5709FF0F4C16C3D25DA8181E20CC93
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*603 bytes
                        Category:dropped
                        Size (bytes):308736
                        Entropy (8bit):3.8262086050978015
                        Encrypted:false
                        SSDEEP:3072:4WQbfwD6V/47LcvvnzUcGvqvm9V8LgH+Ivqvm9V8LP:4WIfwGV/eLcXnzUrqvm9V5H+wqvm9V2
                        MD5:4B656C3E177BFEDFE9049D6D74758837
                        SHA1:4DBAE14EDF09ADF522B41178414532EEE28DD429
                        SHA-256:769758D4BC8E3AFA81ED56D427E0239B66A1B7B8C4919A52DF39AD3C62306009
                        SHA-512:CDA70B5B0FC0285A2AC55C8421DE8E9888045F7E55B33B560953583D74C3193EE1EBACE1306D2F9543A04AC8EB17F4EDF38E2947B510F9BF0BCDC9570F0D9699
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):48920
                        Entropy (8bit):6.125020161270827
                        Encrypted:false
                        SSDEEP:768:Z4yhv8fqk6HrbN63C4rmPZvfZmcUWcm+9dT2snd3wDYiQ7AMxkEi4:3FRZf/85wD7Q7x9
                        MD5:C3B73D8037A54A9278F1C57BD4D0D30B
                        SHA1:68342C8E32980C6E66656975612692BADCEB9C6C
                        SHA-256:6416D55EB1FF1038FEAD883D0218AAF86121864D839A19721745DC948C6B8554
                        SHA-512:A066F345AA435482D66D75954A80CA14AB812516143692A2ABB331E496E453166E2364A6AE1487962AA87651530917569125C32F5FA720C7A3689B433F971BA9
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*287 bytes
                        Category:dropped
                        Size (bytes):146944
                        Entropy (8bit):3.7902276258653957
                        Encrypted:false
                        SSDEEP:1536:9fLv4i06+dm9GDIEPabRijzVGY8o5oEOhifrIEx5oEOh:5XCUEZVatThdE8Th
                        MD5:42E55BB9138A8AD19838E7F4A2057F20
                        SHA1:8398755E3092D0C0FBC37AC66DA40CCB98D286E2
                        SHA-256:9C8D881E88E6EFF0ACF5A5C749371FA3FFAB30CFA22024987D6143A878589BCF
                        SHA-512:50E4B1AA50E159B4B43B9474B50647E636E3D6DD1F3568344CCA5A7218363CC15A7208850D1179CB8024901245B049FB7D70CC53890E1E1D3EAE9B876E99F2E2
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):4067096
                        Entropy (8bit):7.989751832423046
                        Encrypted:false
                        SSDEEP:98304:7V4iE7vmfvf2PYzrm5zwXHq+Ze3y0+/yooKLrE84z8XojnHeYX7:7V4i73DC58Xoi0gyozPE84z8YDt
                        MD5:7F4AD7C523B6499229A3D933D5114028
                        SHA1:09AA0DBA05E4D728B5AE841F0CDEA30B88E6763D
                        SHA-256:F0AE528C79B8501133F1AA2DF22645DA15AD3BEFE4F6D45EB22BD76BAAF3BF24
                        SHA-512:D32847A438E71397EF880843E83632625ABD8579A4E5E4825C15F6BE375C6A534884C0489D169D356BD43DBA3E0EE03C6B0B35A7CE2A43ACE97A265D37B0BF2B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):933
                        Entropy (8bit):5.0355202174457405
                        Encrypted:false
                        SSDEEP:24:JdErnJM9zsfFgCJsPuAHGPF7NruH2/+Y9y:3ErnJM9zs6Gyumu7Yg+Yw
                        MD5:552EC6CC1F2349624ED0015E3B765A98
                        SHA1:B95938B153783194DBC664D4AB4C60FF5C350B7D
                        SHA-256:A793490AC3AF49279521B305B3C5C9B9A2A8EF6D1A684BA228E4B68E9A7B5C5F
                        SHA-512:6567E66701E5CA16897D40C53BE5E3415A021E70D75D8593AE9D6AB5BD265A09DE8973DFCA3AEEE7BAD0E09275732BA835B7D87A84EE7DA0C8EA4522A989418E
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />.. </startup>.. <system.serviceModel>.. <client>.... <endpoint name="NetTcpEndpoint" address="net.tcp://localhost:16669/Service" binding="netTcpBinding" contract="SBConference.Common.IService" />.... </client>.... <diagnostics>.. <messageLogging logEntireMessage="true".. logMessagesAtTransportLevel="true" />.. </diagnostics>-->.... </system.serviceModel>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.3.0" newVersion="4.1.3.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*251 bytes
                        Category:dropped
                        Size (bytes):128512
                        Entropy (8bit):3.9446456181394685
                        Encrypted:false
                        SSDEEP:768:bdEKENVTmV18AzjLCierdAiYWgi421cLld2SNPcOnXUwu+fV7lZETvTrXNVTmV1e:CkUk97l+TrX91U
                        MD5:19359948F96E202829BC83E46C35F7F2
                        SHA1:9956C7C60C3B3635394ACDB04D07A33048E091FA
                        SHA-256:899459C447699163E01FC0BFB8AB345929FEECB808693A2634E1E8EBADF806EE
                        SHA-512:ECB06C0AF7DBB71C9A338FEA300283759D680C5B2383DA3D55238C63B662F936741CDA8BA1340C73B44C92C856DE7963F2BC1AF0D005D6957922C3843FECDD15
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):160536
                        Entropy (8bit):6.28088817705701
                        Encrypted:false
                        SSDEEP:1536:2K9VX2/egy/giIRVFmXeMlGEs94P6MLrUPBBuOpKUsnj80T+EaDnsPPxbTp8fnTo:2KDXEeFc7KeMlGEsBPsUWq/jFYelgZM
                        MD5:457D520EC2C367B901BDA2D22A6664EF
                        SHA1:04B319A27300D23B6EFB52EA6568C3F7CEC05722
                        SHA-256:EFFDAF7EE9423796B7DBD02083CC301F460489F7FD013EA106FA8E7ABD02CADC
                        SHA-512:02AE2262AC7BE946D8163916668A2B8D7DC70AF24E625368950BE4EC37431ACA9A3B71B3AADA713BD062D863BBF577E41978D2693980CF22DF72990C38B45A78
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):349464
                        Entropy (8bit):5.894829651221559
                        Encrypted:false
                        SSDEEP:6144:QjqoeIm08rQRRaTPNKr6hwAdQ7qKCJdj5c:QjqoeImLrH9hJc
                        MD5:1EDC905E838D76951AFCC7B4B4C31AF6
                        SHA1:43F01A0A226FF26346118AA476A31E236AE962F1
                        SHA-256:CFF37E42E79A01DEB07ABD09196F5774746A7D42BCCCACCE909267030601AB15
                        SHA-512:1A8FF5E30A3320D3571D2F8FB51CAF52995B54F3D44E25DC7837CE24B7DBBD168791042828D827BF348F06DC9BDD5E7B5FE4A884B3CF99B0CEF038677EE4BA1A
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):226072
                        Entropy (8bit):5.65506765234442
                        Encrypted:false
                        SSDEEP:3072:7RpzojglcletW1yZLJ80UOEgS8DOnL6dCZrGxamas0Ank/uy1WWZjUjY1xC/BytQ:t1BE5L6xy1WWZjUj4e
                        MD5:69FE2CCDA0BD2F553AA7CC595EA83C5C
                        SHA1:9692F391A014B44B272AE94C4CBE692465B43ECE
                        SHA-256:2284BFA82AAD189B30518BF78E9221E3B38D1BF2C689B9FA864863051AED0D04
                        SHA-512:A7C28F6FB764BC7AB1955F5C6207BF3D72D02DD9A8265E5733DF39E31CF855931B9A8D7FC9733E55918895433519EE42E5803DC9AACE727ECED960407224CCBC
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):567064
                        Entropy (8bit):5.7867112796764735
                        Encrypted:false
                        SSDEEP:6144:X6gB96kgNEh+jVLm7SVTZ+YS5dXnuqhciIgluGvSfTaDuc:XSDEhum+F45dXEiDuc
                        MD5:17728DA4B8E76DE47760C8268DD51B16
                        SHA1:2F1FD38617D7D89CDAF043F43D2571B75E2CDDB7
                        SHA-256:DFB1E8BE0F32EFDBBC8457D5DFC7DB49D3B76D45595DFDF31F8942C38FEEF1D6
                        SHA-512:9220D2B562E2FCEF3A69452FCB397E6CCC9F78ADC5365BA2A7957D3129F24D034AAFD1A2BBBE7C3203E159FC0BF086C62BDF7FF9D243E8BF7605E5B4F0A7DEDA
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):281880
                        Entropy (8bit):6.1790402071438315
                        Encrypted:false
                        SSDEEP:3072:MNGAHSuAfn0xDI+enjgpjgAvZgDlq514bA383R5QAfSgaZoqej16x3aG37B6Hy7O:NAyOEkfBgDlq/M3rQMSN2d1Wqo/Il
                        MD5:A7E5673F2EA694EAA5A666F1A3B406F7
                        SHA1:F79C3473E0F6B936159B3DB25AD6E58D35C39430
                        SHA-256:DF1823FB80B410957142413F5932E4C71EBD8A480C1F4F7B2F10D26B603D98E6
                        SHA-512:CD72D2EDC143C09963324780508C1D553F3C334C34D6F276C6CBFB3A9ADE1BB567A88D51CF9A04F978A6721472E9DA163B0748B974E253B6ABEEC9FFA891AE5E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):64280
                        Entropy (8bit):6.289684742162814
                        Encrypted:false
                        SSDEEP:1536:1Ye5uO+LcqmQWE1EwULYFaue+7nF107Q7xE:1l5u7A5EeUaunJ10M
                        MD5:82890B43546D2952C9167C1BA6F75368
                        SHA1:5F07BAAC0F8E628EBCC5ECBF1BFD6DD92E8549DB
                        SHA-256:2C59CFDE98C3B0F0AD4E071E1F52AA259F9502808FB8E5B9DD4120F1D3B6AAD9
                        SHA-512:52546642E9BC7FE655BECF369623000E958520605976ADE180F565AA5998295A2F7116F8C6CACACD4DDE88FE4F7F4716A885932703A32DF1AE53FD1EA5600DF1
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):189
                        Entropy (8bit):4.986033023891149
                        Encrypted:false
                        SSDEEP:3:JLWMNHU8LdgCzMvHcIMOofMuQVQDURAmIRMNHjFHr0lUfEyhTRGOGFvREBAW4QIT:JiMVBdTMkIGMfVJ7VJdfEyFRzSJuAW4p
                        MD5:9DBAD5517B46F41DBB0D8780B20AB87E
                        SHA1:EF6AEF0B1EA5D01B6E088A8BF2F429773C04BA5E
                        SHA-256:47E5A0F101AF4151D7F13D2D6BFA9B847D5B5E4A98D1F4674B7C015772746CDF
                        SHA-512:43825F5C26C54E1FC5BFFCCE30CAAD1449A28C0C9A9432E9CE17D255F8BF6057C1A1002D9471E5B654AB1DE08FB6EABF96302CDB3E0FB4B63BA0FF186E903BE8
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />.. </startup>..</configuration>
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*295 bytes
                        Category:dropped
                        Size (bytes):151040
                        Entropy (8bit):3.7625146843055375
                        Encrypted:false
                        SSDEEP:1536:pFQdS3gVUDit2w2eflHwUr3MiyjCdG7GVV4kDA6Ziy0lYkDA:pFQdAitn2qwUr3p7VV4kDAZLlYkDA
                        MD5:3ADD5FDC896B38683C251DA1AD6128BC
                        SHA1:588FD99903588E38A11AC532754DB1946AFA76E3
                        SHA-256:696334D3707F55432B4BEC3A43DC23D9BEB9E994D4D1D9B40CAACEBFF8B68FE3
                        SHA-512:A1405D66AD8AFB2946800D7573EF601C86B3FDC50DD0879693AADF1ABDC465962B066B3AE6B8E3319A78643B685D2FE94A86B5C368DEA6646878407D2818912D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):759576
                        Entropy (8bit):6.352367517201184
                        Encrypted:false
                        SSDEEP:12288:GjyerCn3SG4tGFGU+NzJHomqU6V1jnQxZdlCG3pFb6KtXX2nrfSNT6v2q6wT:+rCn3S0GfNzP76V1jnQxZdlCG3pFb6Ka
                        MD5:080B18CB50B1146E98E5BC8BF274BE1A
                        SHA1:279BA9E266CAE30F426A4650749CD8CB72887FED
                        SHA-256:883DC0E0192BB39F6BACBF7B2AD04B23CF03CBA7DF766964E9067C0DB35F262F
                        SHA-512:CD61B2E0A540D97F34287AB77E76FA574E1730D5970F7C25BC9899EA5F23AAD8DD9D879151239FC74BE38497A590954B305E7B5C6EC041C1CF0D250464648FB4
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (621), with CRLF line terminators
                        Category:dropped
                        Size (bytes):168793
                        Entropy (8bit):4.530149376990327
                        Encrypted:false
                        SSDEEP:1536:ReWZtlVd41Oqi0H1Oqi02Vx5cnJ1OqinzP48Y4Q26ga68xFdJLyuipkyhg1+e1pl:AWHZ5QZ8T6gsJLyuiyyhwTpCN/24K
                        MD5:7AEE18F5FD135B525FEEC66BB2AED5D3
                        SHA1:2B6C577F4AD8C5BFD704394AEB7F2C056E3FB21F
                        SHA-256:882E2B07E327779A7C917ACA4B2B22D8F8D1F55B79BD8576418F980FB9770179
                        SHA-512:F4DFE5DCA00A9504F0EE9ABCEC03AC334901400BED6411C9FEA7891DBCA2EA7F7E92B43620C83A36984B4A2CDDBBB77170CD23BF2149B2B842E7D7BAC76359C5
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Svg</name>.. </assembly>.. <members>.. <member name="T:Svg.SvgCircle">.. <summary>.. An SVG element to render circles to the document... </summary>.. </member>.. <member name="P:Svg.SvgCircle.Center">.. <summary>.. Gets the center point of the circle... </summary>.. <value>The center.</value>.. </member>.. <member name="M:Svg.SvgCircle.Path(Svg.ISvgRenderer)">.. <summary>.. Gets the <see cref="T:System.Drawing.Drawing2D.GraphicsPath"/> representing this element... </summary>.. </member>.. <member name="M:Svg.SvgCircle.Render(Svg.ISvgRenderer)">.. <summary>.. Renders the circle using the specified <see cref="T:Svg.ISvgRenderer"/> object... </summary>.. <param name="renderer">The renderer object.</param>.. </member>.
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):22296
                        Entropy (8bit):6.662640854850192
                        Encrypted:false
                        SSDEEP:384:+ICREYcfpyXOT9Z7a6WmYWXVIYiQ3qgAM+o/8E9VF0NyxR5b:+IiE9QXM1cYiQNAMxkEbb
                        MD5:353D0759D1634133082AB13DD7E3D86C
                        SHA1:468F91340A7243C1611B8B7FDAFAB3693A5183E9
                        SHA-256:6308107F723373784ACB23EF0E7DDCD8A49F33CDF23BB4C87C0A8C77FBE2E4F9
                        SHA-512:78EBB691CBDC4BC179EBD811255F3555688A28F28CA7553B57284D8CF39CDB6CBE93DA4E3EC6F30981A597CD91E05A54ADF1E27ECD1538A283773BF5CBAFC083
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (634), with CRLF line terminators
                        Category:dropped
                        Size (bytes):3195
                        Entropy (8bit):4.750160458439205
                        Encrypted:false
                        SSDEEP:48:3iRtamCGLiVMgLGTKLG0LG8hLGRpWG79NmGM9TLGoA96cmgKxnGu7gMcXFFfYK8L:ySm9iVHAKv3hQt9Y9TXAixbewKXHSH
                        MD5:0C727C6CF7E10FB85310C46EC17AC47F
                        SHA1:F7C922B32655DA2732CDF9E980DAD7337EA87D5E
                        SHA-256:5047E342F6E3860E8B37B77207D5E10C5007E07692777EB504D0CED628DA022C
                        SHA-512:32D95683A8AE55E0EAA6A6C401B01E1ED50389C2382EDBDD05A59A39AFE78FB8BB10E49FF4696AAF702B98AEE0A2AC4857EA330AE133AAFEAAC3B514EFBE2EA4
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8"?><span>..<doc>.. <assembly>.. <name>System.Buffers</name>.. </assembly>.. <members>.. <member name="T:System.Buffers.ArrayPool`1">.. <summary>Provides a resource pool that enables reusing instances of type <see cref="T[]"></see>.</summary>.. <typeparam name="T">The type of the objects that are in the resource pool.</typeparam>.. </member>.. <member name="M:System.Buffers.ArrayPool`1.#ctor">.. <summary>Initializes a new instance of the <see cref="ArrayPool{T}"></see> class.</summary>.. </member>.. <member name="M:System.Buffers.ArrayPool`1.Create">.. <summary>Creates a new instance of the <see cref="ArrayPool{T}"></see> class.</summary>.. <returns>A new instance of the <see cref="ArrayPool{T}"></see> class.</returns>.. </member>.. <member name="M:System.Buffers.ArrayPool`1.Create(System.Int32,System.Int32)">.. <summary>Creates a new instance of the <see cref="ArrayPool{T}"></see> class using
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):143128
                        Entropy (8bit):6.161219718760204
                        Encrypted:false
                        SSDEEP:1536:Ixi8ae06y7Q0kSutmvEmFk0pBa/+h8k/6kY2F8xB0dhqABtx5yoG9QI7Qhxh:w0vDkSutmhFpYqtDqAhjMQIMB
                        MD5:C96449FF5C9F0CF0695878CA7387DAFE
                        SHA1:0E0F20888F3502859475F10CBFF0C3E0375B1C7A
                        SHA-256:B3235C92C2601E879D83FB6524265B9A8F3A13021DE9D610260570CFB2907811
                        SHA-512:5EBDC3AF19D5E87899CE214F827211E9062E4B42D025051150F93937F2E2EBA528A4B9BAA3F4EBCD38CFC96D492A528BF39E6B8AFB671316CCCC83761B5671B3
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):13950
                        Entropy (8bit):4.749162715500682
                        Encrypted:false
                        SSDEEP:192:19SSrAVfjSE0wxiMiLiLiXdCjticiciAiJiziPNjNei5i9zhi+ipOUTJ:1gbXKKXppPmcPi6LmJ
                        MD5:ADD19745A43B2515280CE24671863114
                        SHA1:CF44E6557FDE93288FF2567A002A69279965CABA
                        SHA-256:D5714C96607EB1A9D0F90F57CA194D8A9C3EDE0656A1D1F461E78B209F054813
                        SHA-512:8D7E564FA61411B5C28F29B07855DD112687EDCB39B991803C7C7DE67B6894B309102AC9B52409B56B7BB5C9101EB4CDFB21FCFBF5D835E4A153E188CB97CC87
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8"?><doc>.. <assembly>.. <name>System.Memory</name>.. </assembly>.. <members>.. <member name="T:System.Span`1">.. <typeparam name="T"></typeparam>.. </member>.. <member name="M:System.Span`1.#ctor(`0[])">.. <param name="array"></param>.. </member>.. <member name="M:System.Span`1.#ctor(System.Void*,System.Int32)">.. <param name="pointer"></param>.. <param name="length"></param>.. </member>.. <member name="M:System.Span`1.#ctor(`0[],System.Int32)">.. <param name="array"></param>.. <param name="start"></param>.. </member>.. <member name="M:System.Span`1.#ctor(`0[],System.Int32,System.Int32)">.. <param name="array"></param>.. <param name="start"></param>.. <param name="length"></param>.. </member>.. <member name="M:System.Span`1.Clear">.. .. </member>.. <member name="M:System.Span`1.CopyTo(System.Span{`0})">.. <param name="destination"></param>.. </mem
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):110360
                        Entropy (8bit):5.472132056009666
                        Encrypted:false
                        SSDEEP:1536:8pKSyD3hoE3PQU9xb1iPKHKWU//6hE2rkQQ67QhxI:/SyLhZ/X9xb1YKqn/unQ6Mo
                        MD5:D384D0B8E99C0FFCECEB470B7F4D1653
                        SHA1:BA0DBF776D8F05BF79573399617CEF6D69F6A804
                        SHA-256:06652E2AD4485D6D77719B97D594E5058ED18C8F0514F58F7CE1A8178CF1226E
                        SHA-512:11E83087EE5CC4D70136EB8DE2C31A2C4185D8507D4F3DA69600BEF900840F1630652EED9B61A3C52EA3CD72588051EF0088243F79054A5CD9F4B021EE18B12D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (640), with CRLF line terminators
                        Category:dropped
                        Size (bytes):183543
                        Entropy (8bit):4.784775080568946
                        Encrypted:false
                        SSDEEP:1536:9zlgmfTCpKdUqMGFYBlF8Yza2HbyJtJZJ9JaGN4AscoqrbuCeBqaiaIacasa7c12:9zhfTD227fX1HKg1agk
                        MD5:A556041FB2F0F8ACFB89FCE08A9DE8F0
                        SHA1:E2A3B3ACB380A4EB626B44FF6EE04A37110A3389
                        SHA-256:996E11F72E5BB4F58B080CCAF94C325F8CABB175070DDE109516A5069ED17708
                        SHA-512:116D6C3C98E0CC70718A7B0CE38826FDE8EF00CFE9A8D00C721BC1BF2297F39A5B256143BA6568A87BC6D0506D53A3BAE12B7899655454536DEC13AC455B2A17
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8"?><span>..<doc>.. <assembly>.. <name>System.Numerics.Vectors</name>.. </assembly>.. <members>.. <member name="T:System.Numerics.Matrix3x2">.. <summary>Represents a 3x2 matrix.</summary>.. </member>.. <member name="M:System.Numerics.Matrix3x2.#ctor(System.Single,System.Single,System.Single,System.Single,System.Single,System.Single)">.. <summary>Creates a 3x2 matrix from the specified components.</summary>.. <param name="m11">The value to assign to the first element in the first row.</param>.. <param name="m12">The value to assign to the second element in the first row.</param>.. <param name="m21">The value to assign to the first element in the second row.</param>.. <param name="m22">The value to assign to the second element in the second row.</param>.. <param name="m31">The value to assign to the first element in the third row.</param>.. <param name="m32">The value to assign to the second eleme
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):18200
                        Entropy (8bit):6.647217440333779
                        Encrypted:false
                        SSDEEP:384:6qTO1PdhW1YWxv2IYiQ39WiIAM+o/8E9VF0Nyg0:6q6PSzDYiQFIAMxkEx
                        MD5:6B00510842A2BCF0127FB0974A271B44
                        SHA1:E8DBDEF1A5D1925A9781B41E63E313E8421EE2F9
                        SHA-256:509537FDC26623938EA150F3AA0DAD8EAB9C9627F6D99D3A2ED5DA75AB5F5E0E
                        SHA-512:DC0460BDE36773F5960EA4C1EF05CFCE5036D05AB2D735174C138584FCFEBD5A1A53DA062931AFFC307DEF4C35CAC675644BF4ADF8416AEC6F3EEABC10BD22D4
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):14080
                        Entropy (8bit):4.739717678047703
                        Encrypted:false
                        SSDEEP:384:1/uXuAB8fmAc26yQew6griJriurt8rtTpkE+EDJOgOha/MU:1/A3WfmAc2rQew6griJriurt8rtTpkEX
                        MD5:26CD9E7E8A62BB97CACE4E4AC16987A0
                        SHA1:E705414BE72B4866BC3AD02B9529656014C63CB1
                        SHA-256:63E32EBB4B26C25F65DDF26B5FA9D7147A9C8B45DF355DB90AC706AFEC980036
                        SHA-512:AEF9CF14E85D954E86B7C9A3AB35398DE0E1EE97A6CE383F82BCE789DCB2355C8AB781007F88B2D5E8F94D2E4CF940319FE0BF746E937F600F8425CA885973CD
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8"?><doc>.. <assembly>.. <name>System.Runtime.CompilerServices.Unsafe</name>.. </assembly>.. <members>.. <member name="T:System.Runtime.CompilerServices.Unsafe">.. <summary>Contains generic, low-level functionality for manipulating pointers.</summary>.. </member>.. <member name="M:System.Runtime.CompilerServices.Unsafe.Add``1(``0@,System.Int32)">.. <summary>Adds an element offset to the given reference.</summary>.. <param name="source">The reference to add the offset to.</param>.. <param name="elementOffset">The offset to add.</param>.. <typeparam name="T">The type of reference.</typeparam>.. <returns>A new reference that reflects the addition of offset to pointer.</returns>.. </member>.. <member name="M:System.Runtime.CompilerServices.Unsafe.Add``1(``0@,System.IntPtr)">.. <summary>Adds an element offset to the given reference.</summary>.. <param name="source">The reference to add the offs
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):22808
                        Entropy (8bit):6.59534348354375
                        Encrypted:false
                        SSDEEP:384:oB9g5l+A3VVdCRdtOfd7TCUBQ4BX8JZa6Si5HsOgrE2WGCWLIYiQ3I4ERoAM+o/L:U9g5HVVX12fsOgrE+QYiQRECAMxkEqq
                        MD5:2ADF0CCB5C5CBE3A07D78EA0EA5F2917
                        SHA1:3F8FEC82E1484DF9BC97BBD690C836EDB0D9071B
                        SHA-256:B5BF96A26ADDED26BC15842A2B152FD56B2693B9CEB52BB623E4330A0AE9C311
                        SHA-512:364D52AC2897D7A53B344A5E2B981ED10E4817CDED462F4731D6AEE2B174073FA7ACF853556104045DCB3B9281A28AB680103EFCBDD4454A9F4304E52884E08F
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (541), with CRLF line terminators
                        Category:dropped
                        Size (bytes):76981
                        Entropy (8bit):4.819464476297391
                        Encrypted:false
                        SSDEEP:384:YNa7Vx5ughg2y1eEics/2cLtU+61hYg45bmZiNjcAjdKvj59znKSe5+YjTjljcKZ:YHeEUZtgsccITKSFYjxcKSskiKS1
                        MD5:3A4E05CD88971CC7988F3179977192CA
                        SHA1:C0F796775FB852E6F9F75AB70846EE49619D9988
                        SHA-256:576D49F78CEDFC37A7F7452EA7519EBF690642EBB87D01AC777605FFDBC648B0
                        SHA-512:4E649FE654160B8D2595927CB215F078E1D97EE5B1D366D0651743E143DD990867FFB3E6C69AC19AFEF0D75C9B8B28E36977AAA4D64C5FFD24B0037B04828479
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<doc>.. <assembly>.. <name>System.Runtime.WindowsRuntime</name>.. </assembly>.. <members>.. <member name="T:System.WindowsRuntimeSystemExtensions">.. <summary>Provides extension methods for converting between tasks and Windows Runtime asynchronous actions and operations. </summary>.. </member>.. <member name="M:System.WindowsRuntimeSystemExtensions.AsAsyncAction(System.Threading.Tasks.Task)">.. <summary>Returns a Windows Runtime asynchronous action that represents a started task. </summary>.. <returns>A Windows.Foundation.IAsyncAction instance that represents the started task. </returns>.. <param name="source">The started task. </param>.. <exception cref="T:System.ArgumentNullException">.. <paramref name="source" /> is null. </exception>.. <exception cref="T:System.InvalidOperationException">.. <paramref name="source" /> is an unstarted task. </exception>.. </member>.. <member na
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):19736
                        Entropy (8bit):6.538394494082158
                        Encrypted:false
                        SSDEEP:384:4yPa16oAL4D+wW9IWmDIW4IWYDfIYiQ3fhciAM+o/8E9VF0Nya:4Ws6oqDjADKeDgYiQpciAMxkE
                        MD5:7B19D9ACFE966D1C3318690945C85E6B
                        SHA1:485EA9F801F1A273C81A573ED1EEE9315E817BF8
                        SHA-256:0462A2FAEF5195194FA15788C4E82147D007ED3EACA8E201D0AB553987C86151
                        SHA-512:C11AA8DEE1972A32012ECF7964AE3CDD6A4F9057EF7423B77E8C96A7B840656F984B4212697D878AC6D357755C2F817CBFF5429C795656A64CEAAE9D888B4890
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):142
                        Entropy (8bit):4.391770241438592
                        Encrypted:false
                        SSDEEP:3:vFWWMNHUz6GbC/0tFFNu7WRtLz3hAbS9/FFNrGMH/xtgGM8Xby:TMV06GbSWVVR+SXNffgp8Xby
                        MD5:B6E60687AE5DB6D011E21E6993620745
                        SHA1:B117C6BBDDC72E7F4B590173992EE17BFDDE4BE1
                        SHA-256:C37E163FA76629C196460C7B4D54E95B1A46A4C66AB7B6F3311959C8137DC5F1
                        SHA-512:709212B6CB36F57B92A82DEF810F9C075A91B3E6A5FD330DCFB563D94A320783509441347D63BDE97F530C6B10CE6AA769CA11F7FC39ACF1B25D5C8F9DCBB389
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>System.ValueTuple</name>.. </assembly>.. <members>.. </members>..</doc>..
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):50456
                        Entropy (8bit):6.213144783587278
                        Encrypted:false
                        SSDEEP:1536:B3wBccZdxuB8mQen6JxKjrlMZgR0Eon7Q7x2:NcHmQPUknM0
                        MD5:32179F31DEA928CC6E1C89803560B7F0
                        SHA1:4A0339F44605FE14DB312ABE0891B38B7C734F09
                        SHA-256:EF2D27F1403875B46B2DC34E38054EF631A5D1F574068E4F98428ABA731D9796
                        SHA-512:B3F52CBF53A54F57BB6F1ACB7487733BD49BDDBF2CB6BABE9DC2C2410947382C6DB2707B2447DFA05CF8B4A2B1E6E424750C0F1B50F6AABDF6D0BA06AA3F471B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):62128
                        Entropy (8bit):4.529932548825407
                        Encrypted:false
                        SSDEEP:1536:2y80yatyXMOX0lrNyzEYIFu8cKy5BYAeu:MsY
                        MD5:F70AEFF5A0E73BBA854A66ED6F0F5340
                        SHA1:5669C580408931021A39CFE0563771CBED623670
                        SHA-256:9608C07302EFF914A866DC5D416A8816FE9B28DF62EDF6D9C28F79A0236824F4
                        SHA-512:95B076A38E3F320CC16F4AE31FB76CFE3FC378A7EB33ECE9F1FA83D7281CBA72D8BBCBADE2C1476793351B0C19CE8851A192FD42E3E3554402011E9FDC024BE7
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>System.Windows.Interactivity</name>.. </assembly>.. <members>.. <member name="T:System.Windows.Interactivity.AttachableCollection`1">.. <summary>.. Represents a collection of IAttachedObject with a shared AssociatedObject and provides change notifications to its contents when that AssociatedObject changes... </summary>.. </member>.. <member name="T:System.Windows.Interactivity.IAttachedObject">.. <summary>.. An interface for an object that can be attached to another object... </summary>.. </member>.. <member name="M:System.Windows.Interactivity.IAttachedObject.Attach(System.Windows.DependencyObject)">.. <summary>.. Attaches to the specified object... </summary>.. <param name="dependencyObject">The object to attach to.</param>.. </member>.. <member name="M:System.Wi
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):24064
                        Entropy (8bit):5.436377150873873
                        Encrypted:false
                        SSDEEP:384:nOeNiCPJ8d//4CMSKtmVbFhFMTuzO3zoVOgvevU3+uARkArvLU8Wyt:/x8d/i49z7cgWvwARkwvLU8
                        MD5:D0854E8DB0D1AFBDAB9CEDB8464561A7
                        SHA1:7550E1257E2D243AC0A12439D2A55C74718753D4
                        SHA-256:363DC1FDC0C50618C9049F87BF6E2C6EB9D9CE4AC08960373BF778EF854D78AD
                        SHA-512:CAF5CB38121FE12A560CEBE4E1AC3266AEFB3C7AB0635EFF26D1AB7DE8CD349F52CB8F9FD4F8E05CF6E496FF07083961881517298FF80A07691B22EF2B317A3D
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):5773312
                        Entropy (8bit):5.68640191645299
                        Encrypted:false
                        SSDEEP:49152:OVINVwJzGKybK12T5yb9ksyZWPsADcn0XjOTQVm8fGwoAIMHFqG:/NVwJzVSs+Wp4xyD
                        MD5:2B71864142900544334292C45C9A9A21
                        SHA1:763865F2163F8B3A294BB156D1E36B9E73A9EBAB
                        SHA-256:94687C2812CD4B0DF1F93C3D083BAA730CAB07E9D9C3931FA6557C808BCEF49B
                        SHA-512:DD73C7832A2B43774D18A83AC08CEE5A6F7D76F870A98A344B3FDD1DE61CD9B7362D31009F443592F138EFFB9ED7CDD9E4F8A7282C699B7AF3F434ABE74F215E
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):174080
                        Entropy (8bit):4.838714488862786
                        Encrypted:false
                        SSDEEP:1536:BXlu9HOsrxLLC581nfkhTf85SfD/8E8pMyF2fIK2E3ZMrf/GXTdXg7A/w:b41x7v54sMyov2+Mrf/GXKA
                        MD5:6AEB1C3E0470912D776EF79DC180AEF6
                        SHA1:C35A83124548142B7AF868166EEB9B9A8DEDCA03
                        SHA-256:249D4EBDCB399002F7B6DCB50384AD0DF3AB6A7CF7087161EDA4E43052128E6D
                        SHA-512:3AA0D6D8BFB0788353A85E5C0F88B0D0B0CD80F200C78932D8BD4FCF0711EF6577F9C3F4036BB88A4EC7BCF58ED2C4A48FC003324B47A0FAB51E2A1B73436DE4
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):103704
                        Entropy (8bit):6.2832691309787005
                        Encrypted:false
                        SSDEEP:1536:JZGfW5mvu8DC4AiyZAZIJjAgyzjeIcKNVT7VuWCbwt2Ezl7Qfx:JZGfNu8DyZAZwWtpVT7VVdgYlM
                        MD5:E559F688AA11FB55311073A2ACA3CE3F
                        SHA1:FDC560C5126929207E27902AA760060D4C54AAD6
                        SHA-256:AF38C7A93172B379545260FC8CE61D82AF7ABAEC6106C2B53903C0B4FD5BF69F
                        SHA-512:106FA1F33C86369EEF17AAFB7D53F8528618C4795708866788378BA462146DFA9A1EA68FAD8462291BC3DC5E40B0DCBF21D3932C81BE547C2B3C7F5DACD0C5F0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Microsoft Roslyn C# debugging symbols version 1.0
                        Category:dropped
                        Size (bytes):28012
                        Entropy (8bit):5.07766090155697
                        Encrypted:false
                        SSDEEP:384:UnhIrxUN3RhP+UVpi+L2P2lxX2rzELJRDXPn1F4da24Ui0o92d2zPSuWaK9cww0H:txwnPJL5JL4Dih9KWK9cww0oUZ
                        MD5:9F580CA88DB263A3BDB75D40EE88C8B8
                        SHA1:73F47B6B2A04525C8DA776A746933EE8F02E3845
                        SHA-256:E0387871E704D9402196F786ED697F87FB63267BDCB142829E02CC1C3F548275
                        SHA-512:2839625305CF2375C281C60E86694263AF151F5CDA311624C019A76207543B1A1E9AB91C5D70AB50A151DA52BEEC7225D887C5AA748E4B964271CB8F63C9B681
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):10752
                        Entropy (8bit):4.756472052670044
                        Encrypted:false
                        SSDEEP:192:MGzDcHtDpvhpzcPWg3TUHfBo+6IhF0DY2ACkVtW/lRODhQkBp3ySNUt4LUTsVB6j:M3HtDpvhpz03TafBo+6IhF0DY2ACkVlk
                        MD5:742FAA100BAC5ED77490CC84EDC1F7CD
                        SHA1:A9EAEFC888393EBE225D185943C8F96CD76D6CCB
                        SHA-256:63DF6824DC2E3B89E9EC6B715C3003A5897B0D9922DA5C15E89C7C775076D819
                        SHA-512:8744657359041C78161E3CC51497D26A30E1C46F5222764EC1376EBAC0E9602F98B7E7E7B94047F4F3CEC320A6726B352386AF2B4AA704AE4D9788C3EAAAFACC
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):11264
                        Entropy (8bit):4.611224181752981
                        Encrypted:false
                        SSDEEP:192:xN1vttjc+uAS57xu3e5auZJWzE4idhleNjqi4oqTJVnt1JhRw0BVVIr:xbvH0uzE4UhYjqi4/d/RPBMr
                        MD5:66589C67C2BA410602D83574F6369527
                        SHA1:327F7E07C5088DD15EE9C27EFAC4B9C1E1C49632
                        SHA-256:8AEF6E5C455EB7780A3F01D1E16B4B1990980817FF54BB6A13FF556A7CDF2B98
                        SHA-512:1FB3DBD6E37D9658AFAA1493889D80D36B414A54BF49629BE8EAF32BD1821ED52326C84DFE1C565688F513841391B9A65E12913DAAEF25E1D190862A218E9491
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):39192
                        Entropy (8bit):5.11094796126397
                        Encrypted:false
                        SSDEEP:768:p+ZpbHSTTUa8x+qvvIojhSYiQ8dWAMxkERW:p+Zpb8T2x+CvS7QKkx9W
                        MD5:D44CD9DD109EDDEB4826012AD5B256AC
                        SHA1:74E2D2775BC09341EEDDC1E28BEE5C87240820B9
                        SHA-256:6E6081C20C02B8AA3658891F3A27D93CF0E82CAD6BE8D9EEFF7D73D1E53C8614
                        SHA-512:6880277739F71058EE3362FA7C666600B72F97A8814DAC92B3B13C9845E53BCAC531327E6D9D03FA4F801A80FE4BBAD76303DA5DDA0B223D20BA8D45995AAA13
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:JSON data
                        Category:dropped
                        Size (bytes):389
                        Entropy (8bit):4.731905128310357
                        Encrypted:false
                        SSDEEP:12:UYZI36ofqq2NpJXRRdNpVBfHU/iKz6J7z:UYS9qDNrXZNaTzon
                        MD5:5F8CB8F1EC254CD5617741E89BC7569A
                        SHA1:818A4674AF8BC1713B37CE0A28EAFB14EE6CC29F
                        SHA-256:3A3B2CD2FFB3C5554D4828EB695B00AD5E7D1B2EC99D2FD2D10C19BD01AA50D0
                        SHA-512:A919EDF9765384F2FC4567F1F1DC34E10B63109EC6748E969BA8D50B86809909CB0F87846E9A6005477C32122D2B8DE4A7EFEB1F1CBABE09ED84B654E5BCB028
                        Malicious:false
                        Preview:{.. "General": {.. "MinimizeUponConnection": false,.. "RunOnStartUp": false,.. "ShowTutortialUponConnection": true.. },.. "Conference": {.. "ConnectByomAutomatically": false,.. "UseInRoomMicrophoneAutomatically": false,.. "IsStreamingFhdVideo": true.. },.. "Test": {.. "IsEnableEchoCancelling": false.. },.. "Misc": {.. "IsShowOnNextDisconnect": true.. }..}
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1435
                        Entropy (8bit):5.168514160976156
                        Encrypted:false
                        SSDEEP:24:CBc6mGOPDSgJaX7Blu7BW7BFXli/3g/EuzU/OVdEisHROVyOpX:0VgQX7Blu7BW7BFXg3g/EhAXnx
                        MD5:9A11812CD3236C4E308130B537534745
                        SHA1:26C6225474A25FB9C644CF78D4A7CB87D1E04AA2
                        SHA-256:7CBF8C34EBF0318B37AA0ED06FA51BBB07F1F8C2BF4C1B07CAFE733A5D6E58DB
                        SHA-512:5BCB6FD583828941F95B267742A82CCA602ADABF36D775F850D50336296EB6144FA1E7BAF29E3A3D9ED043A6BD7A605B1E1650C8D2EBC60F253057293D42C512
                        Malicious:false
                        Preview:@echo off....setlocal....set "DriverInfFile=vacscbkd.inf"..set "DeviceHwId=ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5"..set "DeviceInstId=Root\{aafa5613-1d56-4309-9c3a-c3911d766be5}\0000"....set Mode=....if /i "%1" == "install" set Mode=install..if /i "%1" == "remove" set Mode=remove....if "%Mode%" == "" (.... echo Parameter 1 must be "install" or "remove".. pause.. exit /b 1....)....if /i "%PROCESSOR_ARCHITECTURE%" == "x86" (.... set ProcDir=x86....) else if /i "%PROCESSOR_ARCHITECTURE%" == "AMD64" (.... set ProcDir=x64....) else (.... echo Unsupported architechture %PROCESSOR_ARCHITECTURE%.. pause.. exit /b 1....)....for /f "tokens=2 delims=[]" %%S in ('ver') do (.... for /f "tokens=2-5 delims=. " %%A in ("%%S") do (.... set /a Ver1=%%A.. set /a Ver2=%%B.. set /a Ver3=%%C.. rem set /a Ver4=%%D.... )....)....set InfFileSfx=....if %Ver1% LEQ 6 set InfFileSfx=6x....for %%F in ("%DriverInfFile%") do set DriverInfFile=%%~nF%InfFileSfx%%%~xF....if "%M
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):11466
                        Entropy (8bit):7.156043451841546
                        Encrypted:false
                        SSDEEP:192:f+nOiAfy+mtbJCwOngEw9JPgXkhYCbYp80Hy5qnajWSu703oQ:2JvbrquLh3bYpslIA39
                        MD5:5FAA07BCF94E9633F2AE5E688C7EA6A3
                        SHA1:ACBD43137133162385D73970445ED89258EEC687
                        SHA-256:F4E28994F1A986261BBAE5838F75E52642A5C70E50D28990E250769548B25D97
                        SHA-512:1BD7E45A0B3611A8297D49F8D70A2D46ED07BDD5B003796F90D78B9A4FCE8BD14DD088DC7CADB8ED41F0C21DFA8D372AAB2A291D875262DD16B343A106C35424
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Windows setup INFormation
                        Category:dropped
                        Size (bytes):2927
                        Entropy (8bit):5.065256670569242
                        Encrypted:false
                        SSDEEP:48:fzlab2Qb2ncb25AMPHwuTHYH9ewl9P8uPtS+iSFEY0dPFi+8PBDx:LtNnhZSkFwPBt
                        MD5:E5EDB842967CD25E6B490ED05764A2AD
                        SHA1:F4EACF18194D422B203904A058FD21A6A456F2B8
                        SHA-256:041B83489E80678F5571825B0D0F9BB310F51658C7ACA4AC068CBB07B5EE16FF
                        SHA-512:B1AB11A0A10DC1985AD510A4D873181BB28ECEECF414A255A8E895FB3B2BA72A232C0B54F4A71F26CE33CDDEAEBC999B522808F7DFA6CF3ED2BA0B4534C53BC0
                        Malicious:false
                        Preview:[Version]....Signature = "$WINDOWS NT$"..Class = MEDIA..Provider = %VendorName%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 06/28/2021, 4.65.3.11864..CatalogFile = vacscbkd.cat........[Manufacturer]....%VendorName% = DevSection, NTx86, NTamd64........[DevSection.NTx86]....%DeviceName% = DevInst, %HardwareId%........[DevSection.NTamd64]....%DeviceName% = DevInst, %HardwareId%........[DevInst.NT]....Include = ks.inf, wdmaudio.inf..Needs = KS.Registration, WDMAUDIO.Registration..CopyFiles = DevInst.DriverModules..AddReg = DevInst.AddReg..AddProperty = DevInst.Properties........;#####################################################################..;..; Services..; ========..;..;#####################################################################........[DevInst.NT.Services]....AddService = %ServiceId%, 0x2, SrvInstSection........[SrvInstSection]....DisplayName = %ServiceName%..ServiceType = %SERVICE_KERNEL_DRIVER%..StartType = %SERVICE_DEMAND_START%..ErrorControl = %
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):12070
                        Entropy (8bit):7.445862467348569
                        Encrypted:false
                        SSDEEP:192:Ctm9UMQVMeKazCKVHGzex+0bUVEVFJ84kcGNq4/C+Q3ISVSWMZMQ3Gr:CNMQJK2CKVjd4VEVFJ8ZcGwGBk7/UMQC
                        MD5:D9A4012E567137C10A49105EEB869A7C
                        SHA1:C04F6D600714465CC8BB341B76DC6B54235DF1AF
                        SHA-256:BCA872DAC035899B85BF2603EFCC3B991273BD318958669B288481558BBF639E
                        SHA-512:FBAADB1F872EB6829A07A593C5BDE7E5EC92EDE1E5BEC1BE560E3A3A81766E7BF0401CDF1761DF927705FF2414438CD8948767D7B73AC5A9B817361611351D11
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Windows setup INFormation
                        Category:dropped
                        Size (bytes):2929
                        Entropy (8bit):5.067041406210606
                        Encrypted:false
                        SSDEEP:48:fzlob2Qb2ncb25AMPHwuTHYH9ewl9P8uPtS+iSFEY0dPFi+8PBDx:LzNnhZSkFwPBt
                        MD5:6212516D36440F07C9243B71676D20FE
                        SHA1:70AF4C343A34E12EF0BB27578986B47CB2244886
                        SHA-256:74B1946B6D24BB98433C0ED840E96A0D2E6256EDC77F6F5ED8F1A32AB4F2B923
                        SHA-512:AF1C53DF4B53F7E5E0B980EB03C4FE2E03DB75413C92AA09369BA66CE3BB2586241259119E8CF2E0BFFCC8CDD7DDA8DE00979DBA6EFE040115DB943C68B752CE
                        Malicious:false
                        Preview:[Version]....Signature = "$WINDOWS NT$"..Class = MEDIA..Provider = %VendorName%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 06/28/2021, 4.65.3.11864..CatalogFile = vacscbkd6x.cat........[Manufacturer]....%VendorName% = DevSection, NTx86, NTamd64........[DevSection.NTx86]....%DeviceName% = DevInst, %HardwareId%........[DevSection.NTamd64]....%DeviceName% = DevInst, %HardwareId%........[DevInst.NT]....Include = ks.inf, wdmaudio.inf..Needs = KS.Registration, WDMAUDIO.Registration..CopyFiles = DevInst.DriverModules..AddReg = DevInst.AddReg..AddProperty = DevInst.Properties........;#####################################################################..;..; Services..; ========..;..;#####################################################################........[DevInst.NT.Services]....AddService = %ServiceId%, 0x2, SrvInstSection........[SrvInstSection]....DisplayName = %ServiceName%..ServiceType = %SERVICE_KERNEL_DRIVER%..StartType = %SERVICE_DEMAND_START%..ErrorControl =
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):159256
                        Entropy (8bit):5.095731794917183
                        Encrypted:false
                        SSDEEP:3072:q3e0hSHF6Kh0CDfaWEfp7lmpIitRlPxJCTO:0h1C0XWEf1lmBx
                        MD5:C739572A81F02471F60598D5439B36C8
                        SHA1:527CA671114B9DAFAD2888E251DDA19447E7FD48
                        SHA-256:AE745B0D02A48D4AE286C962C7431CDA85996C920649B4F7DEB6EE0DAE94298A
                        SHA-512:C27442140CA63CB43AF991E47F2CFB5FCDBB5738340BEFBEBF96FB8B5B4D1E13E26D4A3A0102A5C40D9EA5D3BFC728AC3F4198BED5592BC7746119C7DEC6DDBF
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (native) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):210968
                        Entropy (8bit):5.616528067156737
                        Encrypted:false
                        SSDEEP:3072:bwgplQDijxOrw3gPBA4nJPuneHoTx8ddqy6u7dGxYs7iBz:RpODMOMUnInD+CtusSz
                        MD5:963E174D5F1AC1E4773D3B42D92DD4B4
                        SHA1:A6A045AEF56C670C3B5E6801C69B93E9EAF13B69
                        SHA-256:9093C10A10F1019BB24506C417AE178CFE81BF890337DF753A7ADB2B24DD74D0
                        SHA-512:39B7D6CF123032B593C1B3AA6A88E5B3C4301EA1135D96F21F66DDE964DD5D72D5C44F0C91C5378B32851B53D70A27C79F45A5D8834EB1EFB4ADC863CD012A11
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):143896
                        Entropy (8bit):5.183132927402597
                        Encrypted:false
                        SSDEEP:3072:8oVk8cejy3zGDq9CwW5t1pNwLxZHCIdVO:I8+DQZwLxFC
                        MD5:CA8DC992F8F4EEEAB22E518C11993C93
                        SHA1:BADEAC70BCC6AAE812EFE2D5C21FD7A2DA1710EC
                        SHA-256:E8720BB51C825626C5F3CB184123A8F2CBA2B27408AC7E3624501A42EA18EA98
                        SHA-512:80BE89F148753B29ADF5D5AE9D122CF9953192E4C84CC6A9471CD312E1C6A8B3759156FB602843AF15672BE596F24A133DC19B15893DD3C08A64E7BAD32014B9
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):178192
                        Entropy (8bit):5.70956700996967
                        Encrypted:false
                        SSDEEP:3072:221LC++3tKrQesPZVJe2H5u3bJWllFYoDSo2R/UHKnVwmo3m:H+MrQeOwJQFyo6UHKnVO3m
                        MD5:72408521FCA0A5A39FC102C5AC66E362
                        SHA1:B4BD8388DAC3E7970B2BF2E9F305E8802CB81856
                        SHA-256:4FE88E24FA50D5870BCBAB4DBE70ADA6B280682FA17DAB008610465DDA4D58E7
                        SHA-512:A6FC2BC20A3E8DF7BB31A6D3CBC0CEE4869E9179DCC5D78600C2893F24C5936226F4AAE863FBC3A83537B4C69BA1A26BDFB1239D365C741C9E59B4C1EF911536
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):31144
                        Entropy (8bit):6.45005930112513
                        Encrypted:false
                        SSDEEP:768:0mnmSRBRQWj2jdkYpCMmzydjmNsc2pSTVEV3GPkj3UZ:HB7QKFGjmNsLITOEMK
                        MD5:5F85D1A6148263FA5B0F68368840E644
                        SHA1:890EF23C2592441AEEE5E54EDA628E25215F67B6
                        SHA-256:E7DACEF5ECC8289199FFFCFB6859EA6BC308C602DAA24684BCB3D6D9FDF9919C
                        SHA-512:7E491C0CC3EC1682D41BFB76C4FC10473F1D9F800BA7519C1DD1AFD8186DDD845ECCDE87F170A545A27D80AF4BA6AA2FA8FBD07D34256D2D7E54696CCA8BD091
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):28584
                        Entropy (8bit):6.610450236402353
                        Encrypted:false
                        SSDEEP:384:+CgU5TxIr4qwCedA/u2EnHvs1vJMQJK2CKV48VEVFJ8ZcGwGBk7/UMQ3W:+QFI0qwCedB/HvsA2pxVEV3GPkjf
                        MD5:10992B9F2436DE3DDF8B2E0AFD1040A0
                        SHA1:C9EFA7BADB2B1ABEB84586F47512F1649D8E8CF0
                        SHA-256:C5F1F14908488AA50D0584B1432386A838AA94117B7E16C1545FB158B1425522
                        SHA-512:18F9EE23094D2356ED0736D2DA05CA6B2D6C8F1E562194A6431A4453456A0C4C7A0E6A9A09786C9ED8F44144BAC2BDDDD908F087F174B4054FCE1F1B916CE5E3
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                        Category:dropped
                        Size (bytes):96092
                        Entropy (8bit):5.125892289083072
                        Encrypted:false
                        SSDEEP:768:qsgbCfsZDFVc0P8ad2o1x3osI1vNjlvcwAZ3V2mN6y+DR7I7QQoNXtBxXYco9XFm:qs+ZD/yIIAZwrbE0
                        MD5:3A84C8EADA945F4F7F041BC4BCD49F11
                        SHA1:F50F5FA1589371F29C4B195EFCB82D2DC2DFE18B
                        SHA-256:B83EE69EEA4EF9D0DB9E1A5214BFEF7295776BB1B6E007ECC021BAFF401032DF
                        SHA-512:C1C7F5B176CCB574B2C67F8ABA63ABC7212ED592C35C45603AAEC6761176AF129691C9467A1DF8D86EEAFEF650335CC997686A024901BFFCA001CC7A2C186E57
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):18712
                        Entropy (8bit):6.7672893224094395
                        Encrypted:false
                        SSDEEP:384:yTrw7JCe+uOEGK4nghz4lIYiQ3YxrQAM+o/8E9VF0NybDLFK:g8FH+OJYiQtAMxkEi
                        MD5:327260A6280E98B5C3D9F797F7DEE9E7
                        SHA1:F9939EAD00E6B4A56A331DA9F15920196453522B
                        SHA-256:D651625EA9DC45486FB3543D3897D10776F14C8CA3998DA0033D2BF3DCBEE2A9
                        SHA-512:C2AC9882446F8172C9FFBC52F28D92AFAFA3864847CD70D478A70E33DCA505A4740BDE1C7059D1244901C081F270F79F1F4319C2690BBA7C8D3F2C21D198C7A1
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.851590797215865
                        Encrypted:false
                        SSDEEP:384:yN9VWhX3WBIYiQ3Xn2AM+o/8E9VF0NyVz:yG7YiQn2AMxkET
                        MD5:EB7290DF2D1B7C7C7A172D41A5614DFF
                        SHA1:EEB7EE077130F88D18016EA0D165EDA5F3D49297
                        SHA-256:A8CE5080F3B7C8F95F6AEDDCF7AB236DB15560B0A22AFD35E28642BF00479141
                        SHA-512:9126B433292EBED3428FC7FC6B270206FE3B808D2F8A6A7292D00D9F3452FEF38A353FC1C43A63CBAE72B103B32ABCEB355112FC839D36BDA3756AA9CA82D835
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1470
                        Entropy (8bit):4.90143896769124
                        Encrypted:false
                        SSDEEP:24:JdNQjY88lsfEoKaQe1W04pyaMMW04FzMSMpbP3KabFx2ldnD2cc/Or:3b8ewngpXMzFzMSMdvClJ7r
                        MD5:0ECA7C05DCB6880312350E079D1CDA3E
                        SHA1:EFFC35AB59077DC1885443C5BB1FDE798CBBBEAC
                        SHA-256:497C6FD5714049D34FDA34066F2B877D5CA5EBEEC2CE956821055BEF29187C47
                        SHA-512:1E21B44F85DD65EEB273BA2DB2C2827F87D99B588293ECA5493D4647ECE0C1A968E0CAF2DECD289C32CB068458A7F95F125B4CF687EDA31AB84B568B4AED6E11
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. globalThreshold="On".. autoReload="true".. throwExceptions="false">.... <variable name="appName" value="ScreenBeam Conference Service" />.... <targets async="true">.. <target xsi:type="File".. name="default".. layout="${longdate} - ${level:uppercase=true}: ${message}${onexception:${newline}EXCEPTION\: ${exception:format=ToString}}".. fileName="${specialfolder:LocalApplicationData}\${appName}\Logs\${appName}_${shortdate}.log".. keepFileOpen="false".. archiveFileName="${specialfolder:LocalApplicationData}\${appName}\Logs\${appName}_${shortdate}.{##}.log".. archiveNumbering="Sequence".. archiveEvery="Day".. maxArchiveFiles="30".. />.... <target name="debugger".. xsi:type="Debugger"..
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):877336
                        Entropy (8bit):6.063787902054547
                        Encrypted:false
                        SSDEEP:12288:L9RFbNhtvN5FtwfJH1h1S3sg6U/qxurzEZWgb4s6swKbUsQB:L9RFbNhtvN5FtwfHHUwRL96sw6UsQB
                        MD5:A7F47B6CC98FAC742BB8D6B7C9E623F4
                        SHA1:E2AC85BE6C58ABD4E861E1A0AE99DCC2F4A574FA
                        SHA-256:D8A166D7FA974AF4670D053C7D1A1D3D2D6945DB31B0A0A4ACF0477EE86A68EF
                        SHA-512:060449AF59B0C6393567BC674951FE53448AAC5F04782FB01ADB71467E60363522DBF081BA11E4C11A1AD477C328CD38EEB73479FFB65825852E73757779BA65
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with very long lines (385), with CRLF line terminators
                        Category:dropped
                        Size (bytes):1645140
                        Entropy (8bit):4.575621274286417
                        Encrypted:false
                        SSDEEP:6144:3bDXjSkpsv6ZrgFFG3WeA32lxC78ZaRIHp8TEKcQonqDhIrMBc+6z+beKX:PJe5eyEKT
                        MD5:33F4C5EAE89E721F97931787B2CC53ED
                        SHA1:A94DF5F3B256C2871D75443777A2EF13F5442D73
                        SHA-256:5F67CA9E5B26279BF3E52F4DDDCE531E819633163A82E6811FFCE1725369963F
                        SHA-512:CAC58C2E0BB42029F40E4DC16ED8EA02C54B686370D15F75A24894FE82DA61041B61B01A5312974D1BDFAE58FEDD1B452FDBA4DFE2970CACF8D5753BB4F42556
                        Malicious:false
                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>NLog</name>.. </assembly>.. <members>.. <member name="T:JetBrains.Annotations.CanBeNullAttribute">.. <summary>.. Indicates that the value of the marked element could be <c>null</c> sometimes,.. so the check for <c>null</c> is necessary before its usage... </summary>.. <example><code>.. [CanBeNull] object Test() => null;.. .. void UseTest() {.. var p = Test();.. var s = p.ToString(); // Warning: Possible 'System.NullReferenceException'.. }.. </code></example>.. </member>.. <member name="T:JetBrains.Annotations.NotNullAttribute">.. <summary>.. Indicates that the value of the marked element could never be <c>null</c>... </summary>.. <example><code>.. [NotNull] object Foo() {.. return null; // Warning: P
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):55064
                        Entropy (8bit):6.500133971589238
                        Encrypted:false
                        SSDEEP:1536:ou90jPoaa5+WLpcCAE8xDEccjEtXX8PsFvDYK57Q5xs:ou90jPo2cpcCALDza8sPYYK5MU
                        MD5:CC416B8CDE8FD94865AAFE0C9D113D93
                        SHA1:195E8A7B66210DED7611CC0A87509679A3FECE27
                        SHA-256:04DE045E29B13226B75DE0124264DF26383B6934A13DA9503ACC16B0BB40CF5F
                        SHA-512:EE87C8790EA8F78BF5D413846FD15632520C3EF5C3C336A8590A79B9767980E9FBA728A56C930A25EC844D16B5B8ABF1A07774D56F987831ED216774C4FA13A3
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*75 bytes
                        Category:dropped
                        Size (bytes):38400
                        Entropy (8bit):3.097681309335531
                        Encrypted:false
                        SSDEEP:384:CwFyFr8sKK8PuuN/qtMfrdAU8sKH8Pu1dL:CwFyFr8sKpPua/xdR8sKcPu1d
                        MD5:EE633CA4D9B35855BBE69FE010669F1D
                        SHA1:174460DC05E7272F4D7EED7457067849E60DB4F4
                        SHA-256:F3F3104207128C7DC15F0CFD00A3F7A0E4DCE8C3F3AF49EC34D8B4797CEE9E4C
                        SHA-512:9EAEF0A16F144CEC11B0BDE9297C6BE994A4E2BC9CF5C266B913E5F21CE613B2B1034E7C29001B84971B42B3CE2B316288534625898CF36ED3E3F9E975010FEA
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):68376
                        Entropy (8bit):6.387542606847366
                        Encrypted:false
                        SSDEEP:1536:IOo5WT/1rfZLmXv3zSJ7QcGutgcdB86TBrkbq09xvx2JC7QDxuR:HT1QcecdWgBUvxACMYR
                        MD5:6ACC353286F2E092142A69E5023D1C65
                        SHA1:DF6725D1A5D2AA944B49E4370AB2E17DC8A8CF60
                        SHA-256:1EF69716710ABD22B3964689E0A4811F186CC46E470204B256864E0D1D117381
                        SHA-512:D4E42A0F8792DD18C4BFF9EC94D2284745831C957F35ACDB7E60A0A49FB7F076AD411E7C91727647B08C71F0348811E1DAFAAF83FA8501488E5DD60126296433
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):20025
                        Entropy (8bit):4.982975960150322
                        Encrypted:false
                        SSDEEP:96:hr4ojlKyuWEH+3HGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSL:hr4oB53mPUDCTHffI3
                        MD5:51761DEEA245E324DC8A3BD88B37C929
                        SHA1:70BEB9E6155395D90A96366BE1BA4B3FF49562A5
                        SHA-256:5B1A1ED1F20C95E0C5AE12DECAD909256F1247285290848F95D4425D4ACA317D
                        SHA-512:5F1EF64B9D8935DDB838AE9EC0A2CB6C5908B21A395135621DD7D0E82F02C6B6D0830F46B5073F92A6C59B67B0F3BCBE580405D00D21EC804D879BF79BBECFBA
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <system.serviceModel>.. <services>.. <service name="SBConference.Service.Service">.. <endpoint address="Service" binding="netTcpBinding" contract="SBConference.Common.IService" />.. <host>.. <baseAddresses>.. <add baseAddress="net.tcp://localhost:16669" />.. </baseAddresses>.. </host>.. </service>.. </services>.. <behaviors>.. <serviceBehaviors>.. <behavior>.. This should be false in production systems -->.. <serviceDebug includeExceptionDetailInFaults="true" />.. </behavior>.. </serviceBehaviors>.. </behaviors>.. <diagnostics>.. <messageLogging logEntireMessage="true".. logMessagesAtTransportLevel="true" />.. </diagnostics>-->.. </system.serviceModel>.. <system.diagnost
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*131 bytes
                        Category:dropped
                        Size (bytes):67072
                        Entropy (8bit):3.486225836795622
                        Encrypted:false
                        SSDEEP:768:ZpUCU7Rgu4iTcKPzBC6Jr+0ZOpj2oFcRgu4iTcK4cDF:kV7l+QOt2oFJiF
                        MD5:C547D45434E0F8F9112DBBDDAB020B38
                        SHA1:74681395C632E69B66DF2CFF0CD0B0828E936C09
                        SHA-256:6DAEF5CEBC27EA9779CB58250B4D5B36BAC74C04062E52B1638429D301DE2512
                        SHA-512:16F65DEE05733C3462B0D0A48F9C3A9E087A37189BE5E207F7C59826B36974CE873342F37721C711D3785A50C813DF3A664A4278B72213A6FEF5FE1D412F7F1E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.817217731848609
                        Encrypted:false
                        SSDEEP:384:LDNxWQFWAIYiQ3VAMAM+o/8E9VF0NyKSt7:LDNVSYiQGMAMxkEj7
                        MD5:5171A7A6E78FF818F4D036577C4C4398
                        SHA1:345BEDE97675A6A181C87B0AC03541F947D3156C
                        SHA-256:EF32F7BB1B9D51FD389875ADD7F68DC874B2EB2113DA5D70B39EE655726D99F1
                        SHA-512:1C5D8DA0BB23DACAFB77C35330B3CB6D8C4C222044DAE1F3FE663C9B5F910E2B8856D109ED78AD98A506FC4E9E883C4A4EA68DF72388F0839673E18C74FA04AD
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.913268006657271
                        Encrypted:false
                        SSDEEP:384:tm2igOWnW8rWeIYiQ3ekAM+o/8E9VF0NyL:1tSYiQXAMxkE
                        MD5:42F942E88007D67871A6EAEA3308BFAF
                        SHA1:40C9D0647E73E0C4ED16DAA284D8E1B4FBAA95CD
                        SHA-256:B2FDE812B4385148F90F195702B7A4315B1056C407BFBAC5B6D68B3744C50F7C
                        SHA-512:F8EE7FD8C371C310899FDD4A37DDCE473235779BC280793DB0FF49A99067B88EE6E51222AE1995EB92026BDFF5E9EDDD34F45A397C4756680C44F007A073B423
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.906537344562776
                        Encrypted:false
                        SSDEEP:384:qnapn1iwwPWcGW3IYiQ3I+AM+o/8E9VF0Ny6V1:5DugYiQZAMxkEm1
                        MD5:991B716982D04ACBCAF07AF26BAFAC2C
                        SHA1:B610D7900108B0B551FB9FB1358CD07160D09801
                        SHA-256:991C2A36EDC1055E10421A650697EABDAEA53435E2160C51032EB19F546D33E5
                        SHA-512:8AD67FDA59317E9D7EE65D2E5917C61D4F0E5FF43FFF4AAC5362FA38A0CBD31031D43A12A71B6F87786076BA27507F3BB0CDB26368D9D87181176D6EF555976E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.913351871711101
                        Encrypted:false
                        SSDEEP:384:aHLaEav5aaUa6arWVLWtIYiQ32dAM+o/8E9VF0NyAsJ:rPv5t/NO7YiQaAMxkEL
                        MD5:ECB9A03E70A45E6FF8185917D6611311
                        SHA1:F19F55AE97C7941E493F6ED3F100BE5BABA51247
                        SHA-256:9364EFD111A38480D2AD4B2035D62AB18FA0B983B3568BD7E42CD507354472C7
                        SHA-512:59E77CDE8D7131DEAF3A08CD93D0DDB53EA66680ED5798ADFDC1648C6CBB67A81CABC41C86D646533CEDFF2645B0E378255F5F670A4934970707866FAEB214D2
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.773508996551501
                        Encrypted:false
                        SSDEEP:384:76iIJq56dOuWSKeW4IYiQ3ftVAM+o/8E9VF0Nyub/:ZiAhYiQPvAMxkEI
                        MD5:DC67270BAC22558A98A74BCAABCF2885
                        SHA1:F89411FBD6A2720FC248B8816D7FE1313BE053D6
                        SHA-256:7DF0927C494B9777C1C33380572F1646D272AC4DC4B46D38DE8790C760466A81
                        SHA-512:01C600B7D12D974D5EEF61F3F971A368020BF9F2C29612AB582229E727D853F20DAD4ADF2D104EC729CAB4B220F0211669B41C0AA516B53BAFB39B58568EFD6E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.824196996084912
                        Encrypted:false
                        SSDEEP:384:cnzz+MpSaLWW0+WcIYiQ3Up3I9AM+o/8E9VF0Nyvg+y:qputYiQuIAMxkECP
                        MD5:0140B0C91D0BF5CBF78457948958205E
                        SHA1:415384DB2CB4DE08E3F2955FDB7890D568C561C7
                        SHA-256:FBC6671BC332B5D18CF65A6DDE0FC22513E14B71E82E4AAE90F67A79D2DB3B19
                        SHA-512:C7C478CDAE599B6FFEE8F71F2B7F396B86AE21ED0290913381B9EBEC33B46DC286A7BE1A8F8DFA1202484FF876C84F35A921E33122AAA295BDE562B35DA0C0ED
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.8709755846296225
                        Encrypted:false
                        SSDEEP:384:XGhr+YUfyHxsW/HWqIYiQ3QNzAM+o/8E9VF0Nyel3:0kmyYiQMAMxkE
                        MD5:488A979CC39C881828851B30286801E5
                        SHA1:ACA14E68E63ED690E8F38EF9FC1635583BB8EAB8
                        SHA-256:5A1AACDF07E861E5F7712CCC4A80138F91E333905D4B802E389D3C9579A723CD
                        SHA-512:88683F2DAB577CE5B1EED8C4EC452CAA16A41093186DDF7F49B717467BD4800A8DE5F8F956F3EBAE1D47AE7B75ED9228DC629377613E1FB969B6A30CFA22788A
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):17176
                        Entropy (8bit):6.801971113584305
                        Encrypted:false
                        SSDEEP:384:uRE+ruiA5vzWeNWsIYiQ3KLYPAM+o/8E9VF0NyxAGe:uS9beYiQyYPAMxkEEx
                        MD5:F28C9658F90B502F461A6C1079EFD3FE
                        SHA1:255556197C21D98F7CD167424BD3B902E697A697
                        SHA-256:4A66ADE0F0297E1AD33D89E07A621E00689C6F4B6E36F83FCE2B211D34FC4912
                        SHA-512:92C8962D6B12F9101517E7B28A994B3F15A24CF128A6CDB4D6B6965D9C318FF9E70E0763E26B8CDBAD770FBC2C1C5E46DB388B25C819AC2F156B0E0A02CA0B62
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.858786709703401
                        Encrypted:false
                        SSDEEP:384:+T+6ywnVvW0LWsIYiQ3fHHyAM+o/8E9VF0NyErD:+99QYiQ/HyAMxkECD
                        MD5:5EBAE08F76028A3484355C7D5DEE86AB
                        SHA1:DB6D6D286046989A613F2EAB8D4C7682584B162E
                        SHA-256:AE2A335A259F3A7C370B6B9262156D1C8A3A83A018302FB485A85E56F347F3A9
                        SHA-512:AE446BBEBC21EC0199E03C66E3094BAEC7697138F8E0C4D72CE413985A4220D5194F6091985FAAB581065D2F66AFA2166F0D2258FFF6A84D95653511CFA85FD5
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.855610146382851
                        Encrypted:false
                        SSDEEP:384:iRbzriaXT+WlEWbIYiQ3wAZ9oAM+o/8E9VF0Nyy1K:A7iciYiQlHoAMxkE4K
                        MD5:BCC56B13A9660020354B3C0B9987017F
                        SHA1:AC942502A39C80DCB6CFA108F9BDE8102ED624EF
                        SHA-256:0895BFEE9BFDC1464E326F538A438F8E5A3D98C284BA44930D71A3EC92F106DF
                        SHA-512:C37AAEBA5EA3C0AE505EF87B50F74301BB2EAFF1C5C276B823C8B79BF31DF125A6576239097A72E9E3254CA0668B3056D0FA4A9D83152F5549D5FD55921F9A54
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):148760
                        Entropy (8bit):5.423847205077098
                        Encrypted:false
                        SSDEEP:3072:fdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+PMd:x+2jv1x0ebezWiuw
                        MD5:1FC487CFA545925398DA92757AD3CA9F
                        SHA1:DE35C983126D3979C69AF83F8C80582894D215B2
                        SHA-256:8895C1A6965C8E3F635DC5BB61BC7FFEC5E46F4A61F5E540F1C96D83B111EA2D
                        SHA-512:FD8B1ACF9137E73AC25DD4ABDF58FB927ADCEA74DF1FB461385A4653875960D04D0744FAE3C340F4178290DC28EF8444B2B4CEFB213885F013DB9A93C12D2667
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.82419090967901
                        Encrypted:false
                        SSDEEP:384:ZRtRWjYW1IYiQ3Ha5AM+o/8E9VF0NyNmCE:JicYiQK5AMxkEHE
                        MD5:FEE1C1821934FB59804F1C0287411302
                        SHA1:549DAC59A3BFEF41418072D32DE5A8A27153A24A
                        SHA-256:18F9C3399B5F900F2EFF3FC479F52B9FA2B79A38BAD9BC5C6A92A8794EC4DA17
                        SHA-512:74A3BB837074246236C53495227DDAD336FBA3E57D0BF876EA4B410D61B46E90C6C54549F29E8D9028BC12FC831FB61B1E4053996ED307606BD8BDC001B33C65
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.898985381119519
                        Encrypted:false
                        SSDEEP:192:wFxrIFWnoW5DIYiYF8uegv7cERKzKb9A5K+o/y2sE9jBF0NyBaq:geWnoWhIYiQ3mehAM+o/8E9VF0Nycq
                        MD5:62ECFBCA9346E8AE8221C985806FF3D1
                        SHA1:5ED40E9FD017A1982EA82992EF32E5C0B531E42A
                        SHA-256:B92685696D25B7630DB1AB61BC84F14C557AF1546FDE86A3C63AFBBD0F883E49
                        SHA-512:4A82DC9C198EDB75B2B6ECA46BF6DCDE3DF0C953359525719F81C28B6BC5B4B6BD7F6630186CA382199026841B4E7836A735CFDD732D1B0767AB29D6FA42A580
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.862541326334219
                        Encrypted:false
                        SSDEEP:384:16oWJjWu2IYiQ32p1AM+o/8E9VF0NyX4iI:16v7YiQ4AMxkE
                        MD5:28DAD2204AA2903A35097EF3050A3A65
                        SHA1:489BFD7AC99ECE5EA1EBF96AF6E40B3E34E9EDE0
                        SHA-256:7859C38336B99C787E296B3AA18641AF765707F0FA484CF4E417915BB26DD1F0
                        SHA-512:3AAADD91B217C105075876B3A627660456B725D0D4F98A2A010844DE83080304627D2304602DA9B56D6F47E23290FB34524C3B8804802AEEEC60F7F8372F7185
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.785882317558724
                        Encrypted:false
                        SSDEEP:384:9qk53/hW3fZ+zWmLIYiQ3+cj5aBAM+o/8E9VF0Ny57p:9qk53M60YiQ79WAMxkEx
                        MD5:5D93B9F2881A43A04FABE0D5F93A0490
                        SHA1:F204D7C1AAEE75B54A912CEFBFD478C7A1EAE353
                        SHA-256:AAB10E4127AD92B4443BE1D736838A05573B4662F84EFEB9AACE3438C99F665C
                        SHA-512:2AD4B320DFDD84F7444F4E7C7D74B2C873C8FD2D1C73409EE9F095B80A5556B1ECD391E47A30F3DAFEF9CDFF014111C30A0F6915112C6559E9B976998EDFB627
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):18200
                        Entropy (8bit):6.67242806982345
                        Encrypted:false
                        SSDEEP:384:LFCc4Y4OJWfOWqWWOWVIYiQ3/PdAM+o/8E9VF0Nyub:5CcyCSYiQndAMxkEQ
                        MD5:FCDAFF82741F170AA76955A1F82EC830
                        SHA1:EC6507AAEF50BA7769E57B87C28C466D14A18699
                        SHA-256:9671F04375426A9B90B54B77C99A8533EAB96C741BCDFBB12955C40177008697
                        SHA-512:E30513F4CAB64D344E902B4AA6C5A84F2C7BB8EBE3D3DE342CCBF90F4E2AA2A7C5EF9EE9C376E1F08A179794E8611DE133CA23B531535BDCA366FC4037947DBC
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.885811084073885
                        Encrypted:false
                        SSDEEP:192:BlTx93aWxMW5XIYiYF8uegv7cERIfKqYFA5K+o/y2sE9jBF0Nysax2WM:BAWxMWtIYiQ3UfHSAM+o/8E9VF0NyHpM
                        MD5:3C7C036748FB6E4FB3F6AF083C15A660
                        SHA1:71CD1502A73B58CB9D49E77262A0992C1F189C4A
                        SHA-256:ACEB1EBCD06EAE76CBDACDAE0012D3E82DC760CE7C1C06200240E6B1A42AB317
                        SHA-512:0C4F221EDA33CAB121FE5FA4A273DB7FCC74FAB43706A1928D04D8CA17452C8A40A258EC8E8F2E192F6504B2AB9A9B228A422A09A1573FEE85221C1536571A30
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.861852485816793
                        Encrypted:false
                        SSDEEP:384:3AlcWHaWyIYiQ33+uNoAM+o/8E9VF0NyfBD:09TYiQ+NAMxkE
                        MD5:A3D843C6EF35C4D679A9AB8CE19B1900
                        SHA1:5CC4472BA418A2AA07611D8F32B9A6A60C76AC59
                        SHA-256:9DCA8E7B0285FB43761461AEB6679F9A1D53F30B33CF4BB96DD7A3B42DFDA576
                        SHA-512:A72E55C00BFB767B298DEB2457D5E83E19783BDADC7F5C0330D928B04471C22FF84E9B52AFB9B889F8E69D7DB35F9BA0B6D5989B988E6150F0374A1CB577128F
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.787081040810001
                        Encrypted:false
                        SSDEEP:384:nBIZnWlNWVIYiQ3lSLpAM+o/8E9VF0NyjE8X:BUytYiQYpAMxkED
                        MD5:AE2590608FB56BF2996EBF4C887ABEBB
                        SHA1:74074E7EBBCE4B58839FBE060DE9DF3C9D2FE876
                        SHA-256:81551E383507B1EF1C1367256494E14633D9841CA5C359F2737892B351F5EEF3
                        SHA-512:7AB3B54AEE80D5C226F40BAD2C6AEB216D985CE86120294BC554AD5A17DD9D9F19B4669C3ACC55CA4E7B5EC5E7518DE0E6F53A80257D5BD8B83AF69C2FBEBFB2
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):25880
                        Entropy (8bit):6.505056189852749
                        Encrypted:false
                        SSDEEP:384:jlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZIYiQ3gkAM+k:hQq33333333kX+TBi8lYiQZAMxkE
                        MD5:DC084560773AF56B87F95EC732DEE945
                        SHA1:95AB965AD4576E037FE747898098F796A86A0923
                        SHA-256:49DCF8CD784120B3C3435FB515600661AA707A0847830208A2222DA46C93A967
                        SHA-512:090ECAF864E372495777F1A815E743481671D6664324DF2473F773C16C655EEF94A880E3D1F6592E0BA8AAE72460BA59C2C3390CE525D80623141C586B99270A
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.857441888771994
                        Encrypted:false
                        SSDEEP:384:E28YFlXulWY/WiIYiQ3lHeDvAM+o/8E9VF0NyyU:E0qOYiQV+DvAMxkED
                        MD5:995B2FD1E1782B19F65BBF7E506837EA
                        SHA1:AB143D09C72625A3986B823AA18151892BA5E71C
                        SHA-256:E9B62233362995BDB5136BF0BFAA9F13172E86815230A092B73F3BDE9BBDAB62
                        SHA-512:91389BD6B2AD74625A455202AC12E4047AC0AA3B85FCCB8A756BC8F08F06F71310F2DA8FD4965B216E3D934652E62449E3E178DC5F35E4C0719AD8EDB6A8BE4B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16664
                        Entropy (8bit):6.7392337845263395
                        Encrypted:false
                        SSDEEP:384:ZuMLcdQ5MW9MW+IYiQ3Dz7jGegMAM+o/8E9VF0NyfX:wOcSphYiQDjqMAMxkEp
                        MD5:03EDCB3200E219E0F25BE69E2DB9B2CE
                        SHA1:7997EB13B2EE6F0995860B53623CFF91FC23E110
                        SHA-256:D542F16B96646D72CA3F82E92C9305A14D792D9F68ED04256FC6368F5007259E
                        SHA-512:490A2951567520296EDA505CBB3DD59F545DD7649187FCD5EB98124BC7F069F305848538B2C36BF40B8306FC9BE5A4425B21B3055BA06D6F1EA3D523E8C27B28
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.822673498680923
                        Encrypted:false
                        SSDEEP:384:uZ7RqXWDRqlRqj0RqFWlIYiQ3co9AM+o/8E9VF0Nyzt:O9qKqjqjuqNYiQr9AMxkED
                        MD5:AD12390A8D5EE130FD157362FBE0BB6B
                        SHA1:F3543E4D67DD40D092CB306B166767069C2AFA1C
                        SHA-256:5BF8BCB0BE6617D78088DE958A38C36BDD4E2BA0767AFDA31F6A3CE54BC8D810
                        SHA-512:29BF6757C4FB8C11772C5C95A2CA6145377522BAC99F425F1C0DE547FCE237DCFAE3AD584C89C239780F0A89D4A3BB3C20162415BB165AC1FEB8DFBFCF7E0CF9
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):20248
                        Entropy (8bit):6.638123089138583
                        Encrypted:false
                        SSDEEP:384:bNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9WYIYiQ3SBAM+o/8E9VF0NyA9:bvMhF2SzNzwu/NljuSYiQwAMxkE0
                        MD5:3EF6F90B13F22E0E9AFA58047F324EAC
                        SHA1:21D7B693A6AC3ACA72C74603D40B68DC1AFFB871
                        SHA-256:FBBB9009A9DDF5700A4C00C55CCFEF850252259DDA5D96982359CD37325BB654
                        SHA-512:66839E9DD6F6DC41423063EE93CC753F5DB970326FB8597DD6159A1F034310DB4291CF322CB790C3E919857CEC1A75880C3DE149CD1783E34360E9DD3377077E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.907603414065472
                        Encrypted:false
                        SSDEEP:384:gZ4RLWdRfRJ0RZWlIYiQ3zNAM+o/8E9VF0NyX0KIE:gZK0pJuhYiQBAMxkEqZE
                        MD5:223CE0F535E15AD93E9ABADAD4E1E477
                        SHA1:8AE0DA4E78CFDA15C42B5D0A58B9D81B3C7EEA3D
                        SHA-256:0EE12DD0E88579EFBA1074C753704C254A509C2804CDEA3E8E994DF549F4BB50
                        SHA-512:38E273798740C70759DFE710229C288994671E6A148427AC86CF9D3D294B3CED981536263AF887D6D894F37116E03D8190A475CCCD0CD351BE37CD517CDA4556
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.803562506568744
                        Encrypted:false
                        SSDEEP:192:dFx+WTIEfW5zIYiYF8uegv7cERODwenA5K+o/y2sE9jBF0NyR7av:jYWsmWdIYiQ36senAM+o/8E9VF0NyQv
                        MD5:A8F8C8BD3D83900D7658A6E58AC6AF2C
                        SHA1:40BB70D5FA954879EAF95E8DCD645B4FD70A83D7
                        SHA-256:3342DDC86DE4E99493B2F42AB3B0BD37F04ADB41B8863B23A5591AC05F66C056
                        SHA-512:49726ABE77A844FCBF656667450882A39294B3B8E4AB7E2C15E4251BA775DEF8E77BFD2F9B0C017351C4284DFA26CBC84C07B02EC3053CBD87E37024689186AA
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):105240
                        Entropy (8bit):6.3866782209232404
                        Encrypted:false
                        SSDEEP:1536:Svc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXQ7QRx0x:Ogk1tiLMYiDFvxqrWDWNoJXQMk
                        MD5:E1710A6F4F1EEC0E7AC914EA42315F65
                        SHA1:8BDEA4164A461750BD71D8728DD75D929D87F039
                        SHA-256:C3EA9EE8CCD46B0DA18BF200EFA68F574AEC0B58F283D11D0306D97D3E619DE3
                        SHA-512:BEC7949F7F47A70395890AAFAC34A62CC9D24ECCDC7B755AFE58695D4F4996277BC242231AA586BF9FC5DD248F00444EA0C74E28DA1E918B5833FEC8A19A712E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.8647059473173515
                        Encrypted:false
                        SSDEEP:384:zKcuz1W1cWdIYiQ31+p6AM+o/8E9VF0NyjfDA:xu8gYiQTAMxkEZA
                        MD5:9A693270704B6DD6284F3E5F5BFEAA9B
                        SHA1:B10CF3D593F76F833C5C2719E4A0A300190C9222
                        SHA-256:05518A52C741B381E72A4597B95917154E457A3A5AE05587AC73CE7DBAFFC91B
                        SHA-512:EB6A4E91F55C41468A73807507F2B2D86F27F1EEEDE6437C18DFCE1ABB85778854E0D68348DD038C0FD98551BDC35CA18DF59B2EB9E3BA00F379DF41C299522B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.868978975796646
                        Encrypted:false
                        SSDEEP:192:GpXYpxjSSWikW5GIYiYF8uegv7cERB3BxA5K+o/y2sE9jBF0Nyoafu:Z+SWikWAIYiQ31RxAM+o/8E9VF0NybW
                        MD5:A8F2E4A826B1848FCBEF3FDF2AA8D009
                        SHA1:A9912255FCD49C28170C7F5CB4B35E3CC33E93DA
                        SHA-256:CE9DF185442CFF04F03762FB229A3F7F537B738B1C5AEB54B5408E279F6F19DF
                        SHA-512:D3F3CE58C817F5EC89C5D5DBD53DC201A914682A2A858C2BDE2BC9A1DD60CF2D8F6C66A1CD68FD63B8A6280E404E398C4087E24F664BDFE32DB5B988418ADAE2
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.91583842826198
                        Encrypted:false
                        SSDEEP:384:AAWzgWEJIYiQ3GMy55AM+o/8E9VF0Ny8F64:AtBYiQxy/AMxkEy
                        MD5:3A1D78A0A00DCCBE5463E783DED289EE
                        SHA1:8E233800317C8D622470092E282668484D64E7CB
                        SHA-256:E15058B698BE4291DEDB81984D92B446AF558AC61B381DA631E05A8EE2EFDF60
                        SHA-512:B5BD93210C481D1E79FFF5845F86AE2B262FCAC4C5B987DF5BC091E2DCF9C0B7F6394399F0C785839E714862DA7CD55EC346CE668F677BFC0517B2AC4D5755EC
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.870776618905153
                        Encrypted:false
                        SSDEEP:384:YBLRWbYWnIYiQ3UGoddAM+o/8E9VF0NyIJ:YB2+YiQBUdAMxkE
                        MD5:E1F912106B170806CA0E522E5B70BF8A
                        SHA1:E80A5E49E18FD6C1C2E0A8C4E53EFEE8CCCD3E2C
                        SHA-256:27610EB0C5058C001227F023572B9846E2B18E7A7A0852E79AE66B9ECC77D8FA
                        SHA-512:128D556C5EDE4CF8C7415FD38B645C55AFACF745CF1AD95DD52F9108625A852733E7D3D0A44EFD2179B0CB594950267D5DB3486BE424E01EDED1373EBCB7D120
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.859194036772385
                        Encrypted:false
                        SSDEEP:384:rHW4/WOAIYiQ3GecAM+o/8E9VF0NyMehp:rrLJYiQQAMxkEDr
                        MD5:92DF8ED67B3094653B099A51DB194847
                        SHA1:CBCEB7F0A11BAFFFB34B3AFB17669B5C4CCB21C0
                        SHA-256:B354123A5D6140CCCE8FD456034D4939698B3113FE156A5C2379B1154F83C773
                        SHA-512:6A3DC03492E4C6CE63CE701E3587CDB5191D9F3D00FADF2763B96BC80D271E67BA33767E1D443F98FF6D34339F42B7B32011D1980FF1815374CE823FEAD421F0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.916755759787803
                        Encrypted:false
                        SSDEEP:384:wvk7hWmCWJIYiQ3v5dAM+o/8E9VF0Ny1hh:ws7/yYiQRdAMxkEj
                        MD5:C9285CD20954B353860ADA299EC7B333
                        SHA1:4A6E23ED0DD836AA5CF11C5B172A1B2C8B9B9C90
                        SHA-256:A26D4EB54825A50B31DF15505BCDF2597C956B801FA67129F8D507A37008FEFC
                        SHA-512:1ADF60BE95C93C41B31C199A1B8AAA0138B23168B2B2C9078FE6F673F3E6FFBFADE970C18B03B19BDEEBFB243411452399FBDDBC445D36E4061606AC120CC336
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.879167828490933
                        Encrypted:false
                        SSDEEP:192:JUiW2xf+C/WCUW5JIYiYF8uegv7cERZFZIZA5K+o/y2sE9jBF0Nyea6vb:/GMWCUWvIYiQ3XSAM+o/8E9VF0NyJ6vb
                        MD5:E38268604805BA0749EC7C95B94B3BBF
                        SHA1:390F50C5D3899E18E11A4D95A3D06D6A0C9009A6
                        SHA-256:3CB3BE56103DA7B885A76BED5896B8C11CFFF848A599FA98F1BDA35568061B99
                        SHA-512:E02A4C691A4FA117085EC25D6406CA6755046E6199934FD624355CECA3153FF8AA8775547C0718B3C920EF4D2FFCDFD41C771AEFEB2B25A35ECDEEF60518C4B8
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.860502966777449
                        Encrypted:false
                        SSDEEP:384:lBhwI7WSQWrIYiQ3a2AM+o/8E9VF0NynB:lDwIByYiQRAMxkEP
                        MD5:4EEA731FCB2B11A909A0CA1883F56BA3
                        SHA1:E580CF3C54D4F35B4E038C446E8D7F94138A9E45
                        SHA-256:377DC5D80B98ADF1CE12AEDF69B734015E66D599E766ECB77E0FAE06971ED462
                        SHA-512:93216D810C980B104190F74521ED164855CF8C6977DDC5D78B7ABBE0C2FD32B2073F67494611C7CB5EA4759525077A80E0E071E13A20849415A9AE889F99D435
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.877101990360869
                        Encrypted:false
                        SSDEEP:384:8yvPRW4lWHIYiQ36ezAM+o/8E9VF0NyzM:939LYiQJAMxkEu
                        MD5:6214D0BBCB83A5614B09E0510EFFDCC7
                        SHA1:7FFB9EBA3CEAAD1C4D11E65E5D34E3CC284491DB
                        SHA-256:CC8B4B2E1705C3E9F36C36DB8EF79BBF9B26597978338AC4E1CDFDE5AF9AAD35
                        SHA-512:8FB2FAB4E41A8D17323D6896055F75DCC2F338B8C24ADE382FAAF0511F5A2989BA14AC7CD7C5BC0863DB3EAC88D13E658FC054B0FCF06C6AD3446B380768EFE3
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16664
                        Entropy (8bit):6.830858594561975
                        Encrypted:false
                        SSDEEP:192:nnhp+J2sx/5W6eW5JIYiYF8uegv7cERFQurA5K+o/y2sE9jBF0Nyyaz6:H6RW6eWnIYiQ3RQkAM+o/8E9VF0NyV
                        MD5:8806E911430CEB2F1626CEC0BF001955
                        SHA1:6C57EA64595D2165ABB1C4907A66332A7F68DF08
                        SHA-256:99818E60DE36D841FC5F8183B5DCA7B5AA36BAF5074F886142928F45CBF3AC82
                        SHA-512:2214BCBE653FA47C05FC9C62B3AB6B975AD23F341288BCE4AADFDE05BFB9CB55492A6DB948D6AE06DB755CFDA36855DEF06BC8FCF33242AC5404F1AD13174A62
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.865281356496289
                        Encrypted:false
                        SSDEEP:384:vSUP9W70WSIYiQ3NrgUAM+o/8E9VF0Ny2OC:aUehYiQdgUAMxkE
                        MD5:2E5D352C93CF7084100AA5773039C964
                        SHA1:E7968C7DD12CB6717FC424918394CFAF2D962BD2
                        SHA-256:C3D2CFD2AE67832708EA827E9F43B56FEF5AA0FFAA007DB4E8B67521A5F6F30E
                        SHA-512:E112DBDF17E8B6F380549CADAE25E30C026A4ECEC75CE6D68E85EAA02174D0CCA89AFB4BA376AF9CDA1C9BCDD48126096D5B62B9842A673F5B0E3AFAFFD52A1E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.861787785413967
                        Encrypted:false
                        SSDEEP:384:28yg07W0/WYIYiQ37BbAM+o/8E9VF0NyfnE:2BHcYiQVbAMxkEW
                        MD5:F66EB9B36D9E299D9B9EE76418A70460
                        SHA1:ABCD6FE4EE591BA264FE4A8887720931C978C140
                        SHA-256:A7B41D566A8F84E88BC72C768546643E33D96DB19D7A5DD2743569318C078A9E
                        SHA-512:7A1D538EB30930DC09986D4DE505195DE6F73146799830747CEED62B81820087522FF14CA5CBD22D5137F45DCA8FE057809B2CCF224433785485AB0D5D550B3E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.825900568445449
                        Encrypted:false
                        SSDEEP:384:6e1WmRW/IYiQ33MpZnAM+o/8E9VF0NyE:6ejTYiQspxAMxkE
                        MD5:11AC162C0EE9D060E53CE34EA7B11EA7
                        SHA1:5983B61F913F9172B21265B9A298033995E8A2D9
                        SHA-256:C10ACAE4525A4427A689F3C3B5970A7C52EC73C9ED666A6F32036F7B96F5249C
                        SHA-512:81BDF4C24E7992AF7666C84B6A361BE004B525C24214F5FD42F55141F9919CD09FD6735CCC4440A2F8C9F83CADA79E7B3705ADEF5E2D775429E161650E048832
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):192792
                        Entropy (8bit):6.117255183801723
                        Encrypted:false
                        SSDEEP:3072:veruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSghM8:SW60VcTvakcXcApO
                        MD5:81EFEE1B34B719385AB8A466BCFEAE6E
                        SHA1:28C1FC10968604B32CDBFA3EFD0223B597169BDF
                        SHA-256:2AF667C3E7C1B47E6E96531EE1C62D252C5A886748E28D9555A78F76766AF409
                        SHA-512:528BBCBCA368A7894B794A430CF4744773A64255E2DA254B0D8D22813F0180411E81ED739DD114E495C9C4B7123B66A3EC38DBC2A1BFA26B1B1FF9F423F8E43A
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.846789821549846
                        Encrypted:false
                        SSDEEP:192:1ZsxgyrWYLW552IYiYF8uegv7cER3Ga19A5K+o/y2sE9jBF0Ny9az5A7:T6ZWYLWaIYiQ3j7AM+o/8E9VF0Nyw
                        MD5:336EF35EA1BEA31C613C7766308F70C6
                        SHA1:B0E71451D09439355FE473115990D30717616A1D
                        SHA-256:70AAA4A7B913F8D721AD8555C6A34AA83374D020D7AE521B16CCFEC70A481E51
                        SHA-512:055F72A8C272D41CBB05B64E394CF38017E42FD04111631F712629514C2FEDC3FC0217B7299962851B8928A9902AD37CCAAD37C275BFC8E67C37893DB1459130
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16664
                        Entropy (8bit):6.803232736244289
                        Encrypted:false
                        SSDEEP:384:71W1WMQWlIYiQ3ln/yJAM+o/8E9VF0NyZfFxN:k1cYiQVuAMxkEt
                        MD5:E8C595ED2B3B85C2B6D37EF7B8BDEC3D
                        SHA1:C2422FFB6124AEA2ECA1E81DAA325454EAE52F85
                        SHA-256:76222B2E8BB38067C48348F7E2E4267C109779FE8F2F955BB91FCE0C3F15BFEF
                        SHA-512:622D277D635561BEC3A7B48BB67304E23D78578B26040B39F27D671E4C8FD9BCEF2A28179F4394856ABA8FB82C073C779F17A0F2CB6DD48355005085F58484DA
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.843104854083415
                        Encrypted:false
                        SSDEEP:384:ydSWSKWZIYiQ3NInAM+o/8E9VF0NytTHm:kOaYiQ9gAMxkEbHm
                        MD5:3C4B29F163987B93A356120C8B8021FB
                        SHA1:417E8B5F93FDD447ABD6541BD1B38FDC19BFBF73
                        SHA-256:4EADF53A68CC3DEEA7DCE2DF033F3B2E4106107932DCD59FCF00E5F01E694C4A
                        SHA-512:2BB6BAB026AA51D0148DD19572FAE4BB1CE396CD22F848BD16A5C12A6F72F1503D50E3367A24BE3B98FDA925EBCD0BEDD89E0B43E5C3B593E37536216C435D63
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16664
                        Entropy (8bit):6.756544464200284
                        Encrypted:false
                        SSDEEP:384:5JEYA2WkIWtIYiQ3G34tAM+o/8E9VF0Nykchtk:5yYA8YYiQa4tAMxkE73k
                        MD5:44C99E5F2B662D284F5A6F9BB2B535BE
                        SHA1:65C9E5B075A206DBDAEF23012EFC480185D197D8
                        SHA-256:000F800D7549778168C5DEFB8B6C4A0EB2B3207DEC98C65D1EE50B76213C0DFF
                        SHA-512:8C357F854F9A9862D90A119ECFBB4C32E67B6A6545853D31C6EE02B088020B3A96AAA486421FC6240D46994E2007D49387F266FA1496E885BC87C4E9F72BA61D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.8834574175832435
                        Encrypted:false
                        SSDEEP:192:ul0qgopJ5xBcWe4W5SIYiYF8uegv7cERQcsA5K+o/y2sE9jBF0NyQabcdru/:qJGWe4W8IYiQ3U9AM+o/8E9VF0NyzbuS
                        MD5:E2135D32AFD4B61A12ED10B3110FF7D2
                        SHA1:17506BC7CA3EF8447C093CDE1E76BD90AFC7FEB9
                        SHA-256:246342A9128A78867449C86CBA8DBFDB35B5F9723C09F9D599C668D98723030B
                        SHA-512:CA87F663EACDB690D253B433955B4C74FE6E9CAFD1D8A06F47279D38C8ED3634012EB76B003E6F9BD751EC4D8116E50F173C4561AB6C8FC661027EEDCEDA1667
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.797103619010875
                        Encrypted:false
                        SSDEEP:384:cdW1w3WesWpIYiQ31VAM+o/8E9VF0NyFyxO:F1wxsYiQ/AMxkEl
                        MD5:32B525A3222B2AB003B9995487E32B9F
                        SHA1:C8ED7AD274DEFAA99877FA6193063C2D698C9F24
                        SHA-256:9B1CE75760F2B4C2D86FFFB7CB5B904596A08531FE1DC86A75E317D92C07F8F9
                        SHA-512:5793267BA032209251D4C42BF3DC49290163247EA362BE2DFACD242BC69B81DE4BF8F047C1EBE1CFB6FB6FB97334C52C612B36E4E889CD2C5B9C1A3B9AE48338
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):24856
                        Entropy (8bit):6.604120015564585
                        Encrypted:false
                        SSDEEP:384:LylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsWTGIYiQ3UQAz:Lyp12Bhkg3qnV/sBbYiQ/AMxkEM
                        MD5:660C3723CFEB1AC9F53B22610CD5EFEE
                        SHA1:D89A1C9AF16925F9B4197F7B6CA9990CF8273BD4
                        SHA-256:9042AB4674659EC2FA56964915EA6902738ECF04009ACC7746F2C4286207CA18
                        SHA-512:7D93701B34728343A402587A0099F6C9475BEA14ED0AC5ABE3CA2EA1A3628CFB71D5CAE7A7E338444F3659365CB2178B541BD57C5E45406500BE2E69B5049363
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.864239907985737
                        Encrypted:false
                        SSDEEP:384:gHPAW1bWsIYiQ3iDc/AM+o/8E9VF0Nypt:UrYYiQTAMxkEZ
                        MD5:85FFF3D073AB8E1F81F8293EA10DDA74
                        SHA1:9E5A348B9F4DD112E798A3209B7344D19F54BBB1
                        SHA-256:7BA0DF88689DEF5703D01B0C82CCF18D7E29F800149EFE0E6E9F473AA8AABFFF
                        SHA-512:8A703E40201180C110756087B00CA639E4A629E11D21F5854645F2EEE15D40C3DD08BDB0102125AEAF53A6CAE2745BAA9E4A30DC41B618BDCE9CAB94DEC9C857
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.862911486255781
                        Encrypted:false
                        SSDEEP:192:1+TxwFqWD7W5oIYiYF8uegv7cERgMCQA5K+o/y2sE9jBF0NyRaAP:UNoqWD7WuIYiQ38CAM+o/8E9VF0NyM4
                        MD5:E6F874D5803476AE5AFF4C21C65C0C17
                        SHA1:F47EA61A2F4F17FDF09A1D64BE826498277D86CC
                        SHA-256:3A67BCC0549BDAB50D2ED466345DA03241429377C9AF0F71F4DCEF0C3E8080FD
                        SHA-512:68C4C3E1EC4CCD8BFEC7D18B59D5EB2CCDDF82256739B07D28975C0285AC28511222FE3999040071D80210E3AB40539C385A41680134C3701A5040AD8961C8C6
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.872030086077553
                        Encrypted:false
                        SSDEEP:384:87GETSAWUEW6IYiQ3dLOAM+o/8E9VF0NyDy/2:8/T1FYiQYAMxkEoO
                        MD5:BC05DFB2E13C10470E97EA50A2488654
                        SHA1:84AA73A4B575AF521D581615F604F05C4BCB914E
                        SHA-256:7BAAA4EEBA87898C04EEF5C5B095915DAF88A399258D483DC4DD8A9A71A80515
                        SHA-512:CC8C94AFBBBDE16399FC79447A1AFFB97475441627C92A46F1F52F41DB43A7E3DE1865585FFCF763049AEFC16B3F60C3A2EFEC06694DF59FEB2AA9E5D48F4FC9
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.857432518969259
                        Encrypted:false
                        SSDEEP:384:hcDagtDApWSKJWaIYiQ3TRaAM+o/8E9VF0NyU3jW:hPKBYYiQEAMxkEcW
                        MD5:232F3EDC1CC89C81C783EFADE079CBE8
                        SHA1:B3BE37231F5021D55F6B003CE85A7E52EF996AED
                        SHA-256:7CFA4D2C17F461F49B7390A25A31C041ED9EA56B15C1FFB1DF7C087C03B3D6AC
                        SHA-512:DC5815B669554B7516ACA441EAC5C5D3270233B55FE7941E4F7D3D7D5254565650E384597A34D82BDDEF4FE02CAEADB11F0A0EBBB21C330C7CEDE829F259448C
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.862756150391791
                        Encrypted:false
                        SSDEEP:192:s6NxhqWD4W5JIYiYF8uegv7cEREcMKCWA5K+o/y2sE9jBF0Nyoawo:ZIWD4WvIYiQ34cvAM+o/8E9VF0Nyb
                        MD5:535F272B1DFDCCF9B18B6E57307985CB
                        SHA1:0C2204CCABA985196340102934D574071A0D45BB
                        SHA-256:36B5412E22A3D5E80D2BE0DEDE4B02B488FB71AEB36A5EB4EA56ED0C7ED103B2
                        SHA-512:43010CE821DF70E208555804E020C6DD3BF84AA5D1F4F8E5A7EC0DB0FAC28D2296569EB2138D3B5362B18678CA83B12AADD7E9AD1E88E494BA21CC845FBF14C3
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.794727351120919
                        Encrypted:false
                        SSDEEP:384:eMWzQWnIYiQ3aNc9pAM+o/8E9VF0Nylt+:e56YiQmiAMxkEN+
                        MD5:7F69119B9F5ABD71A569FD5B19790AC8
                        SHA1:32038B7C797EA979540BC3241F8000977BF0275C
                        SHA-256:42C6DF70722DDAEFFAF91A9FA2DC6E87835A50321F0ECB5BE5FB57F4EDCA67A8
                        SHA-512:C7BE2164167575CDE095EE500920D3DC66725EEA2A21EC15925511E6AE33E1C0F4D80112554660EFF0823319ABE334E21F7D3EB6FA0BEE9E0F9322FAC31EC2D6
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16664
                        Entropy (8bit):6.731545171836857
                        Encrypted:false
                        SSDEEP:384:2xDHKWAMW8IYiQ3sRvqAM+o/8E9VF0NyA:yD87YiQcqAMxkE
                        MD5:E15C6C2651753DBB01EFE4D0DD708018
                        SHA1:E0442322760287E532C73EFF8CC89BCBE769C595
                        SHA-256:07CF6E129AF0461E1F74652465270ABB1FE1BB86AA2075A44DEFBBD03D71A383
                        SHA-512:05F7D1BC04D7408F8D988A34DF37B3BAB2FB4FECE035C9E250EFAFE35718DD04E7B6C51402983DF89B476056E6271A35EA03C9011FB4334CBE194F3C0BA8D132
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.841056130462272
                        Encrypted:false
                        SSDEEP:384:1LNBEW6pWgIYiQ3t0Lm3AM+o/8E9VF0Nyfri:1bMSYiQA+AMxkEk
                        MD5:8C01F76ED4123EDBB94C8223451C25AC
                        SHA1:66898F2D44737C249C66D2A111BC7756AFCCAF90
                        SHA-256:91B8F7C439ECB19898EE77B90C029BDCD8C31625851C76DDAD8B6E9C65EF776E
                        SHA-512:32BBC47D2FA4A102211C9DB143A550AF3D3DD682DC830FFAF5EA2A7E30221DF1D6E80719C66F8695A02D3C6860562885F40D3AFBCA637B704389122371EA846D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.890648399952795
                        Encrypted:false
                        SSDEEP:384:EKkHKW/tW6IYiQ3h7fuGQAM+o/8E9VF0NyiVy:puAYiQxG1AMxkE
                        MD5:8D125088784821B8AFEF27FC7DD698B9
                        SHA1:7A756EB1233659482652B268AC6743F9D8607A22
                        SHA-256:B5AE5B69AA1D0C92C9BD5023AD548837C085C17211F5EE4555B626D975EC764A
                        SHA-512:FCA22C93DEE14146F3866F6EB134160DFD7B3AF03F4BCFD738E2BDE862954EC9E14F46C8A453E741ED539068374A11B74CEB07C8714573AC11CFDC9831DCA41B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.839938521798858
                        Encrypted:false
                        SSDEEP:384:YLnfIWqrWpIYiQ3pvwsAM+o/8E9VF0Nyp+:YDf4PYiQzAMxkE
                        MD5:6FD147B724B5E49473947780FD4C0B33
                        SHA1:4620F278068F7CFBB339276456C54B4E3156607E
                        SHA-256:06A74B43B8477A134A5BE4842425CF64D5EBFBCDF81C2FD78EB036A4ACF44244
                        SHA-512:1AF8884EFD44E7A141827D2E7FBF56F9BF8C57D31534084BE11CE976F34E5B879E3378CE07DD27752AE475FECD2B67E4144C4B2F80AB11C6450B1A3B422226B3
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.8205164518684525
                        Encrypted:false
                        SSDEEP:384:lna8WK1WrIYiQ3pG4+AM+o/8E9VF0Ny8UEWD:lna0/YiQGAMxkEDE
                        MD5:B9F7FC792A6BA1F054CD5546FEA7E103
                        SHA1:1F70B72379AC81BF61284B556B6351BFBEEB50A7
                        SHA-256:10AB23F1A1C961194D72CC629090C70149AB86FAA1C2F4783240AB375E9F804E
                        SHA-512:0384F78E53AA73B91329A905F0C1DF5FFE7C1635B300BEF8B7C0883B6DA70FB7294279104D2C871437489A3B43FF007320C47CC2760B1ABB8FF1BB435A39F3B0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.778279304968589
                        Encrypted:false
                        SSDEEP:384:CBSWITW4IYiQ3NxMqLLAM+o/8E9VF0NynrsH:C6AYiQDMqfAMxkEyH
                        MD5:68D3F3F0D01F8D8D0EC4C8950D41D835
                        SHA1:06142F14F77A73FFFDEFD5CD9315E486E51C8E1F
                        SHA-256:CB68B5604B98A245BD8E24D2B6A712364DB7C6C62F61FA2AB37CCA4D435DDB09
                        SHA-512:98515079DE32359A17F81DA40EF103FA815CCCECBAE31053C914DD80B716202A641AA4FF4FD831F3A082BFE66D2982C10015A504DB76F77648ECA44FC5ACBFE5
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.882370026240375
                        Encrypted:false
                        SSDEEP:384:I88cIIWNoWWIYiQ3pqdAM+o/8E9VF0NykqxG:I9cUZYiQQdAMxkEhxG
                        MD5:877F8F0793DEFD1C4D28B3AEE219B5E9
                        SHA1:E7D0378336A76A346EC2DB91E4E86411F27B5B41
                        SHA-256:07B314B2B22CAEABD69475D4EB4E7806104F0A0368EE0F3F3A9B49ACC6B0F2AA
                        SHA-512:29E89BBF983F30050D174B387C53F12B7D371ACC9BF0695EF9A074298A0CBA464E014438DF942782BB7075E3530A9D6FEB63D8EE9760BC71A433460C24A3EB2B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):22808
                        Entropy (8bit):6.627869000409553
                        Encrypted:false
                        SSDEEP:384:skUwx9rm5go1fWKmmW4oqN5dWjaW+IYiQ3m+jCAM+o/8E9VF0NyAFM:brmoFmWXXPYiQtCAMxkEc
                        MD5:8BE9A28F64DB3C94CDE5D57B0AC6AACD
                        SHA1:0D830CD51D6EBC4ABB6035A7372485F8A54096E0
                        SHA-256:EE920C06CCA185F4231019C1D03B58A27AC27D40A4CFEA0DE1A1214A9FB1FFF2
                        SHA-512:5F3AD022F669C4A43A1908B009D7D32F5363916B243ADC97BF1A38C1514D0D566F538763D2E7A201F343C5F7E27213FD766D52FE62BF8B88C057BDBD33BFB83A
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):18712
                        Entropy (8bit):6.6852073634649924
                        Encrypted:false
                        SSDEEP:384:P09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsu:eOAghbsDCyVnVc3p/i2fBVlAO/BRU+pU
                        MD5:C37C74E88F0969CDA3D7BEEBA2862400
                        SHA1:F2CDDA74E48D4E3AC2FCE65DB618BC8524F5BA19
                        SHA-256:F0BB97F5AC966C12BCC0EB8A64DC80EE07E9654A8239669A3CBF4EA0BBA124EF
                        SHA-512:440068F64C952547D9294E9D58FAA6C779AD578FDE2AFBE2F22A99C0F8BFA9658F80CC426F39D35851CD258ABA42119E84D7F67364CAA5FE5E73CFA1F28F2379
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.846144839410192
                        Encrypted:false
                        SSDEEP:192:cPTYx4AW6RW54IYiYF8uegv7cERzq5A5K+o/y2sE9jBF0NyNaH:gy7W6RWuIYiQ33q5AM+o/8E9VF0Nyg
                        MD5:F4D84BEF7AE2B8DCB608DCD257B42726
                        SHA1:A953E061172D5726D393E5FC664913025C795397
                        SHA-256:24565F3D8A37FE0B32DE0D9B497A83FD1E49CFDD5F723CD423F3592F2E7DAEE4
                        SHA-512:A6573420E88DC4994F919B5ECA5CEF0E7B69E6F9E88CA3919D1A2AA37734F90E4A50FC60749997D06D7DEDE89FCB58635CAD4017484604AB8CCEC55EC14CD13B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.929800288547012
                        Encrypted:false
                        SSDEEP:384:pI5HeWFwTBsWiIYiQ3sOgAM+o/8E9VF0Ny1Pndm:pI5HFwTBpYiQjgAMxkEZm
                        MD5:5E07837E813372CD7D298652E2C06EB9
                        SHA1:37F1D970E8251CEC66E34A0F192452DB20026826
                        SHA-256:9E6E9AFF205AEE743DB9BB527BC5CCF28974C521E85EFFA7F90DCFB4CBAA0D7C
                        SHA-512:14B525D47F7582FFF72AE87CB9672249DCD4CAA4E1C2178EBAE65850E4500829510C4B706654B1713C269B38021F83EEFB22F378E4FF9F56FE22E338A36BEC32
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.899254452610612
                        Encrypted:false
                        SSDEEP:384:rAJpVWbfkBnWkIYiQ3StZAM+o/8E9VF0NykEV:rAJpWfkBQYiQOAMxkEVV
                        MD5:88AF98A7A340BE19EFAE18FB3E5A8994
                        SHA1:31E19A6CBA723CB031E5E7E5900A8523ACA9D725
                        SHA-256:97EE530A30812E6E8DD2997F056FF17F3DD2ED98657DB40FE6E55244ABE3055B
                        SHA-512:BF2076F45A0677CCB58CAAFB12CF3441D057B88E6F1BE0234FAA56115164B9862FE2285AF89D713555E734C8E21A3495422D23356C6C144BCF66DD67B21B848E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):21272
                        Entropy (8bit):6.553812573673458
                        Encrypted:false
                        SSDEEP:384:58R71h7yzt94dHWFgQBVWeHWFyTBVWDIYiQ3ZNEwAM+o/8E9VF0Ny8xXb:41dyAqgQBfqyTBnYiQJuwAMxkEUb
                        MD5:72DDACEFC813D449418331AE97D1EE4A
                        SHA1:9BD0A3DB88D29279017C819650C526EFA03E4384
                        SHA-256:6D9E8D9BF963623BAAAA7FBBC4086E8AC31053E13ED72BABA180998B7F294667
                        SHA-512:402138A352B2817D4063848EF0D40CEB1D21236ACAE5F81CF730B7B075E5E4BC3218562ED2D440BEBACD8FC7F39BFA34FE219CD18EC3D308113DEC670462A945
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):19224
                        Entropy (8bit):6.693628333625581
                        Encrypted:false
                        SSDEEP:384:apsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWBIYiQ3koPAM+o/8E9VF0Ny4u:AsPMQMI8COYyi4oBNw4tBmYiQBAMxkE
                        MD5:DD96185B5436A2D3CFA47F667A706C15
                        SHA1:9468306C3A5134553F23C844093018EB6D5CA626
                        SHA-256:500CF5D2F8FB644F853F755224FF29D57D36BB7AF2C6EC8DC4AA311E15AC17EA
                        SHA-512:66453132FF9E8815C16A0F4FCA5DD65F2E42D4B107A69F1E257235D6F0CFFE9F28E980DB4572D4401C97D5E74F7E694EED7861BF9C515CB29F439A82C1743402
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):22808
                        Entropy (8bit):6.59340231976262
                        Encrypted:false
                        SSDEEP:384:ZB9g5l+A3VVdCRdtOfd7TCUBQ4BX8JZa6Si5HsOgrE2WGCWLIYiQ3I4ER7AM+o/m:/9g5HVVX12fsOgrE+QYiQREtAMxkEK
                        MD5:93B2B9FAA87093390C4C63DD34FABFDD
                        SHA1:DB1F2F737416A21B403267ED101D7B48FA4B8180
                        SHA-256:F09E7F6F63005D6DA9AB6CF8C14F47ABDB4F20FE59D72EC88DD5BE2C3B444E4F
                        SHA-512:8A1979E91AE4B9D6D75484592A7854597C8B54B371D4BFCADAC4F51466AEE6890E5E6ED7E72E0110B36DFE1F290485C405E4CA45B372CEA63759C483B229B9EA
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (541), with CRLF line terminators
                        Category:dropped
                        Size (bytes):76981
                        Entropy (8bit):4.819464476297391
                        Encrypted:false
                        SSDEEP:384:YNa7Vx5ughg2y1eEics/2cLtU+61hYg45bmZiNjcAjdKvj59znKSe5+YjTjljcKZ:YHeEUZtgsccITKSFYjxcKSskiKS1
                        MD5:3A4E05CD88971CC7988F3179977192CA
                        SHA1:C0F796775FB852E6F9F75AB70846EE49619D9988
                        SHA-256:576D49F78CEDFC37A7F7452EA7519EBF690642EBB87D01AC777605FFDBC648B0
                        SHA-512:4E649FE654160B8D2595927CB215F078E1D97EE5B1D366D0651743E143DD990867FFB3E6C69AC19AFEF0D75C9B8B28E36977AAA4D64C5FFD24B0037B04828479
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<doc>.. <assembly>.. <name>System.Runtime.WindowsRuntime</name>.. </assembly>.. <members>.. <member name="T:System.WindowsRuntimeSystemExtensions">.. <summary>Provides extension methods for converting between tasks and Windows Runtime asynchronous actions and operations. </summary>.. </member>.. <member name="M:System.WindowsRuntimeSystemExtensions.AsAsyncAction(System.Threading.Tasks.Task)">.. <summary>Returns a Windows Runtime asynchronous action that represents a started task. </summary>.. <returns>A Windows.Foundation.IAsyncAction instance that represents the started task. </returns>.. <param name="source">The started task. </param>.. <exception cref="T:System.ArgumentNullException">.. <paramref name="source" /> is null. </exception>.. <exception cref="T:System.InvalidOperationException">.. <paramref name="source" /> is an unstarted task. </exception>.. </member>.. <member na
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):23832
                        Entropy (8bit):6.335825533219835
                        Encrypted:false
                        SSDEEP:384:rbhigwLAuZtM66g/Id7WVXW2IYiQ312AM+o/8E9VF0NyCcPy:rbhzkKsqYiQMAMxkEdy
                        MD5:DB5FD81791F7AE1ADD92800D49466B88
                        SHA1:5D62F47EDBC31EFCE935CDA894326115A387C5DD
                        SHA-256:16425E8CFFD0EFC9325F60EF24536B8D613F9CC4F484DEB723C1591BBBE6A6A1
                        SHA-512:D0AF844DE5393555E38402FEB422BA431C8E4FA4AA801AF5CE2E5E7008973DD9E1592E8C2F19F70854E8DB0EF328316D1C453002125A2C68D40B882DA3AF6692
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.8741062642791775
                        Encrypted:false
                        SSDEEP:384:NUcX6W9aWoIYiQ345ZC5zAM+o/8E9VF0NyBwv:NUch1YiQ485zAMxkE8
                        MD5:317B40B2AEA3F2FE5FAAEE7706315D17
                        SHA1:62516C7CAF46EA32C2586C8742622F107CA32D05
                        SHA-256:22BA1BE002841A969E2D15F2168F8A4C00B1599E7A4B30D003A25BECDEF1FA26
                        SHA-512:B2BF35D7236F6763A006BD74F1A06FCC5EBC4844BB02D85A278B718CC669E961BCFCDEEF84CE043AC2E1752034EC6E4BAC8DE28802AF83DB0FC1C66F9B5CD90A
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):41240
                        Entropy (8bit):5.967319357264578
                        Encrypted:false
                        SSDEEP:768:BoBj7kS+8mjvHTeaWKs0Sd4eetYiQ2DnAMxkE:8Pmb9WKs0Peet7QYx
                        MD5:F4B33B005D05BBBCE5D7BF04C5ABE7EA
                        SHA1:4A5F6A67E8E62AA750402B7A7FDE48134CD7CB42
                        SHA-256:04DEA8E4CB20F08DD5802174EC09841D61AC709191438C46EC12D6C099C9DB24
                        SHA-512:9ABAE38219F9D044B6E4EC5F551EE9A1A1B93427219540BAD51985E14E7BDC523BBAFCD0A373DB55DAECB51F5F4531828CBAFB825E135F3B0AC61CDB4A03F8E3
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.903077584901388
                        Encrypted:false
                        SSDEEP:192:cttTL/WxOT6LoWPzW57IYiYF8uegv7cERaazCiJ6A5K+o/y2sE9jBF0Ny9a9:sTI2pWPzW1IYiQ3OjAM+o/8E9VF0Nyw
                        MD5:A77177BF556491A234429FADD6F2086C
                        SHA1:A8E222201995C417FE67EE5C8FCF21F75AD1DE93
                        SHA-256:0DCDDB47EE1050158E2995041D43025AE1764E1FAE436B21FA7C1A1728494521
                        SHA-512:DCBD22350BEB2F9C4E8CDAED47D4387E367BCEF200EF59ED8C6E0633ED60A3DD75C72B691AF52CAF6C6D8675C051D5EBA93E775A151DD7170565325A3615E53F
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.915657513952599
                        Encrypted:false
                        SSDEEP:384:vcezoy4W04WhFIYiQ3pltAM+o/8E9VF0Ny06:vBzoy+mYiQHtAMxkEn
                        MD5:800166795D392E04CDBBA043C644B146
                        SHA1:C89405DC32537949C2C7DDC121375A2609A8E810
                        SHA-256:81EC050550B771DC113D09DF11D3AB79F64DD287EBEEEB41AFC5E5A60FD9ADD1
                        SHA-512:9C5D0FA3F59FF4E558783C417B587A40B0F9139BA57854C1652EC1EC493AFD55EBF349526E044FFFD5F8A1A2DA5F8EEAEEDA7BAF0C2A4079442AD679666DA51D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.809042489008279
                        Encrypted:false
                        SSDEEP:384:sH/JWKpWWIYiQ3ywSaJUAM+o/8E9VF0NyMx:sH/jEYiQNdGAMxkE+
                        MD5:3F495772EE807E2A973CDFD9CD7CFB52
                        SHA1:A96A894122EC5BF0CC6E5E4D536A3F9A63F46FCD
                        SHA-256:178D89A7FD7CE5F9AA7BBA4A10E18F5479A895CA44934F431AC0C4455F929285
                        SHA-512:1909F69B0755C0E954A8DD30443D8B9FFF0217ECEB77EE671BA7BA144680780713D9A541BD541170E8ED1041E4C95BCABEB711D219C07E7AFC200A5CCB73CCDC
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):17176
                        Entropy (8bit):6.754316397985461
                        Encrypted:false
                        SSDEEP:384:FTjbocNsWMhWyIYiQ3ih+bUAM+o/8E9VF0NyYRo:ZboYyEYiQmAMxkE3
                        MD5:C4375428C62F0A69B9FB186470A886CD
                        SHA1:80AB1DC4CD27BCA3D3EEF2A59931144F78B93A8C
                        SHA-256:A396936B1792B9A86D02B34E07DCDB29B3DE0D84CD101EA0EC8BA44F5FE0CE34
                        SHA-512:479331E371EF0DDAEB34C9A655FF2A19E6578049F10C7D9123D35EF1728101965B7BFFFBD2390DCCE12AE2E7575EDF7AD5721C036A74C98488A5FE740947DE8C
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.85782301989131
                        Encrypted:false
                        SSDEEP:384:ZSKiWIhWLIYiQ3vNKkEAM+o/8E9VF0NyC5:ZSK8LYiQ1lEAMxkE
                        MD5:AF0A13CA807B9861FB75463BBDD35F26
                        SHA1:CB29BE7B6E3B30724C1D8F3D5EE498069BF5D1E5
                        SHA-256:BB0A34DE62D3709B6644725389CEFEE5BEE25BAC8C67D489A14EFFA26AFCC165
                        SHA-512:CDA18BBC719DA133EBC5A7578A3EB9AB9561B3E676A5152FF1A7432A85C43ACB88B2FC1A045B86FF70FE58C02FA3FCF7B2978F540F0F4E21F597A43DD9DB4F1E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16664
                        Entropy (8bit):6.795989284219934
                        Encrypted:false
                        SSDEEP:384:C0KbZWApWmWTpWmIYiQ3H3AM+o/8E9VF0NyQN:lKRyYYiQnAMxkE
                        MD5:6C23C48749553C2C951FE8A8C3B80009
                        SHA1:35782F6752EBD4936491B7D56E53AD70B21553E4
                        SHA-256:B278F6DD45BA628CD7E8C2A43048623A3FD07D817973507BE74A5F8502799A4C
                        SHA-512:1F563FADE9D460C0A185A856E6A60CE7E3C6A4205BDB2BD87047E35AE726173883FC5401A6975F3FB75A9FF322C6B6D281F4998DB17D3D320B7BDA02CBB02015
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.885074328795784
                        Encrypted:false
                        SSDEEP:384:yb1nWCXWDIYiQ3LRtceAM+o/8E9VF0NyLv2fW:M7RYiQnTAMxkEdh
                        MD5:A66AA279E154B949FB434742F4AE66AF
                        SHA1:6B98556AD8C64BB59DDB128ADE2F451B6698B2F7
                        SHA-256:56AEBD66806C4BCB4AB628F80F2BC91FB2E1455F9759A9D91C6CA396312DC8B9
                        SHA-512:EDFF91ED07622E595E1A702CD20BA0937AE91B5C786B54F21CDFB72E32C20905055D736F51A1E79008FDA7D29F2602BEF00DEF83E54B71D21F7E10E9F3E872E9
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.786250286533486
                        Encrypted:false
                        SSDEEP:192:crD6cYxmPlW7TW5CIYiYF8uegv7cERI+2BJA5K+o/y2sE9jBF0NykaK:ocyW7TWIIYiQ3loAM+o/8E9VF0Nyv
                        MD5:EEBDF3713241481AB659D8BBDF7F0F4C
                        SHA1:3FB4F02FF50EE423F8A821B326374066373F7898
                        SHA-256:77D1BBE1012A380F2052CA23E5AC92839A08A0BCE99D1B846D0233591888C776
                        SHA-512:17DA16D6FDBC17F0AA49E69CB6D76A53425698916BF58B74311B89B4B71BF003CE78946C2B254322526F893E788404C13544A1A5164E5FD793D81CE061320AF1
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.916026441175419
                        Encrypted:false
                        SSDEEP:384:e6Rb32WVzWxIYiQ3ABW8tAM+o/8E9VF0NyUYAj:ZRb3d7YiQQEaAMxkEzs
                        MD5:BB17C3464C2C8BDBE75E2E6EA9B56D46
                        SHA1:7D807D42731782D4CFFD37E81F48B13339540B10
                        SHA-256:482A96E0B907372B2D0077CB0FF1909B2DAA4AED09C4CDD5610E0AD8F25E5D14
                        SHA-512:DC555F9EE225E6F53A07189E491DE4EBE515AB75FB20870D46004770B77E5FB78CEE14C8B4B084AE23246E71075C9F3121E00FC42DC82B9E80319B00E217FBCD
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):32024
                        Entropy (8bit):6.548810949759388
                        Encrypted:false
                        SSDEEP:768:2u5I+sqOylryry8qqIfUc7a58YiQTAMxkEkI:2YIVBpry8qqIfUcm587QTx4I
                        MD5:2FF960CA0F5808208E9C97EDF2FF815D
                        SHA1:D2E08A4550F6F27CD84EBBA21C7961526E180320
                        SHA-256:8586DFD77747008CB22554B00802EA1F4B3595E4345BA43FE014F9349232B9F6
                        SHA-512:50D1060D90EFB36A52ABDCD3A225AA1664FF53AC232C079BA7268D13D47FA3B6A1B14C8819FBEAAC0DD125BD0B24B00DDF0C051D00A74F6966881F2515850C35
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.878714730010423
                        Encrypted:false
                        SSDEEP:384:wvn4HREpWiQWHIYiQ3oaAM+o/8E9VF0Ny9xs:HSGYiQBAMxkExs
                        MD5:86546DFEC3750FA5377275C51D375EE9
                        SHA1:1DC59F2E486B5C84EF32C36186F3B8E9A38E7CCA
                        SHA-256:A1CA48C35C577EB51DA7700D0A5F5523F56CE44D6E5BDE47FE78FDBE1E9F9739
                        SHA-512:7F6D542307F00A1088D0200D78DA2F289CCF47FA83D687128E5803EC215CF0E419DA035B3683410417DD6C232686A1D11C6CF8EA2B5689F6BE533C492E8FD9E3
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16664
                        Entropy (8bit):6.780781994334352
                        Encrypted:false
                        SSDEEP:384:q8MjKb47T3UCcqFMkJ59WdtWoIYiQ3j/C2AM+o/8E9VF0Nyo/kIw:3MjKb4vcGdOeYiQO2AMxkEFL
                        MD5:BA7CB6321380082469D29A414BF8E3BA
                        SHA1:A616292021F3F08ED61DD88BE8C94908BD2D7495
                        SHA-256:8DE6EA6456011E7D56AA79F7FD925C62D665117324A312724E0744A6A5D86BF0
                        SHA-512:246BDC3B9D7F5546E02C1835368B7D64BC31742A766AE2844E32381D33BA971DA683F615939CAE87DF6FECAAB0E3C2618B65FE61036E35904AFF682B30AC2C11
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.869397186829087
                        Encrypted:false
                        SSDEEP:384:pzyNXd4+BW6FWZIYiQ3IUUAM+o/8E9VF0Nyr:0zFYiQ1UAMxkE
                        MD5:5BAEB4A9FC79FE62D388F5B523F7977E
                        SHA1:D45DF7FEBAAD1D56D8E2FC234A53BDBE7EE817C5
                        SHA-256:4E505DF1AD228F4372FBA7AF847EBFA80566CE1FDDFDF4954BF7FE8820CB29B1
                        SHA-512:4B3BB05A96D841D61C56EBDBD58D37F972D4343EA4BCF0CE510CD9E6C3C03A9D1A9C3472427CE34A043160792D24676E7D437CF99E69CED5063A55F63795EFDB
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.866724017748257
                        Encrypted:false
                        SSDEEP:384:qvs2Q3HKJNrWWRWZIYiQ3kPQXqwAM+o/8E9VF0NyAuHc:quMVYiQ8wAMxkEFH
                        MD5:53BD3D7540311C9EF57358C28390E465
                        SHA1:E2962EB1D68F924F1965CD2A53B3DF403A8F9EFB
                        SHA-256:C59B4CBA9E2EA0A0B56D6B71DD72D551F724B85E738698884E00BD27DD879494
                        SHA-512:F28686EF16206F7B009276E747A9F04C1D05CEB45FF2E8E231C4D4F47AC62A3947DEBA31238324385988FFB1CE8C4802C43E74C3A511DD7F7ACF138196948BDA
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.839501992789332
                        Encrypted:false
                        SSDEEP:384:fFz0Q6gcqRhcsMWdMWDIYiQ3wg+hAM+o/8E9VF0NyY2l:fFz1c6iYiQSAMxkENl
                        MD5:54A40384640585D72B0DA7AF85853231
                        SHA1:29EBCCE4318337DED874A4C1B0FF8DD3D104FEC1
                        SHA-256:18C793A59F4910548E49A1A353DF775769EBB73B965501965D19B183F1D4B340
                        SHA-512:089B7C3686F45FAF999D6B98682D9735A7F4D2A4017ED2118595AD7E8CBCC1881ED9F75E044C7C874905ACED9CA48A62CB333A18F119F24B36F01ACB655F83CB
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16664
                        Entropy (8bit):6.733503432066376
                        Encrypted:false
                        SSDEEP:384:i6xWA3W4aW/NWFIYiQ3xOECAM+o/8E9VF0Nyv:iaBpYiQ8nAMxkE
                        MD5:A60870497F1C3E853A0B992A173047CF
                        SHA1:7349FD87EB60B21ABC9AA63341D92D2B605E80C0
                        SHA-256:1FF8A607E925ED48A14DCF9DF9249D16D7447ED4FA4D88E51ED4BA8A4C5142C2
                        SHA-512:2AA427502BB8311C1C3FD7BDF9E23263EC71EA29EF01ACA183700936D5B54C2C828E2ABA658C044F651A7F64784CB9848AF467C0E85BA659B6B6452BE2682446
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):73496
                        Entropy (8bit):5.9275817365118835
                        Encrypted:false
                        SSDEEP:1536:FIumja0tbe16pSc45EfL+4vD4SuJbhjXuE3FMqF1KAy4kHo05ureseh7907Q/x3:FIuAaGbeGq5rKASI0ICh0MN
                        MD5:00DAB9DD6FCD9C843DBFF3AA7F93377C
                        SHA1:B6159BA7547E591405B751D48AF5EF2C515CC1BC
                        SHA-256:41A3363DA4F7FD225806FFEB90F49E2227F8C303EDA9D8BD5052E53300C9DFB5
                        SHA-512:AD0C061CBB8CC424024198FB0C9016F5897D7DCF9FC390A91BDCB523F79C207ADC2B4D67068F6398A075B46E6C42EE1C15E71EA7A168EC362A0B8E4BEFD0C8EC
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.85723470123121
                        Encrypted:false
                        SSDEEP:384:er97WquWbIYiQ3fSfAM+o/8E9VF0NyE1d:eRJ0YiQQAMxkE2
                        MD5:6D2530CEA31BD19744070FA976B1388C
                        SHA1:2EB4B8E924CF1330A2B2FE660708C860D6667CCE
                        SHA-256:9EDAAF4C3F20DC1AC52E19209DFFA30D876614EBFACFC2FE035CAFCDFBF807E5
                        SHA-512:B61B8A7F0D23BF43962C5A2420C84156B322F1191FA4EB88C1FF195BB983905E9AC177653463189FB62E8DE11482D29DDD9501013AF58695E4531551E3DFA93C
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.80554960390915
                        Encrypted:false
                        SSDEEP:384:616eWLDWSIYiQ36/hAM+o/8E9VF0NyYx:26LuYiQWhAMxkEk
                        MD5:A21478CD545FBF3C2CCE002595ADE4E1
                        SHA1:BD58B505FAC592F65A756589B47743524550AF77
                        SHA-256:9AB14D021C0B8552C5503BCEB49E276B5A909ACD0AE5E07615303702AA958F1F
                        SHA-512:8477511F63D68BC232A7F3921098B44A19F8AAF3383AD8CF04EB1E6C5101A0F0FD3E464FA00DF7F415BD7963745A560E7E6E7C80052140A0A5DF323349DF2AC6
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):17176
                        Entropy (8bit):6.800575021746729
                        Encrypted:false
                        SSDEEP:384:p8G4YC2W+wW8WpwWyIYiQ3EZu3tAM+o/8E9VF0Ny3sM:mGZ5JYiQmu3tAMxkE
                        MD5:6E8D5477AA018E5AE1756C198D90FBB4
                        SHA1:565F5A4F1E9DF88DFFE436EF85D12031A19B695A
                        SHA-256:8163AD79D846B265EDE18B72C13E73945D4510E8E57CB6FCB3F93540E2461A90
                        SHA-512:249AE11B580041F886EBCCEFB254C07F936E308C2E2276D768729A12C99F33170C6788445773AC14FA67C5FCFA26042FA276F4D54DC5ED0EFB9F9125774584B0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):15640
                        Entropy (8bit):6.907256348680271
                        Encrypted:false
                        SSDEEP:384:06ziqTEkGWvRWCIYiQ3V/hAM+o/8E9VF0Ny/g:0YT1cYiQhhAMxkEG
                        MD5:AF9E4EEA468D978B92D39D72218B5FDA
                        SHA1:C1A774A21B821A8B70C64631C340CD78DA145EF9
                        SHA-256:30D078EC3E35D67DDB5A80E76179F7E77F0293ABD58985A6632A938D60ED0E7A
                        SHA-512:A5FD65CBE803FD9EBB491A1453C8FB06377BA46341B64B11700BD32DF8FFC82A8E2EFBE277EFFF7C1DCB04DEFDCB889CD3D11D3B40515EF81919107C6101A913
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.817700460559589
                        Encrypted:false
                        SSDEEP:384:FUv7c7iWNCWAIYiQ3ODSlAM+o/8E9VF0NyOIx:FM7c1VYiQ+EAMxkEv
                        MD5:DEB330E56E95C455D9FF63DF4DC55E1C
                        SHA1:D858047D7BE4D8BE33D064113373F1063542F656
                        SHA-256:4BB0229DB80C6F69C4A00BDAD4372D0C8EF842A88446E0F8A7A7E2298549F9E3
                        SHA-512:AB6AF46D4C137001F0ABD4D9EDB7FDA32F6AC3AE2C15092DC55814461BC81E1D4F0F16B835F0E46B41FF08C2C8BF108E289CCEBFEC00C6EE7EDC702DE6754E78
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):16152
                        Entropy (8bit):6.860916927726189
                        Encrypted:false
                        SSDEEP:384:/SWnRWuIYiQ3/bAM+o/8E9VF0Ny2Lt3oh:/zsYiQjAMxkEKt3
                        MD5:16FCD714077DB0EF4CDB8B344457EAB4
                        SHA1:582041E74A55C948C72DECEBD81BE9E5D3F62DE9
                        SHA-256:5EF45543972814C96A484A5F56EAE41C9BB5E5B9D308054B660C631669EFCEBA
                        SHA-512:A93C7E879C023E4C4E36E1F424239F13D4788975E8634667D667F491929E85649E361F1EE43BB6B96FF7DA1BA2B172B8F20A6543E047FB31C04669963CAB849C
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):20248
                        Entropy (8bit):6.6725038383477
                        Encrypted:false
                        SSDEEP:384:KfNieVZaksEEwXJj12hIYiQ3VSLwAM+o/8E9VF0NyNy6:2XJj1xYiQMcAMxkE
                        MD5:7108918DEE88A4BA1755661D41BB22F3
                        SHA1:11C88D7C7AED6B01C0B34CC7C81A99C20CF8D90D
                        SHA-256:A1AEE048D351B8D2F6E2A3FDD43F9966DC4E01B393345F86498715D607AAB472
                        SHA-512:EA1C56ADA9A315096C1C9D6D7AEA0F170535A5D0C5CA73D3FFC406C5B0DC10522E005DE818871B4AA0ACD463ADBF844BBF357C7D1F78A4389932D57CC2B0404D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):189
                        Entropy (8bit):4.975451013309139
                        Encrypted:false
                        SSDEEP:3:JLWMNHU8LdgCzMvHcIMOofMuQVQDURAmIRMNHjFHr0lUfEyhTRLelFvREBAW4QIT:JiMVBdTMkIGMfVJ7VJdfEyFRLefJuAWq
                        MD5:DA0EED2F114F1288C8DE452D5B95596E
                        SHA1:1CF8A57C6DF6C309F373A2114A88B980A49D03E5
                        SHA-256:AE5E7FA8373B273FAD07E0486CEBFD88C18F9517BA609C2B8E6534F5D9E53DCB
                        SHA-512:A2B2F1CD8A772AA3EF074864DD1CE8A37FDB2A1A811B476DFB360F1C71FC787560E9F188916E2C73B290EDA74A56251DDD8EF85DD462515DF12D2E073DA9CF38
                        Malicious:false
                        Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>..</configuration>
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MSVC program database ver 7.00, 512*51 bytes
                        Category:dropped
                        Size (bytes):26112
                        Entropy (8bit):2.404591342759292
                        Encrypted:false
                        SSDEEP:192:9P3APpAPDAPpAPthp1VOj9KbXouYVIMIhTbbOEe4QsENbpe4qgM:BMKgKbVOoPAi
                        MD5:0151FC741197C424E672E759DB5BDA70
                        SHA1:2647089388A60A10159ECF7AE491C701A36110C8
                        SHA-256:7428A28A358CD23C0483E7DD934248DA83F60E5385D3CDB0DE33A497AFDC2066
                        SHA-512:D2F047ED16F4A54EECAFD0CAE68EC257859FD705FCCE84BE34FFBE531C1BD849788AFFC20B0DF65FED512C60A9145B30DF4F99F24B65FFDF0730EEACDC69B65B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):24064
                        Entropy (8bit):5.436377150873873
                        Encrypted:false
                        SSDEEP:384:nOeNiCPJ8d//4CMSKtmVbFhFMTuzO3zoVOgvevU3+uARkArvLU8Wyt:/x8d/i49z7cgWvwARkwvLU8
                        MD5:D0854E8DB0D1AFBDAB9CEDB8464561A7
                        SHA1:7550E1257E2D243AC0A12439D2A55C74718753D4
                        SHA-256:363DC1FDC0C50618C9049F87BF6E2C6EB9D9CE4AC08960373BF778EF854D78AD
                        SHA-512:CAF5CB38121FE12A560CEBE4E1AC3266AEFB3C7AB0635EFF26D1AB7DE8CD349F52CB8F9FD4F8E05CF6E496FF07083961881517298FF80A07691B22EF2B317A3D
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):5773312
                        Entropy (8bit):5.68640191645299
                        Encrypted:false
                        SSDEEP:49152:OVINVwJzGKybK12T5yb9ksyZWPsADcn0XjOTQVm8fGwoAIMHFqG:/NVwJzVSs+Wp4xyD
                        MD5:2B71864142900544334292C45C9A9A21
                        SHA1:763865F2163F8B3A294BB156D1E36B9E73A9EBAB
                        SHA-256:94687C2812CD4B0DF1F93C3D083BAA730CAB07E9D9C3931FA6557C808BCEF49B
                        SHA-512:DD73C7832A2B43774D18A83AC08CEE5A6F7D76F870A98A344B3FDD1DE61CD9B7362D31009F443592F138EFFB9ED7CDD9E4F8A7282C699B7AF3F434ABE74F215E
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):174080
                        Entropy (8bit):4.838714488862786
                        Encrypted:false
                        SSDEEP:1536:BXlu9HOsrxLLC581nfkhTf85SfD/8E8pMyF2fIK2E3ZMrf/GXTdXg7A/w:b41x7v54sMyov2+Mrf/GXKA
                        MD5:6AEB1C3E0470912D776EF79DC180AEF6
                        SHA1:C35A83124548142B7AF868166EEB9B9A8DEDCA03
                        SHA-256:249D4EBDCB399002F7B6DCB50384AD0DF3AB6A7CF7087161EDA4E43052128E6D
                        SHA-512:3AA0D6D8BFB0788353A85E5C0F88B0D0B0CD80F200C78932D8BD4FCF0711EF6577F9C3F4036BB88A4EC7BCF58ED2C4A48FC003324B47A0FAB51E2A1B73436DE4
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):92952
                        Entropy (8bit):5.492555957913617
                        Encrypted:false
                        SSDEEP:1536:22Ec05j4eAH64rh5fSt5T9nFcI94Wh7Qvx:1lK4eA7mDmWhM
                        MD5:EAE42DDC05583089A3857A403557BE23
                        SHA1:7DD660FC30CA49FE11D7EE31032DD3BA07278DD8
                        SHA-256:1D09A9E4F9FD19DB4062A7117603B4D06771C9D3EBE7423DB9619A51A169DAA6
                        SHA-512:323231BA235BEE4F244A3C1B7815E8101010B3E33E065110A5CC35981E4AEBF7547A118F17135C8512EDBF54F8EEB5D1A5B76CBCD5CAC0FF7D1159728B6A7B26
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll, Author: Joe Security
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):39192
                        Entropy (8bit):5.110314901377917
                        Encrypted:false
                        SSDEEP:768:f+ZpbHSTTUa8x+qvvIojhPYiQQdrAMxkEw:f+Zpb8T2x+CvP7Q2Lxk
                        MD5:5D60C7C7D829671BA2F18D4ACD514801
                        SHA1:AB530AC1C3BE8CB757329F018CC7666ED8650309
                        SHA-256:D3631E8D6FE5899FB03C9CAD168355492C50C89602EC9E142087CBA344958E50
                        SHA-512:8747DB85C1CDD9D1616BAD243D011CA8DC04D39538FD61FC7735888CF5941A86BB38238212A4725B69AB6E21F30A0E9DF9998CA893ABCF91B0ED04AFF2B3A112
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1552
                        Entropy (8bit):5.186308371779243
                        Encrypted:false
                        SSDEEP:24:CBc6mGOPDSgJqX7Blu7BW7BhXli/3g/EXOOVyOpzU/OVdEisFJROVyOLJX:0Vg8X7Blu7BW7BhXg3g/EXNiAXaYH1
                        MD5:121B6A8B1EB8AC1E00DBADAE6AA64BDB
                        SHA1:F673C058A5424B15D373B5A0887C59517988A044
                        SHA-256:AA87F20FC3BDF08B632DF62E421C2E98ABC3C9F3565108C81F053D7E875234E4
                        SHA-512:8C0EF3527787E686A9DC8D48318E99F429BA8E8CAEDEE4C689A853D78187BFD23A7F9B9939B0440479B9AD23D69E7C790EFF23F19340EBEA7F8F2CE53837C2FE
                        Malicious:false
                        Preview:@echo off....setlocal....set "DriverInfFile=vacscbkd.inf"..set "DeviceHwId=ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5"..set "DeviceInstId=Root\{aafa5613-1d56-4309-9c3a-c3911d766be5}\0000"....set Mode=....if /i "%1" == "install" set Mode=install..if /i "%1" == "remove" set Mode=remove....if "%Mode%" == "" (.... echo Parameter 1 must be "install" or "remove".. REM pause.. exit /b 1....)....if /i "%PROCESSOR_ARCHITECTURE%" == "x86" (.... set ProcDir=x86....) else if /i "%PROCESSOR_ARCHITECTURE%" == "AMD64" (.... set ProcDir=x64....) else (.... echo Unsupported architechture %PROCESSOR_ARCHITECTURE%.. REM pause.. exit /b 1....)....for /f "tokens=2 delims=[]" %%S in ('ver') do (.... for /f "tokens=2-5 delims=. " %%A in ("%%S") do (.... set /a Ver1=%%A.. set /a Ver2=%%B.. set /a Ver3=%%C.. rem set /a Ver4=%%D.... )....)....set InfFileSfx=....if %Ver1% LEQ 6 set InfFileSfx=6x....for %%F in ("%DriverInfFile%") do set DriverInfFile=%%~nF%InfFileSfx%%%~xF..
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):11415
                        Entropy (8bit):7.16083998344546
                        Encrypted:false
                        SSDEEP:192:qAnS5fRPFJC43ngEw9JPgXkhYCJxobQo21EhqnajTFASwlA:qA87XuLh3JxCQrsl3FA5A
                        MD5:5676894C48A102867C178C55BA9FDA67
                        SHA1:EE74D4BFA8A9D73261D3FB55D125DE6E3F49AD0F
                        SHA-256:74632BF0BE064DE0185FB59718B706108F1AD525CF554D423614E9C74F5CF5DD
                        SHA-512:D715A43A417E5C8874641AA1792F31B5918B9A81EAD7C39CC475DF3FAB3F484E20A7E9F7DF93BA7B0B4FBB9C0C507FECB46F8C76CD6A95DA2F39882BFF199AE2
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Windows setup INFormation
                        Category:dropped
                        Size (bytes):2927
                        Entropy (8bit):5.065642316551494
                        Encrypted:false
                        SSDEEP:48:fzlvb2Qb2ncb25AMPHwuTHYH9ewl9P8uPtS+iSFEY0dPFi+8PBDx:L8NnhZSkFwPBt
                        MD5:33262035005119B64E258A3B28415ADD
                        SHA1:FDA3AF6BBAC88CB53C282A916232FD442887084A
                        SHA-256:781BC7498AFA165364E09E8F5264B609C15233AFBDC95C413A966212F8D0FC1D
                        SHA-512:85CD2EB68DCC51A3A2695C4C122EAE348EED9D6F9251694804C200CD3E1C6944E97E44B37321ABA2E4EED03183A2811396DA99D57B64E3837EE27E5ECCBC5F70
                        Malicious:false
                        Preview:[Version]....Signature = "$WINDOWS NT$"..Class = MEDIA..Provider = %VendorName%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 04/19/2021, 4.65.0.11554..CatalogFile = vacscbkd.cat........[Manufacturer]....%VendorName% = DevSection, NTx86, NTamd64........[DevSection.NTx86]....%DeviceName% = DevInst, %HardwareId%........[DevSection.NTamd64]....%DeviceName% = DevInst, %HardwareId%........[DevInst.NT]....Include = ks.inf, wdmaudio.inf..Needs = KS.Registration, WDMAUDIO.Registration..CopyFiles = DevInst.DriverModules..AddReg = DevInst.AddReg..AddProperty = DevInst.Properties........;#####################################################################..;..; Services..; ========..;..;#####################################################################........[DevInst.NT.Services]....AddService = %ServiceId%, 0x2, SrvInstSection........[SrvInstSection]....DisplayName = %ServiceName%..ServiceType = %SERVICE_KERNEL_DRIVER%..StartType = %SERVICE_DEMAND_START%..ErrorControl = %
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):12070
                        Entropy (8bit):7.457999528354426
                        Encrypted:false
                        SSDEEP:192:n8qp5UMQVMeKazCKVHGzexo44/VUVFKmqdBC4/C+Q3ISVSWMZMQ3bRg:n+MQJK2CKVjy/VUVFheCGBk7/UMQ3ba
                        MD5:FA12FB4E8459A07B36C5A95FD167D077
                        SHA1:99E0B4900057767ED7FFA71A082D8D3AE22AA3F3
                        SHA-256:176FF202131A269A36EDCA62C2F1DAEC1DB8BBA1EC3F480572B48D6434A12727
                        SHA-512:BA97E1805D05C23DA4A4AC88995D9F7DC0018D5B7289B040FA1B5F7A43CB89A4F62EFBBD81037078F86BE843C71CCE3C4DCA0B701680156885F7D42E096E3BFD
                        Malicious:false
                        Preview:0./"..*.H......../.0./....1.0...`.H.e......0..x..+.....7.....i0..e0...+.....7.....3.Q.."\@..k.i5.W..210419120904Z0...+.....7.....0.."0....R1.2.4.6.0.1.D.C.A.5.5.1.4.D.E.5.8.E.3.2.A.3.9.2.3.F.3.1.9.D.E.E.3.6.C.9.8.3.8.5...1..0M..+.....7...1?0=0...+.....7...0...........0!0...+.........F..QM.2..?1..6..0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R8.A.0.B.3.1.D.D.C.7.2.6.4.8.D.1.2.3.8.8.8.4.B.E.1.C.6.3.9.B.4.7.8.8.D.8.4.B.B.0...1..0M..+.....7...1?0=0...+.....7...0...........0!0...+..........1..&H.#....c.G..K.0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RC.1.4.8.F.B.9.6.6.5.0.8.6.B.8.C.4.0.5.A.E.5.5.2.C.8.A.4.7.5.D.3.5.B.6.2.C.B.E.A...1..0E..+.....7...17050...+.....7.......0!0...+.........H..e.k.@Z.R.u.[b..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}........0..N0..6........._....5+de.j0...*.H........0W1.0...U....BE1.0
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Windows setup INFormation
                        Category:dropped
                        Size (bytes):2929
                        Entropy (8bit):5.0674748908058245
                        Encrypted:false
                        SSDEEP:48:fzlhb2Qb2ncb25AMPHwuTHYH9ewl9P8uPtS+iSFEY0dPFi+8PBDx:LmNnhZSkFwPBt
                        MD5:D07F07C26859DAB89970D4AD96D3F108
                        SHA1:C148FB9665086B8C405AE552C8A475D35B62CBEA
                        SHA-256:8B8A375ED4FEE5F3BB2CC42543409A0ACC6DDFB8FD5A1EF8F235442D54ABDD13
                        SHA-512:7EAD667ECC295857988F0192ED30904A5CBFBF5180742E54F3DB890CF7903379D11FE3FCB2718908A6948B94D6D3BA5FF8B6F917190A699CD6A3C963C1857E3C
                        Malicious:false
                        Preview:[Version]....Signature = "$WINDOWS NT$"..Class = MEDIA..Provider = %VendorName%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 04/19/2021, 4.65.0.11554..CatalogFile = vacscbkd6x.cat........[Manufacturer]....%VendorName% = DevSection, NTx86, NTamd64........[DevSection.NTx86]....%DeviceName% = DevInst, %HardwareId%........[DevSection.NTamd64]....%DeviceName% = DevInst, %HardwareId%........[DevInst.NT]....Include = ks.inf, wdmaudio.inf..Needs = KS.Registration, WDMAUDIO.Registration..CopyFiles = DevInst.DriverModules..AddReg = DevInst.AddReg..AddProperty = DevInst.Properties........;#####################################################################..;..; Services..; ========..;..;#####################################################################........[DevInst.NT.Services]....AddService = %ServiceId%, 0x2, SrvInstSection........[SrvInstSection]....DisplayName = %ServiceName%..ServiceType = %SERVICE_KERNEL_DRIVER%..StartType = %SERVICE_DEMAND_START%..ErrorControl =
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):171544
                        Entropy (8bit):5.144201025595193
                        Encrypted:false
                        SSDEEP:3072:nuQ0x55l3sW/GuUCxgJ4Ij+5I4sHFOZTDDaDVXx+ECq:nSxbZuQgulC4sHFOaXx
                        MD5:AD9BFFA5A4628861E3F26AC346CD48A9
                        SHA1:8556B7C3A15AE76D7264E3CF07910BD20EF1E80C
                        SHA-256:349337C2B77F987F54461D9980BA06495DB1451D47B2C756A3A03BA6D31411FB
                        SHA-512:E9AC2AF35EBD4CA5DD118ED9616A5344A715AF216E3ECDFF41D93D13B194C77E0925AD233F6B14C3642124BE53C8C7B9B292ABB3F87A7A8464D20CE73D9C3E13
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PV.L.7...7...7...OR..7...OO..7...OI..7...7...7...OY..7...O^..7...ON..7...OK..7..Rich.7..........................PE..d....r}`.........."..................f..............................................5.....@.......... ......................................|...................,....r...,......h...P................................................... ............................text...|........................... ..`.data...............................@....pdata..,...........................@..@.rsrc...............................@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (native) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):222072
                        Entropy (8bit):5.804502367233001
                        Encrypted:false
                        SSDEEP:3072:YB1m2wrx1VKY72mPKO0x/icVbbOnRhTjuax+KU0jIruawI906bLqhg:ym2ORPKUcVWnHqnKUdhwIutg
                        MD5:79F9861A0DF7104FEEF268498E811713
                        SHA1:A811773C25D920E6BF7B3CDECB895C99D0612C54
                        SHA-256:78936EE611D9DE99D96711E23A736C2F5FF8D82B9044C7B50F416BC599DF35E6
                        SHA-512:22AFF07D8B267E2071BED597E542F6777B232877D28F1E27C26A0007CD12EEB5CF0D5A05865B49551E980295DB7D049FA2244C23DF5FB5CB6ABCABD3A6314963
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................3.....5............%.....".....2.....7....Rich....................PE..d....r}`.........."..........D...............................................P......V...... ....................................................d............`..X.......xU...@..P....................................................................................text...\........................... ..h.rdata..l...........................@..H.data...d....P.......<..............@....pdata..X....`.......B..............@..HPAGE....2............^.............. ..`INIT.................`.............. ....rsrc................l..............@..B.reloc.......@......................@..B................................................................................................................................................................................................
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):153624
                        Entropy (8bit):5.25201729531026
                        Encrypted:false
                        SSDEEP:3072:o1kBmhlHK7tYi3v5cfLWEbp9FzeF+7xegoHq:HBcJs/+zA+7xv
                        MD5:92544DA55C0757D9D744D4A08C050326
                        SHA1:2EDDACBC3D0C148141D969EB1522D84BF0543E36
                        SHA-256:7A37866D3907B636D9526414F2BE2A800DDAA21B8829BFE7BEA549473E421B54
                        SHA-512:667139084EB90F8AA35B127F7BD9095E2031EA37B7B134333F5ACEA437724C9303C8A519562C4FE01836857BEF95949E524F16C282FCF61EA00B66644B237F25
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M.................................................)...................Rich............................PE..L....r}`.................N..........p........`...............................P............@...... ...........................P.......p...............,...,...0..........................................................|............................text....M.......N.................. ..`.data...D....`.......R..............@....rsrc........p.......T..............@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):190328
                        Entropy (8bit):5.902831736440124
                        Encrypted:false
                        SSDEEP:3072:rSTpXKD1n5ezPlXUw7MZMQ+xonXSukakW+HhvqtJ:Pn5e5kMMfLnXSukaNJ
                        MD5:09045E437761DA7330051D73ACE4A50B
                        SHA1:393370AE29298BC008FFADDB2BF98A6A63BACAAC
                        SHA-256:CCC8EA107515C0EBA76AC2B9ECAF68F85E19E6D825C946F723A12224802B38BB
                        SHA-512:552B70CE7FFD85E41FFE50CCCE323D91A0B25BFE9A5CDC6A6CA60965FF1D21BDA7C3979D29CD0EAEE7CB1BE34366687F89B2A1B4A279CD62BE635172557C8AE3
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......""..fC.fC.fC.fC..C.o;t.oC.o;r.nC.o;d.`C.o;c.\C.o;s.gC.o;v.gC.RichfC.................PE..L....r}`............................................................................\'..... ....................................d.... ..................xU..............................................@............................................text....u.......v.................. ..h.rdata...T.......V...z..............@..H.data...............................@...PAGE....1........................... ..`INIT....@........................... ....rsrc........ ......................@..B.reloc..X............|..............@..B........................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (console) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):30320
                        Entropy (8bit):5.90570007486787
                        Encrypted:false
                        SSDEEP:384:lHa22nq7FZhYCb1FbHr3yV6x8MObXjhrI8oLbzsFA0/GDGwDbh:xaZn+ZhN1RHuVmGubzs2DGsbh
                        MD5:13D95C331BCFB3F6D7CC24229E5A5AEE
                        SHA1:8E2FF63978F745E4365E4A6BF510F0494CD8D173
                        SHA-256:AEB7EE052321C77A78132B2D74C58EA8E9AE3651C40939D998DB95FABE56255A
                        SHA-512:8BBA05E7FE33435E2267537B6129EAF1ED2E6B2E4AD2F8FB9D5F124481C9F6DB1A4D5D31E851E0F6216913F4CE5815EB16284CA03E27116826A0C39006514B02
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g:..#[..#[..#[.."6..![..F=../[.."6..![.."6.."[..*#b.&[..#[..a[...6..'[...6.."[...6.."[..Rich#[..........................PE..d......`.........."......(...6......0(.........@....................................'y....`.................................................PV..........x....p.......\..p...........`S..T............................................@..0............................text....'.......(.................. ..`.rdata..z....@... ...,..............@..@.data...D....`.......L..............@....pdata.......p.......N..............@..@_RDATA...............P..............@..@.rsrc...x............R..............@..@........................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):30832
                        Entropy (8bit):6.201578076414463
                        Encrypted:false
                        SSDEEP:384:1gf2tTNqOvDzfnAGEAToFnDSy5NyuVEAsQNxd+A0/GDGwFFBh:1/zfnAGEwo9+ybEAsebDGGh
                        MD5:0F01442195D5273B6EC07EBD4930E234
                        SHA1:B527CF7281903B61F2933885A11C4FCFDE1F73D6
                        SHA-256:103FB48D168E992EDA3BADD679167DCCE4A95F0380505169CCE313006CF547FE
                        SHA-512:9647E8971D59F4127807560793BC58EEEC882C99BB1E96EE12AA8AB8F844B9E4669ECE866C433F27D9617237A0ACB5BB6A52BDF26C9E5FEE6DCD097B908D91B1
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g:..#[..#[..#[.."6..![..F=../[.."6..![.."6.."[..*#f.&[..#[..`[...6..'[...6.."[...6.."[..Rich#[..................PE..L...x..`.....................2.......&.......@....@..................................a....@.................................$S.......p..x............^..p.......h....Q..T............................................@.. ............................text...d,.......................... ..`.rdata..6....@.......2..............@..@.data...8....`.......N..............@....rsrc...x....p.......P..............@..@.reloc..h............Z..............@..B........................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                        Category:dropped
                        Size (bytes):2615
                        Entropy (8bit):2.6189385541778747
                        Encrypted:false
                        SSDEEP:48:8hI7PYftDpjd/DcsdSv5/Dcmtbl9ZSpgW/Dc:8hMPYxnbM5bbtb/3Wb
                        MD5:DC3A29C65C695744F4D5A5050789B766
                        SHA1:A68F50FB24E0F7CF8916B8140E15CAA22C198F8E
                        SHA-256:5C8C904C1A6F82B7D1D5B73F61B27EA35303BDF30FB093B427483734E114F61A
                        SHA-512:08D5802D14F08718E32E5721B510A440E25DCF385E8347B200CE3F5F661096BA7302BB8DFFEAE1243B9A276D8B8641B47ADD140CEDB18CA5694C2A4778CFC65E
                        Malicious:false
                        Preview:L..................F.P...........................................................P.O. .:i.....+00.../C:\...................V.1.....DWP`..Windows.@......OwHmW......3.....................q.-.W.i.n.d.o.w.s.....\.1.....mW...Installer.D......O.ImW...........................R]D.I.n.s.t.a.l.l.e.r.......1.....mW...{C6004~1..~......mW.mW......H........................{.C.6.0.0.4.8.6.B.-.8.1.2.F.-.4.9.E.D.-.B.0.C.B.-.A.3.F.0.8.D.9.6.3.5.0.E.}.....j.2.>B..mW.!.SCREEN~1.EXE..N......mW.mW......H........................S.c.r.e.e.n.B.e.a.m...e.x.e.........S.c.r.e.e.n.B.e.a.m. .C.o.n.f.e.r.e.n.c.e...e.x.e.\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.C.6.0.0.4.8.6.B.-.8.1.2.F.-.4.9.E.D.-.B.0.C.B.-.A.3.F.0.8.D.9.6.3.5.0.E.}.\.S.c.r.e.e.n.B.e.a.m...e.x.e.+.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.S.c.r.e.e.n.B.e.a.m.\.C.o.n.f.e.r.e.n.c.e.\.a.p.p.\.J.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.C.6.0.0.4.8.6.B.-.8.1.2.F.-.4.9.E.D.-.B.0.C.B.-.A.3.F.0.8.D.9.6.3.5.0
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:CSV text
                        Category:dropped
                        Size (bytes):651
                        Entropy (8bit):5.348956889965525
                        Encrypted:false
                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6KhaOK9eDLI4MNOK9XGK9yiv:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoM
                        MD5:7CFF259EE7A28D8B8BA9D28BE3288747
                        SHA1:89023672C346B4101410DF25D4CB42BD3FB38285
                        SHA-256:D6EE41ADE037CF4F71E67C00CC8A98EA5BD5A6E3370CD36093EBA31DCE7B421A
                        SHA-512:34224680DE9604686778FC1B4C3DAF83A47A248F6431E1BDA97F753043D760B701F8A5BB8BE0AA9FE16995C75410FC3336CE5E4A88F47EE6DFB9344912C1F0CA
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..
                        Process:C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):42
                        Entropy (8bit):4.0050635535766075
                        Encrypted:false
                        SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                        MD5:84CFDB4B995B1DBF543B26B86C863ADC
                        SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                        SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                        SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                        Process:C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):42
                        Entropy (8bit):4.0050635535766075
                        Encrypted:false
                        SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                        MD5:84CFDB4B995B1DBF543B26B86C863ADC
                        SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                        SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                        SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.>..>..>....w.>....u..>....t.>...V..>...V..>...V..>..F..>..>...>..>W..>..>W..>..>Wy.>..>..>..>W..>..Rich.>..........................PE..d....o.].........." .....R...........U.......................................p............`.........................................P....*......x....P.......0...............`..X......T...........................0................p...............................text....Q.......R.................. ..`.rdata.......p.......V..............@..@.data...............................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..X....`......................@..B........................................................................................................................................................................................................................
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...%;De.........." ..0.................. ........... ....................................`...@......@............... ............................................................................................................................... ..H............text....... ...................... ..`.rsrc...............................@..@........................................H.......LI..Hc...........................................................0...........r...po....~.....rY..p..r...po....&.r...po......"...%..,.o......r...po......"...%..,.o.......i..i...r/..po.... C............8.....r...p....(....o........(.........9.........o........r6..p(....,y.rB..prX..po.......+Z.....o....o....r^..po....,9.rj..po.....rB..pr...po.........o....->.....(....(.....+,...X.......i2.+......o....-......(....(........X......i?.....r...po.....(......r...p(.....,8.r2..po.....
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):726848
                        Entropy (8bit):6.4584085143991095
                        Encrypted:false
                        SSDEEP:12288:ogaGWXLiDt5i+jfNIQTVhQNvj3jAszYzGLwQq63Trzzt5O0Qn2enGCeoa:FrBT6vj3cszYO5O0Qn2oGCeoa
                        MD5:9863AD412FA5529D5A712EF228AC6E2B
                        SHA1:BDA741FD705277C29379B01100A162E922F76583
                        SHA-256:502CCBE31FE0F984A2FA0610EE6385A3E478CD866E19208E229B6EF8FCFB2934
                        SHA-512:8F64B1AC2423EB6EBBD2853A985711C030F54279599382B3CBC3DE4EBB90A98A0273172A85D65E5E78CAE419E928FB787715EA9F2C8285662C89B25D6B584CB0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):1126208
                        Entropy (8bit):6.47547142761303
                        Encrypted:false
                        SSDEEP:24576:tBbmgYewSBprKpygTqkg0z/f2sbQEiwiUt52wD5YqQc3w0RZqTkqMUM0zVQZo:tBflKp/Dz/f2sbQEidUt52Q5hz3w0RZI
                        MD5:821A9095657D59C7CD66C28B3FD50ACE
                        SHA1:AEF8A82D7D3DF689AF403BD0CCAB7ED04EC77609
                        SHA-256:D5411A4C65860343B846D5503686181D3487CC324FC0562B4E5F3CD1662B80FE
                        SHA-512:A885068D950307F1ABCF08DF41D3476174F02641105707EF3B81515D84F0F305DE84F6EA900421D250011EBFD4F3AFC1498CC4F3B14040E536CCB27FF6214C06
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~............."...0..L..........Zj... ........@.. ..............................].....`..................................j..O....................V..p...........Li..8............................................ ............... ..H............text...`J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................;j......H.......$...(;...........................................................0..Y.......(....(.......9......9.......o......9.....r...p(....-".r...p(....-@.r...p(....:....8.....(......,..o....(.........o....(............(......,=.o.....14.o......+...(....o....(......(....-...........o.........o....(.......{...i./.r'..p+....o....(....-....Zo....(.......Lr)..p...rK..p(....(......+1rO..p(....r...p..'...%.r...p.%.rU..p.( ...(.......*....4....X..q......................K........... ...
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ..............................*^....`.....................................O.......................(..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....X"..........."...0..Z............... .....@..... ..............................x.....`...@......@............... ..................................p............n...............x..8............................................................ ..H............text...aY... ...Z.................. ..`.rsrc...p............\..............@..@........................................H.......(3..tE..........................................................*.(<......*..0............R~...... ......r...p...............(...+}e...~............r...p......%...%...(.....(......... ..(&...-.r3..p......%.(.....(....8a...re..p......%..s.....(......~....( .......~#...(....,.r...p......%.(.....(....8....r...p......%...(..........~.......(....-.r/..p......%.(.....(....8............(.....o....(.....o....()...-.r...p......%.(.....(....8..........(....-.r...p......%.(.....(....+`.
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.>..>..>....w.>....u..>....t.>...V..>...V..>...V..>..F..>..>...>..>W..>..>W..>..>Wy.>..>..>..>W..>..Rich.>..........................PE..d....o.].........." .....R...........U.......................................p............`.........................................P....*......x....P.......0...............`..X......T...........................0................p...............................text....Q.......R.................. ..`.rdata.......p.......V..............@..@.data...............................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..X....`......................@..B........................................................................................................................................................................................................................
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...%;De.........." ..0.................. ........... ....................................`...@......@............... ............................................................................................................................... ..H............text....... ...................... ..`.rsrc...............................@..@........................................H.......LI..Hc...........................................................0...........r...po....~.....rY..p..r...po....&.r...po......"...%..,.o......r...po......"...%..,.o.......i..i...r/..po.... C............8.....r...p....(....o........(.........9.........o........r6..p(....,y.rB..prX..po.......+Z.....o....o....r^..po....,9.rj..po.....rB..pr...po.........o....->.....(....(.....+,...X.......i2.+......o....-......(....(........X......i?.....r...po.....(......r...p(.....,8.r2..po.....
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~............."...0..L..........Zj... ........@.. ..............................].....`..................................j..O....................V..p...........Li..8............................................ ............... ..H............text...`J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................;j......H.......$...(;...........................................................0..Y.......(....(.......9......9.......o......9.....r...p(....-".r...p(....-@.r...p(....:....8.....(......,..o....(.........o....(............(......,=.o.....14.o......+...(....o....(......(....-...........o.........o....(.......{...i./.r'..p+....o....(....-....Zo....(.......Lr)..p...rK..p(....(......+1rO..p(....r...p..'...%.r...p.%.rU..p.( ...(.......*....4....X..q......................K........... ...
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ..............................*^....`.....................................O.......................(..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....X"..........."...0..Z............... .....@..... ..............................x.....`...@......@............... ..................................p............n...............x..8............................................................ ..H............text...aY... ...Z.................. ..`.rsrc...p............\..............@..@........................................H.......(3..tE..........................................................*.(<......*..0............R~...... ......r...p...............(...+}e...~............r...p......%...%...(.....(......... ..(&...-.r3..p......%.(.....(....8a...re..p......%..s.....(......~....( .......~#...(....,.r...p......%.(.....(....8....r...p......%...(..........~.......(....-.r/..p......%.(.....(....8............(.....o....(.....o....()...-.r...p......%.(.....(....8..........(....-.r...p......%.(.....(....+`.
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.>..>..>....w.>....u..>....t.>...V..>...V..>...V..>..F..>..>...>..>W..>..>W..>..>Wy.>..>..>..>W..>..Rich.>..........................PE..d....o.].........." .....R...........U.......................................p............`.........................................P....*......x....P.......0...............`..X......T...........................0................p...............................text....Q.......R.................. ..`.rdata.......p.......V..............@..@.data...............................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..X....`......................@..B........................................................................................................................................................................................................................
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):726848
                        Entropy (8bit):6.4584085143991095
                        Encrypted:false
                        SSDEEP:12288:ogaGWXLiDt5i+jfNIQTVhQNvj3jAszYzGLwQq63Trzzt5O0Qn2enGCeoa:FrBT6vj3cszYO5O0Qn2oGCeoa
                        MD5:9863AD412FA5529D5A712EF228AC6E2B
                        SHA1:BDA741FD705277C29379B01100A162E922F76583
                        SHA-256:502CCBE31FE0F984A2FA0610EE6385A3E478CD866E19208E229B6EF8FCFB2934
                        SHA-512:8F64B1AC2423EB6EBBD2853A985711C030F54279599382B3CBC3DE4EBB90A98A0273172A85D65E5E78CAE419E928FB787715EA9F2C8285662C89B25D6B584CB0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):726848
                        Entropy (8bit):6.4584085143991095
                        Encrypted:false
                        SSDEEP:12288:ogaGWXLiDt5i+jfNIQTVhQNvj3jAszYzGLwQq63Trzzt5O0Qn2enGCeoa:FrBT6vj3cszYO5O0Qn2oGCeoa
                        MD5:9863AD412FA5529D5A712EF228AC6E2B
                        SHA1:BDA741FD705277C29379B01100A162E922F76583
                        SHA-256:502CCBE31FE0F984A2FA0610EE6385A3E478CD866E19208E229B6EF8FCFB2934
                        SHA-512:8F64B1AC2423EB6EBBD2853A985711C030F54279599382B3CBC3DE4EBB90A98A0273172A85D65E5E78CAE419E928FB787715EA9F2C8285662C89B25D6B584CB0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):726848
                        Entropy (8bit):6.4584085143991095
                        Encrypted:false
                        SSDEEP:12288:ogaGWXLiDt5i+jfNIQTVhQNvj3jAszYzGLwQq63Trzzt5O0Qn2enGCeoa:FrBT6vj3cszYO5O0Qn2oGCeoa
                        MD5:9863AD412FA5529D5A712EF228AC6E2B
                        SHA1:BDA741FD705277C29379B01100A162E922F76583
                        SHA-256:502CCBE31FE0F984A2FA0610EE6385A3E478CD866E19208E229B6EF8FCFB2934
                        SHA-512:8F64B1AC2423EB6EBBD2853A985711C030F54279599382B3CBC3DE4EBB90A98A0273172A85D65E5E78CAE419E928FB787715EA9F2C8285662C89B25D6B584CB0
                        Malicious:false
                        Process:C:\Windows\SysWOW64\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):80800
                        Entropy (8bit):6.781496286846518
                        Encrypted:false
                        SSDEEP:1536:FRk1rh/be3Z1bij+8xG+sQxzQF50I9VSHIecbWZOUXYOe0/zuvY:FRk/+Z1z8s+s+QrTmIecbWIA7//gY
                        MD5:1E6E97D60D411A2DEE8964D3D05ADB15
                        SHA1:0A2FE6EC6B6675C44998C282DBB1CD8787612FAF
                        SHA-256:8598940E498271B542F2C04998626AA680F2172D0FF4F8DBD4FFEC1A196540F9
                        SHA-512:3F7D79079C57786051A2F7FACFB1046188049E831F12B549609A8F152664678EE35AD54D1FFF4447428B6F76BEA1C7CA88FA96AAB395A560C6EC598344FCC7FA
                        Malicious:false
                        Process:C:\Windows\SysWOW64\msiexec.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):80800
                        Entropy (8bit):6.781496286846518
                        Encrypted:false
                        SSDEEP:1536:FRk1rh/be3Z1bij+8xG+sQxzQF50I9VSHIecbWZOUXYOe0/zuvY:FRk/+Z1z8s+s+QrTmIecbWIA7//gY
                        MD5:1E6E97D60D411A2DEE8964D3D05ADB15
                        SHA1:0A2FE6EC6B6675C44998C282DBB1CD8787612FAF
                        SHA-256:8598940E498271B542F2C04998626AA680F2172D0FF4F8DBD4FFEC1A196540F9
                        SHA-512:3F7D79079C57786051A2F7FACFB1046188049E831F12B549609A8F152664678EE35AD54D1FFF4447428B6F76BEA1C7CA88FA96AAB395A560C6EC598344FCC7FA
                        Malicious:false
                        Process:C:\Windows\SysWOW64\msiexec.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):440152
                        Entropy (8bit):6.5861742939465
                        Encrypted:false
                        SSDEEP:12288:qbiQnSDqYisDEiD3jbTFiuiSiO+kP53nUNlQ:qbvnSDqJsDEiD3PTFTFiS53UNW
                        MD5:D73CEA0A5254F5136A6B75E22F2E441F
                        SHA1:9BB66AD6624FE9873543422FC21266461FBC8037
                        SHA-256:33BA1C23E0EA57A391C3AA530F0E271019F6D1B7D507C52ACB68E34D212C66AF
                        SHA-512:673EFD3EEC8E836A0CFA0E85FF73D045DB8A5DCF558B00E4DF6E088333336AD849EC41A1F6678E6D25ECDDD3CFD0CCB06E90AFBD96912600FC9D382F1456E59B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {A2531866-B2EC-411C-9FA0-D7A27AEA7C46}, Number of Words: 2, Subject: ScreenBeam Conference, Author: ScreenBeam Inc., Name of Creating Application: ScreenBeam Conference, Template: x64;1033, Comments: ScreenBeam Conference Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 3 00:13:59 2023, Number of Pages: 200
                        Category:dropped
                        Size (bytes):102195712
                        Entropy (8bit):7.970382678486891
                        Encrypted:false
                        SSDEEP:3145728:1De0/dkW7EDe0/yjQjM3DTLVANzw0k/5L5zgagQ1iN+A:1De0OWgDe0razCzw0Ml1zgQst
                        MD5:622DB211DF1391E36131E016DCF4B456
                        SHA1:0C710B9DAEEE0B989AB3DAA033325E7423F540F1
                        SHA-256:6857BA1332BB238DB99876920D901449091D1C6031A16A0E5B0E759AC1FAB8EB
                        SHA-512:F1DB0E1FE0D71E2BA9629A35125637FA41283441B41CAD92EF676747973CED70723139830A9D7A5EAED7BF505DFFF34C704BD806B4465624FF653E35337A7BAD
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {A2531866-B2EC-411C-9FA0-D7A27AEA7C46}, Number of Words: 2, Subject: ScreenBeam Conference, Author: ScreenBeam Inc., Name of Creating Application: ScreenBeam Conference, Template: x64;1033, Comments: ScreenBeam Conference Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 3 00:13:59 2023, Number of Pages: 200
                        Category:modified
                        Size (bytes):102195712
                        Entropy (8bit):7.970382678486891
                        Encrypted:false
                        SSDEEP:3145728:1De0/dkW7EDe0/yjQjM3DTLVANzw0k/5L5zgagQ1iN+A:1De0OWgDe0razCzw0Ml1zgQst
                        MD5:622DB211DF1391E36131E016DCF4B456
                        SHA1:0C710B9DAEEE0B989AB3DAA033325E7423F540F1
                        SHA-256:6857BA1332BB238DB99876920D901449091D1C6031A16A0E5B0E759AC1FAB8EB
                        SHA-512:F1DB0E1FE0D71E2BA9629A35125637FA41283441B41CAD92EF676747973CED70723139830A9D7A5EAED7BF505DFFF34C704BD806B4465624FF653E35337A7BAD
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):353600
                        Entropy (8bit):6.524155130898608
                        Encrypted:false
                        SSDEEP:6144:/4xsB95xMzgFkesmW1XAOKoUSUU++VWRAItCcoL:/4xC95xMMFd8JUSWRAIUcoL
                        MD5:BE89B6F7002085A772991D0A12F74750
                        SHA1:F80538233AC4B4E72E945683FB4DBC3B30115F51
                        SHA-256:FBA201FCA51358E2CF0368CEF6DF81D593F48581B85A97E29CEB9F64BE0172EB
                        SHA-512:4D0D5DAAE8EA2389F92B795AF0FFCB413504BF829D3ED593CD164100251A7BE3D14483C32A7721ED68F6BA2F8D46D1A2CAF3B72C60A2146E7BAC12AED159469B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):353600
                        Entropy (8bit):6.524155130898608
                        Encrypted:false
                        SSDEEP:6144:/4xsB95xMzgFkesmW1XAOKoUSUU++VWRAItCcoL:/4xC95xMMFd8JUSWRAIUcoL
                        MD5:BE89B6F7002085A772991D0A12F74750
                        SHA1:F80538233AC4B4E72E945683FB4DBC3B30115F51
                        SHA-256:FBA201FCA51358E2CF0368CEF6DF81D593F48581B85A97E29CEB9F64BE0172EB
                        SHA-512:4D0D5DAAE8EA2389F92B795AF0FFCB413504BF829D3ED593CD164100251A7BE3D14483C32A7721ED68F6BA2F8D46D1A2CAF3B72C60A2146E7BAC12AED159469B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):803131
                        Entropy (8bit):6.5485786331805445
                        Encrypted:false
                        SSDEEP:12288:gBe4xC95xMMFd8JUSWRAIUcoB4xC95xMMFd8JUSWRAIUco3:feC95xMicwCIUcoBeC95xMicwCIUco3
                        MD5:948F6577D49F9E286F37A6ABBACE8709
                        SHA1:366AFF19565601B28DD1CC2AC2649517634A186A
                        SHA-256:6DCE4D0184BBA37178264DEB1C7E96552B58D2EBC69ACF293B89737F41A71748
                        SHA-512:56FECB8A75D8962E06997DF8665188072B3390D5DB4F489D8B16D00DDE5B8D6254A910846BB1A305EF376A7B3B4D7CD41BFA57C27B6014A1B009F14528AD9453
                        Malicious:false
                        Preview:...@IXOS.@.....@.mW.@.....@.....@.....@.....@.....@......&.{C600486B-812F-49ED-B0CB-A3F08D96350E}..ScreenBeam Conference!.ScreenBeam_Conference_Windows.msi.@.....@.....@.....@......ScreenBeam.exe..&.{A2531866-B2EC-411C-9FA0-D7A27AEA7C46}.....@.....@.....@.....@.......@.....@.....@.......@......ScreenBeam Conference......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{7199D981-9853-484B-8139-2C2B34F1FA2A}'.C:\Program Files\ScreenBeam\Conference\.@.......@.....@.....@......&.{EC32DB67-553E-42DB-8AB0-D93C26D64C7E}:.22:\Software\ScreenBeam Inc.\ScreenBeam Conference\Version.@.......@.....@.....@......&.{85245CA4-064E-4C9A-A44A-343774C760F3}9.C:\Program Files\ScreenBeam\Conference\app\ControlzEx.dll.@.......@.....@.....@......&.{041A7DD2-445F-4C98-9186-26507D7F21CB}9.C:\Program Files\ScreenBeam\Conference\app\ControlzEx.xml.@.......@.....@.....@......&.{842B369E
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:true
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:true
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:true
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):726848
                        Entropy (8bit):6.4584085143991095
                        Encrypted:false
                        SSDEEP:12288:ogaGWXLiDt5i+jfNIQTVhQNvj3jAszYzGLwQq63Trzzt5O0Qn2enGCeoa:FrBT6vj3cszYO5O0Qn2oGCeoa
                        MD5:9863AD412FA5529D5A712EF228AC6E2B
                        SHA1:BDA741FD705277C29379B01100A162E922F76583
                        SHA-256:502CCBE31FE0F984A2FA0610EE6385A3E478CD866E19208E229B6EF8FCFB2934
                        SHA-512:8F64B1AC2423EB6EBBD2853A985711C030F54279599382B3CBC3DE4EBB90A98A0273172A85D65E5E78CAE419E928FB787715EA9F2C8285662C89B25D6B584CB0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):726848
                        Entropy (8bit):6.4584085143991095
                        Encrypted:false
                        SSDEEP:12288:ogaGWXLiDt5i+jfNIQTVhQNvj3jAszYzGLwQq63Trzzt5O0Qn2enGCeoa:FrBT6vj3cszYO5O0Qn2oGCeoa
                        MD5:9863AD412FA5529D5A712EF228AC6E2B
                        SHA1:BDA741FD705277C29379B01100A162E922F76583
                        SHA-256:502CCBE31FE0F984A2FA0610EE6385A3E478CD866E19208E229B6EF8FCFB2934
                        SHA-512:8F64B1AC2423EB6EBBD2853A985711C030F54279599382B3CBC3DE4EBB90A98A0273172A85D65E5E78CAE419E928FB787715EA9F2C8285662C89B25D6B584CB0
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:true
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:true
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:true
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):602432
                        Entropy (8bit):6.4696654484377945
                        Encrypted:false
                        SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                        MD5:A9941233B9415B479D3B4F3732161EAB
                        SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                        SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                        SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:true
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:true
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....X"..........."...0..Z............... .....@..... ..............................x.....`...@......@............... ..................................p............n...............x..8............................................................ ..H............text...aY... ...Z.................. ..`.rsrc...p............\..............@..@........................................H.......(3..tE..........................................................*.(<......*..0............R~...... ......r...p...............(...+}e...~............r...p......%...%...(.....(......... ..(&...-.r3..p......%.(.....(....8a...re..p......%..s.....(......~....( .......~#...(....,.r...p......%.(.....(....8....r...p......%...(..........~.......(....-.r/..p......%.(.....(....8............(.....o....(.....o....()...-.r...p......%.(.....(....8..........(....-.r...p......%.(.....(....+`.
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
                        Category:dropped
                        Size (bytes):532677
                        Entropy (8bit):7.237703223170959
                        Encrypted:false
                        SSDEEP:6144:c8XqvLwHL0otXjsg0q+D3qc3nkpcf6fZnUe4T19trX1sitaq6QGLsDuoVt/Eyue7:6wHL0D1DaOkCoBuXtPMYGORJ1QSF8c
                        MD5:D45098AEFBACB8E2E93240A9949C7926
                        SHA1:44E9753F680C086192175E273465BF93715C8820
                        SHA-256:A9FA33BAD2F6022357CF45FCC622306FF44C82AC3E924101655C1F248A9395BD
                        SHA-512:DE38B6EE32EE4F8A28B6250E380B72369062E1E544F95C6CDB7EDA636D973B9073D5677D68444852C643A1A4A460A050E24D7A37874ECFF59C39D23CF4431277
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.>..>..>....w.>....u..>....t.>...V..>...V..>...V..>..F..>..>...>..>W..>..>W..>..>Wy.>..>..>..>W..>..Rich.>..........................PE..d....o.].........." .....R...........U.......................................p............`.........................................P....*......x....P.......0...............`..X......T...........................0................p...............................text....Q.......R.................. ..`.rdata.......p.......V..............@..@.data...............................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..X....`......................@..B........................................................................................................................................................................................................................
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):4.842712781484382
                        Encrypted:false
                        SSDEEP:768:rzmYFEr6mMN+c28dt0n0cmD9K8CaME86El8aJAvg5vinwl8o:7ErpO28Un0cmDo8CaME86El8aJAvghiU
                        MD5:2B9870D6E142AADDC2930A25C816DFBB
                        SHA1:98E2E6F4B0292628AFA55A94D4482A3192F98714
                        SHA-256:54C5426FE99867BE80C8B7B42B99ECF30A655E4800C2835E63E590DD1C51AF22
                        SHA-512:479F8A4B77DF2583449FA6F8012711A8CCC622C0D6E64E1BAE6E4B226C218C21BA904145AC1272140C5C72C9C72BE5BB6E7C7DC5B7315247D739CE5BBB84E284
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...%;De.........." ..0.................. ........... ....................................`...@......@............... ............................................................................................................................... ..H............text....... ...................... ..`.rsrc...............................@..@........................................H.......LI..Hc...........................................................0...........r...po....~.....rY..p..r...po....&.r...po......"...%..,.o......r...po......"...%..,.o.......i..i...r/..po.... C............8.....r...p....(....o........(.........9.........o........r6..p(....,y.rB..prX..po.......+Z.....o....o....r^..po....,9.rj..po.....rB..pr...po.........o....->.....(....(.....+,...X.......i2.+......o....-......(....(........X......i?.....r...po.....(......r...p(.....,8.r2..po.....
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1493
                        Entropy (8bit):4.732294656481805
                        Encrypted:false
                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
                        MD5:01C01D040563A55E0FD31CC8DAA5F155
                        SHA1:3C1C229703198F9772D7721357F1B90281917842
                        SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
                        SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):28784
                        Entropy (8bit):6.08346118574361
                        Encrypted:false
                        SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
                        MD5:F03298C90AB58E72A04E1AA310608B4C
                        SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
                        SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
                        SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
                        Malicious:true
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~............."...0..L..........Zj... ........@.. ..............................].....`..................................j..O....................V..p...........Li..8............................................ ............... ..H............text...`J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................;j......H.......$...(;...........................................................0..Y.......(....(.......9......9.......o......9.....r...p(....-".r...p(....-@.r...p(....:....8.....(......,..o....(.........o....(............(......,=.o.....14.o......+...(....o....(......(....-...........o.........o....(.......{...i./.r'..p+....o....(....-....Zo....(.......Lr)..p...rK..p(....(......+1rO..p(....r...p..'...%.r...p.%.rU..p.( ...(.......*....4....X..q......................K........... ...
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):184240
                        Entropy (8bit):5.876033362692288
                        Encrypted:false
                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):701992
                        Entropy (8bit):5.940787194132384
                        Encrypted:false
                        SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
                        MD5:081D9558BBB7ADCE142DA153B2D5577A
                        SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
                        SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
                        SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ..............................*^....`.....................................O.......................(..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):34984
                        Entropy (8bit):6.000650459314047
                        Encrypted:false
                        SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
                        MD5:C7EEAC397EC6B4EC895E89D0E43C652D
                        SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
                        SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
                        SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
                        Malicious:false
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....X"..........."...0..Z............... .....@..... ..............................x.....`...@......@............... ..................................p............n...............x..8............................................................ ..H............text...aY... ...Z.................. ..`.rsrc...p............\..............@..@........................................H.......(3..tE..........................................................*.(<......*..0............R~...... ......r...p...............(...+}e...~............r...p......%...%...(.....(......... ..(&...-.r3..p......%.(.....(....8a...re..p......%..s.....(......~....( .......~#...(....,.r...p......%.(.....(....8....r...p......%...(..........~.......(....-.r/..p......%.(.....(....8............(.....o....(.....o....()...-.r...p......%.(.....(....8..........(....-.r...p......%.(.....(....+`.
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Composite Document File V2 Document, Cannot read section info
                        Category:dropped
                        Size (bytes):49152
                        Entropy (8bit):0.7736233975209355
                        Encrypted:false
                        SSDEEP:12:JSbX72FjO/iAGiLIlHVRpUh/7777777777777777777777777vDHFK/Rs8bSLxpb:JHQI5EEl2T6F
                        MD5:917CD5B8AE2DBD87CF67E3C1A2AEF9C4
                        SHA1:1344AB55116FB990E2CADE40748C65D3A99A3F5D
                        SHA-256:5C9BFBFDA533948ED265A42D7C22F7758BE891AE8196C7532ADBE4E2A294AEA8
                        SHA-512:4DDA35660DFC56E5E76E586A2E28DDBA135D776150680D59536164260FBD541242F7DDCEA415AC15A92703A0DC86124319A701BE9BD16669894A9E9AD7B07D68
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Composite Document File V2 Document, Cannot read section info
                        Category:dropped
                        Size (bytes):32768
                        Entropy (8bit):1.450046481993002
                        Encrypted:false
                        SSDEEP:48:dSRuGO+CFXJDT55UhFIeInjrdSwAEkrCyuGpeSkdSyHHltCMoaojQZCQZBt8xzMY:ERsbT3JcRC7zn3SaCaQZa5b6vRCUWa
                        MD5:A3798EDD94CCFE101A8BFD8C77C59C81
                        SHA1:D614C5DDBB366E343F38FE5FD25F145FBEBD9AF8
                        SHA-256:73DA89506ED90AC05558644CE9A7F9CA1099B25775E5385A8328E3E52F002330
                        SHA-512:A9AE59C461F26BEF458B2CE6FCE43DEC0E0D9C138201E9D4E29343A9FF57C032619C376B2D4C831B2C6D173EF89EFF54E6FCFDF9D84D2B64CF1F307C24251419
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel
                        Category:dropped
                        Size (bytes):16958
                        Entropy (8bit):2.3402736777188395
                        Encrypted:false
                        SSDEEP:96:a+Ngz9wjTeE7144BQ2DFFnEbHIcXExGErQa2Nvv4wG:acgz9qaE7144BQ2DPEzEMErQaAX4L
                        MD5:D75CA2815FA84BC36C36D18B6AD9048F
                        SHA1:5353AE1430AC909C25484047713712520C3A2AE2
                        SHA-256:3B156EDE48A466BDEC4FF5F230B2841899DF2B0A4ED7A645CFF72F7DC3CBC318
                        SHA-512:008A5D9B83143AC59ECF5CC2654C2597199052B0876225CF32102188F192DC7CAA87F3D7DC76E03C76AB682884198DD6A5CC3DC3AF6993DD9A7C47AB85832496
                        Malicious:false
                        Preview:......@@.... .(B......(...@......... ......@........................................._...................................................................................................................................................................................................................j...................................8...................................................................................................................................................................................................................................J.......................T................................................................................................................|bT.......................................................................................................................e...............5................................................................................................................pSD.L(..W5#.......................................
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):432221
                        Entropy (8bit):5.375160271886289
                        Encrypted:false
                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauY:zTtbmkExhMJCIpEr5
                        MD5:EECA14730B46F5D737BB064602E74907
                        SHA1:904EE4DAF1D40260002B9CA0A2F8B55D4A9BFC95
                        SHA-256:3F110D25824D064C0C96F3233B5E6859F98E98E47CAE80DB5B02AAD0E61B14D1
                        SHA-512:DE913BA430560257C6F44B1FD83CA7D9CA439F83DAAC23CC062D7FE50DA55CD087946C23920F5AD50EA7263F2292603ED2BD4A932FD9353B99F86E93A441C196
                        Malicious:false
                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):32768
                        Entropy (8bit):0.07876463348899587
                        Encrypted:false
                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOK/u8xs8bSLaCLDh1SVky6l/X:2F0i8n0itFzDHFK/Rs8bSLxp/X
                        MD5:CE4DA0125BD28286568B241DDC468584
                        SHA1:BE46DBA9DE585370C6041ABCE0284917FF72D992
                        SHA-256:1DC63F5B5B95BAFE85A90F48CCA27C7F540214F8707C6C56634ADB8DBD7297BE
                        SHA-512:BE7094F4ECCB1338AAFDDA4F4D3C7DDC7A40E672E2DFDDD4AD90E3DB391EABED88AA1B7D1981385C9C61BA3B677719BCAE6D6862B0D2886E960E310207710150
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):81920
                        Entropy (8bit):0.21770028994101412
                        Encrypted:false
                        SSDEEP:48:iDQu2mzrdSwAEkrCyuCSkdSzdSwAEkrCyuGpeSkdSyHHltCMoaojQZCQZBt8xzMR:2KRRCU7RC7zn3SaCaQZa5b6E
                        MD5:F5A516E2C732F22AB65B517B77D3C374
                        SHA1:5792B5361C2639A2CD69E0BEF7E830675325E975
                        SHA-256:CC6947AA92F21D219681A9CB68BB1885C83186ADF14B4376B34511E8CFCA5AD1
                        SHA-512:AA7DE58672883BD2460A9FDADB486142DFCB594F8604A5C5524E6DD8525394AFC6F13F99496E18B31EE04A4B29C95A5BAF4C81750EC9979E5D148F994E00B59B
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:Composite Document File V2 Document, Cannot read section info
                        Category:dropped
                        Size (bytes):32768
                        Entropy (8bit):1.450046481993002
                        Encrypted:false
                        SSDEEP:48:dSRuGO+CFXJDT55UhFIeInjrdSwAEkrCyuGpeSkdSyHHltCMoaojQZCQZBt8xzMY:ERsbT3JcRC7zn3SaCaQZa5b6vRCUWa
                        MD5:A3798EDD94CCFE101A8BFD8C77C59C81
                        SHA1:D614C5DDBB366E343F38FE5FD25F145FBEBD9AF8
                        SHA-256:73DA89506ED90AC05558644CE9A7F9CA1099B25775E5385A8328E3E52F002330
                        SHA-512:A9AE59C461F26BEF458B2CE6FCE43DEC0E0D9C138201E9D4E29343A9FF57C032619C376B2D4C831B2C6D173EF89EFF54E6FCFDF9D84D2B64CF1F307C24251419
                        Malicious:false
                        Process:C:\Windows\System32\msiexec.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):512
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3::
                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                        Malicious:false
                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {A2531866-B2EC-411C-9FA0-D7A27AEA7C46}, Number of Words: 2, Subject: ScreenBeam Conference, Author: ScreenBeam Inc., Name of Creating Application: ScreenBeam Conference, Template: x64;1033, Comments: ScreenBeam Conference Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 3 00:13:59 2023, Number of Pages: 200
                        Entropy (8bit):7.970382678486891
                        TrID:
                        • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                        File name:ScreenBeam_Conference_Windows.msi
                        File size:102'195'712 bytes
                        MD5:622db211df1391e36131e016dcf4b456
                        SHA1:0c710b9daeee0b989ab3daa033325e7423f540f1
                        SHA256:6857ba1332bb238db99876920d901449091d1c6031a16a0e5b0e759ac1fab8eb
                        SHA512:f1db0e1fe0d71e2ba9629a35125637fa41283441b41cad92ef676747973ced70723139830a9d7a5eaed7bf505dfff34c704bd806b4465624ff653e35337a7bad
                        SSDEEP:3145728:1De0/dkW7EDe0/yjQjM3DTLVANzw0k/5L5zgagQ1iN+A:1De0OWgDe0razCzw0Ml1zgQst
                        TLSH:F4283321B589C036F67F10725939FAAA567E7E610B3244DBA3E87A7E0E715C14332E13
                        File Content Preview:........................>............................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A..
                        Icon Hash:2d2e3797b32b2b99
                        No network behavior found


                        Target ID:0
                        Start time:23:28:58
                        Start date:13/11/2023
                        Path:C:\Windows\System32\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ScreenBeam_Conference_Windows.msi"
                        Imagebase:0x7ff6aaec0000
                        File size:69'632 bytes
                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:false

                        Target ID:1
                        Start time:23:28:59
                        Start date:13/11/2023
                        Path:C:\Windows\System32\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\msiexec.exe /V
                        Imagebase:0x7ff7699e0000
                        File size:69'632 bytes
                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:false

                        Target ID:2
                        Start time:23:28:59
                        Start date:13/11/2023
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F648D474375A48DA022532DC9F731B8A C
                        Imagebase:0x900000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:false

                        Target ID:6
                        Start time:23:30:05
                        Start date:13/11/2023
                        Path:C:\Windows\System32\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\MsiExec.exe -Embedding 5E45740EEBE07AEAE92F6AE88589C9E1 C
                        Imagebase:0x7ff6aaec0000
                        File size:69'632 bytes
                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:false

                        Target ID:7
                        Start time:23:30:05
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4287265 90 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:23:30:06
                        Start date:13/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\MSI6AAE.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --def
                        Imagebase:0xa0000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:low
                        Has exited:true

                        Target ID:9
                        Start time:23:30:06
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:23:30:07
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI72CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4289250 100 ByomCustomAction!ByomCustomAction.CustomActions.VerifyDriverBusy
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high
                        Has exited:true

                        Target ID:11
                        Start time:23:30:08
                        Start date:13/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --list
                        Imagebase:0xe20000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:low
                        Has exited:true

                        Target ID:12
                        Start time:23:30:08
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:13
                        Start time:23:30:08
                        Start date:13/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe
                        Wow64 process (32bit):false
                        Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
                        Imagebase:0x23469ff0000
                        File size:34'984 bytes
                        MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:low
                        Has exited:true

                        Target ID:14
                        Start time:23:30:09
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:15
                        Start time:23:30:09
                        Start date:13/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --list
                        Imagebase:0xf00000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:16
                        Start time:23:30:09
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:17
                        Start time:23:30:10
                        Start date:13/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\MSI72CD.tmp-\sbdrvmgr.exe
                        Wow64 process (32bit):false
                        Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
                        Imagebase:0x1a742b20000
                        File size:34'984 bytes
                        MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:18
                        Start time:23:30:10
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:19
                        Start time:23:30:17
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI978D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4298671 128 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:20
                        Start time:23:30:18
                        Start date:13/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\MSI978D.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --def
                        Imagebase:0x1e0000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:21
                        Start time:23:30:19
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:22
                        Start time:23:30:21
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4302796 138 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:23
                        Start time:23:30:21
                        Start date:13/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --list
                        Imagebase:0x6f0000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:24
                        Start time:23:30:21
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:26
                        Start time:23:30:22
                        Start date:13/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\MSIA7CA.tmp-\sbdrvmgr.exe
                        Wow64 process (32bit):false
                        Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
                        Imagebase:0x26fe6030000
                        File size:34'984 bytes
                        MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:27
                        Start time:23:30:22
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:28
                        Start time:23:30:23
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4304703 164 ByomCustomAction!ByomCustomAction.CustomActions.RemoveDriver
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:29
                        Start time:23:30:23
                        Start date:13/11/2023
                        Path:C:\Users\user\AppData\Local\Temp\MSIAF3D.tmp-\sbdrvmgr.exe
                        Wow64 process (32bit):false
                        Commandline:sbdrvmgr.exe" --remove "ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
                        Imagebase:0x24a4ee30000
                        File size:34'984 bytes
                        MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:30
                        Start time:23:30:23
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:31
                        Start time:23:30:27
                        Start date:13/11/2023
                        Path:C:\Windows\SysWOW64\msiexec.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 24E524746DDC70772B4CA7E228956C7E
                        Imagebase:0x900000
                        File size:59'904 bytes
                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:false

                        Target ID:32
                        Start time:23:30:27
                        Start date:13/11/2023
                        Path:C:\Windows\System32\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\MsiExec.exe -Embedding BCEC60AB9177671AE7619B486BDB0526
                        Imagebase:0x7ff6aaec0000
                        File size:69'632 bytes
                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:false

                        Target ID:33
                        Start time:23:30:27
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Windows\Installer\MSIC1B2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4309484 133 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:34
                        Start time:23:30:28
                        Start date:13/11/2023
                        Path:C:\Windows\Installer\MSIC1B2.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --list
                        Imagebase:0x5d0000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:35
                        Start time:23:30:28
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:36
                        Start time:23:30:29
                        Start date:13/11/2023
                        Path:C:\Windows\Installer\MSIC1B2.tmp-\sbdrvmgr.exe
                        Wow64 process (32bit):false
                        Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
                        Imagebase:0x1edcdf90000
                        File size:34'984 bytes
                        MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:37
                        Start time:23:30:29
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:38
                        Start time:23:30:30
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Windows\Installer\MSICB1B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4311843 160 ByomCustomAction!ByomCustomAction.CustomActions.WaitForUnpairDeviceApp
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:39
                        Start time:23:30:38
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Windows\Installer\MSIEAFA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4319984 168 ByomCustomAction!ByomCustomAction.CustomActions.StopSBUCProcesses
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:40
                        Start time:23:30:39
                        Start date:13/11/2023
                        Path:C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --list
                        Imagebase:0x2f0000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:41
                        Start time:23:30:39
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:42
                        Start time:23:30:39
                        Start date:13/11/2023
                        Path:C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe
                        Wow64 process (32bit):false
                        Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
                        Imagebase:0x23fdb4f0000
                        File size:34'984 bytes
                        MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:43
                        Start time:23:30:39
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:44
                        Start time:23:30:40
                        Start date:13/11/2023
                        Path:C:\Windows\Installer\MSIEAFA.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --list
                        Imagebase:0xfd0000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:45
                        Start time:23:30:40
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:46
                        Start time:23:30:41
                        Start date:13/11/2023
                        Path:C:\Windows\Installer\MSIEAFA.tmp-\sbdrvmgr.exe
                        Wow64 process (32bit):false
                        Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
                        Imagebase:0x1be77510000
                        File size:34'984 bytes
                        MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:47
                        Start time:23:30:41
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:48
                        Start time:23:30:42
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Windows\Installer\MSIF962.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4323687 220 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:49
                        Start time:23:30:42
                        Start date:13/11/2023
                        Path:C:\Windows\Installer\MSIF962.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --def
                        Imagebase:0xb20000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:50
                        Start time:23:30:42
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:51
                        Start time:23:30:44
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Windows\Installer\MSI114.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4325656 230 ByomCustomAction!ByomCustomAction.CustomActions.SetIsInstallingTrue
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:52
                        Start time:23:30:45
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Windows\Installer\MSI80C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4327421 437 ByomCustomAction!ByomCustomAction.CustomActions.IsDriverBusy
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:53
                        Start time:23:30:46
                        Start date:13/11/2023
                        Path:C:\Windows\Installer\MSI80C.tmp-\DefMic.exe
                        Wow64 process (32bit):true
                        Commandline:"DefMic.exe" --list
                        Imagebase:0xc90000
                        File size:28'784 bytes
                        MD5 hash:F03298C90AB58E72A04E1AA310608B4C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:54
                        Start time:23:30:46
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:55
                        Start time:23:30:47
                        Start date:13/11/2023
                        Path:C:\Windows\Installer\MSI80C.tmp-\sbdrvmgr.exe
                        Wow64 process (32bit):false
                        Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
                        Imagebase:0x254f2360000
                        File size:34'984 bytes
                        MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:56
                        Start time:23:30:47
                        Start date:13/11/2023
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Target ID:57
                        Start time:23:30:48
                        Start date:13/11/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Windows\Installer\MSI10E7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4329687 452 ByomCustomAction!ByomCustomAction.CustomActions.DisableCampfilters
                        Imagebase:0x7ff6e4b50000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Has exited:true

                        Target ID:58
                        Start time:23:30:48
                        Start date:13/11/2023
                        Path:C:\Windows\System32\regsvr32.exe
                        Wow64 process (32bit):false
                        Commandline:regsvr32" /u /s "C:\Program Files\ScreenBeam\Conference\\app\Filters\x86\SBCamFilter32.dll
                        Imagebase:0x7ff6263e0000
                        File size:25'088 bytes
                        MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                        Reset < >
                          Strings
                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 2A_I
                          • API String ID: 0-941469806
                          • Opcode ID: 89b6b9c10f87bd57768f4ff4c68488001ffd67f89f9420d73f989582d5e4e951
                          • Instruction ID: 822b6a526301a873b63edc1465b8d07b8ade3818edef832e7bc9e65d5c727950
                          • Opcode Fuzzy Hash: 89b6b9c10f87bd57768f4ff4c68488001ffd67f89f9420d73f989582d5e4e951
                          • Instruction Fuzzy Hash: D4521BA3B0F6C50FEB694EAC54251296BD2EF96350B1900FFE0998F1FBE815BD129341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f666e1adee391c6d83a04eef1426dcdcad6836a8a585441d24816a2376069d72
                          • Instruction ID: 307f2f2e7bea43dd590cd3077e9f90f3366cd3e5da103dfc88179105c82aa8a9
                          • Opcode Fuzzy Hash: f666e1adee391c6d83a04eef1426dcdcad6836a8a585441d24816a2376069d72
                          • Instruction Fuzzy Hash: 6BE129A2B0E7C90FEB694E7C54251696BD1EF56340B1901FFE0A9CB1EBEC15BD128341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 73e84e99c186f1b7773765bc6988c7453da46a91b50d23666cd1b75253a7530b
                          • Instruction ID: 13cf68497b515d0bf8ea3ed16b5598b18f128c87577df67271a6c3c42770df86
                          • Opcode Fuzzy Hash: 73e84e99c186f1b7773765bc6988c7453da46a91b50d23666cd1b75253a7530b
                          • Instruction Fuzzy Hash: 8991F62160E6CA5FE7679B7C98746717FE0EF53214B0A01FED0A9CB0A7E9086C56C342
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c6f9199538e052e4faae3951677e1a2af7d6f0114140be044ce0e64d4ffc2bcc
                          • Instruction ID: 09a107d7f4fa9193e57c7314f2c0e4b8d8b9997c8135cdbba5dffef3cc94a3e3
                          • Opcode Fuzzy Hash: c6f9199538e052e4faae3951677e1a2af7d6f0114140be044ce0e64d4ffc2bcc
                          • Instruction Fuzzy Hash: 1FA11623B0D2990BE719B7BCA4665E93B90DF4223970841F7D1DDCE0E7DD09744B8295
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ab8ca5025dfe129dd7aa95beec0a4a986eaa0006f36cc0fcf43716cab638233
                          • Instruction ID: 04e298655640077381081bcf623e47559d8a759a3738c46d6f89033ef0ee507c
                          • Opcode Fuzzy Hash: 2ab8ca5025dfe129dd7aa95beec0a4a986eaa0006f36cc0fcf43716cab638233
                          • Instruction Fuzzy Hash: 4561F312B0EA8A0FE7B956B804762B927D1EF85310F1601BED46DCB1E7DD08BD964341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d49ba34c2b6a698f26dcaf3acd9be0659fa7ab88a79808b0822d783775f2bd80
                          • Instruction ID: 43b9bdd8f9e02816b4e6440c2a74304c033df2d455c30e1146ba8f6621de2b11
                          • Opcode Fuzzy Hash: d49ba34c2b6a698f26dcaf3acd9be0659fa7ab88a79808b0822d783775f2bd80
                          • Instruction Fuzzy Hash: C661A430B08A498FDB59EF68C4619A8B7E1FF59304B1045BED01DCB297DE74F9868741
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b1f315a21c9b56350763fd1b1e4adbef5672a708368018ea2a20024fa5adb19a
                          • Instruction ID: fcbdee8e0f512691fbb0a116d2c2c254473de98d12591aea4289f4995dd546ca
                          • Opcode Fuzzy Hash: b1f315a21c9b56350763fd1b1e4adbef5672a708368018ea2a20024fa5adb19a
                          • Instruction Fuzzy Hash: CE51A130708A0D8FDB95EF6CD895AE977E1FF59304B0501BAE409D72A2DA34EC91CB41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cf545af94ab919f70bcbac7fd346bd502268000bcd333dc324e8ce1b2451fc48
                          • Instruction ID: 7d42e482def8a1b9584dbafa342227c9dddc90d995d9271b75f684712d200d72
                          • Opcode Fuzzy Hash: cf545af94ab919f70bcbac7fd346bd502268000bcd333dc324e8ce1b2451fc48
                          • Instruction Fuzzy Hash: EC41E511A0FB8B0FE7AA967848766A43BE1EF56350B0501FBD468CB0E7DD4C6D568342
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ac8f8cacc9e3f3a75eb621d4d013efa2b5e66726d27ec07ab0d5ab440261e01c
                          • Instruction ID: f770d65b3fc132d7c47176cb2db6a7557f178385a29d4c5d93fca2f5ed32171f
                          • Opcode Fuzzy Hash: ac8f8cacc9e3f3a75eb621d4d013efa2b5e66726d27ec07ab0d5ab440261e01c
                          • Instruction Fuzzy Hash: CE41E43091E7CD4FDB2A9BB958646F97FA4EF13325F0801BFD099C61A3CA182416C746
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a03782f2241463ffefb2012b9679a4b1fd09cca1ac4eb7903fcdab381d81df1e
                          • Instruction ID: 63f676dd9ea14d632f32f38fc72e939c12c407db28b521b747a7d8e017d5d82d
                          • Opcode Fuzzy Hash: a03782f2241463ffefb2012b9679a4b1fd09cca1ac4eb7903fcdab381d81df1e
                          • Instruction Fuzzy Hash: 4B210812F0FA9A0FEBFA52BC94751A92B929F45A10B0511FAC0B8CE1E7DD086D534381
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1d9be689c6da6eeb48cc48cc6c131e90992924df247fa3eeab7b6b17225c1221
                          • Instruction ID: d8aa54bd0279fb95b44c68719c754316a68025409a4705220121ff7711fa6339
                          • Opcode Fuzzy Hash: 1d9be689c6da6eeb48cc48cc6c131e90992924df247fa3eeab7b6b17225c1221
                          • Instruction Fuzzy Hash: BA21073060E68E8FEB62DF68C4616A57BA1FF4A300F1645E6D468CF1A2CA74F991C701
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dbf91615d8d1329c646b54ce57dcdf9eaad3dfa4c37b54478163877c53e315e3
                          • Instruction ID: 6ae596d1c91847d9b97152aec31e7bfb00bec79295641501f0c5540f77ea3923
                          • Opcode Fuzzy Hash: dbf91615d8d1329c646b54ce57dcdf9eaad3dfa4c37b54478163877c53e315e3
                          • Instruction Fuzzy Hash: D201F72250E1C94EEB62977818705A67FE0DF43224B1900EFD0E8CA0A3D449A965C342
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 541a70610279a7b9a06eb046ac182c21db6f5000a706209918b7925d6e6872e6
                          • Instruction ID: 2fdb90c30b19c22d481648b3917b56ff6799a8cd656c407d362154fa7dfd4a84
                          • Opcode Fuzzy Hash: 541a70610279a7b9a06eb046ac182c21db6f5000a706209918b7925d6e6872e6
                          • Instruction Fuzzy Hash: B3F06211B1A85F05F27711E816A52F52181AB45221FA7063DE83DCE1F2DC08BA620352
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 02185a8a521255f19c15d1a29eb667a2252fc7f3576ab7d4f5eff4db8687210f
                          • Instruction ID: 2fdbab4a9b396166a47651eb9e5c7144daea53c627074bad306ed07a4fc38e9b
                          • Opcode Fuzzy Hash: 02185a8a521255f19c15d1a29eb667a2252fc7f3576ab7d4f5eff4db8687210f
                          • Instruction Fuzzy Hash: 47E07D7260F94C5BCF00EAAB6C604CA3FA9FB8D318B01012AF45CC3251E212A521C351
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000007.00000003.2343455155.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_7_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 494321b211d3b07eba72ae0cfba8f1e5f15258979fdff7b412b7bd2dce9a97e0
                          • Instruction ID: 06401d89036e6c46b20f7c1a37fce2788aa04f350aaf19392997c2e569a891a5
                          • Opcode Fuzzy Hash: 494321b211d3b07eba72ae0cfba8f1e5f15258979fdff7b412b7bd2dce9a97e0
                          • Instruction Fuzzy Hash:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2342782632.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_a30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q$$^q
                          • API String ID: 0-355816377
                          • Opcode ID: 95207152bc4c1ec5e8d1cf08a44f732d2bce0fad451eaba9fc0c534fdf841827
                          • Instruction ID: 6710cfbc44adf01648a952efc057434a9b8bc1970b4dd19f236c7b473c6f89dd
                          • Opcode Fuzzy Hash: 95207152bc4c1ec5e8d1cf08a44f732d2bce0fad451eaba9fc0c534fdf841827
                          • Instruction Fuzzy Hash: 24219431A00709CFCF15AF78D844899F7B4FF85314B09866AE4496B225EB31D994CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2342782632.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_a30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: 3
                          • API String ID: 0-1842515611
                          • Opcode ID: 52072e8e362a80389f69eeae0ec744a584c4d0b2704d747a2c170679e4591384
                          • Instruction ID: 3966a9cb2be35ec31f8fe6ea14af9904382dbe3577f90c2063e3df8ab53f30f3
                          • Opcode Fuzzy Hash: 52072e8e362a80389f69eeae0ec744a584c4d0b2704d747a2c170679e4591384
                          • Instruction Fuzzy Hash: 65513571E002089FDB14DFE9C955BEEBBF6AF48304F14806AE505EB2A0DB359A45CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.2342782632.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_a30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q
                          • API String ID: 0-388095546
                          • Opcode ID: f12c14189f3abdd11249ea087e1c0458ea6750d29b8d253850ce9cb00bc8e0f9
                          • Instruction ID: 3763a6823d114fa86232b2995ead46b1019dabe4439d6f1d849c6d1b3bbcaea5
                          • Opcode Fuzzy Hash: f12c14189f3abdd11249ea087e1c0458ea6750d29b8d253850ce9cb00bc8e0f9
                          • Instruction Fuzzy Hash: D7218131904709CFCF11AF78C8548A5FB74FF45304F098AAAE4496B222EB71E994CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000008.00000002.2342782632.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_a30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4b7a6b64e74af7b559f1227d8a0180e829f22141a056dad6617c62173cbe1cc1
                          • Instruction ID: 3177be8ed6dbe7c1c178cbcf0cbf9353fb1b75c9e2d9422a33d2a246c294bfb4
                          • Opcode Fuzzy Hash: 4b7a6b64e74af7b559f1227d8a0180e829f22141a056dad6617c62173cbe1cc1
                          • Instruction Fuzzy Hash: 0561B030A00305CFDF15EFB4D968AAE7BB2BF85704F148569E405AB395DB719C46CB41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000008.00000002.2342782632.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_a30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 18eaf82cd330dffdd727fa77d64894e66ff6ece30ab553fc2017511c505368bc
                          • Instruction ID: 52b88895714d6a957fd019af4d9d6ea30befd32248a6c79c240ab8bf296d882c
                          • Opcode Fuzzy Hash: 18eaf82cd330dffdd727fa77d64894e66ff6ece30ab553fc2017511c505368bc
                          • Instruction Fuzzy Hash: 51513032E50B06A6E710EFA5CC45699F372FF9A700F61CB16F6483B191EBB0A5D4C681
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000008.00000002.2342782632.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_a30000_DefMic.jbxd
                          Strings
                          Memory Dump Source
                          • Source File: 0000000A.00000003.2373352104.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          • Snapshot File: hcaresult_10_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 2C_I
                          • API String ID: 0-999908352
                          • String ID: 0
                          • API String ID: 0-4108050209
                          • Opcode ID: 62facf363a68e3c76cd6b281a46e1bb6391a60920ecaa083fd96a90d048d514e
                          • Instruction ID: 5cb57801817ffe9dd919cf8ea5041476be3a9fa849efca9a399470f1e721c69b
                          • Opcode Fuzzy Hash: 62facf363a68e3c76cd6b281a46e1bb6391a60920ecaa083fd96a90d048d514e
                          • Instruction Fuzzy Hash: 3A31C2A0A0E6C51FD312B3F808661BABFE0DF4B214B1914EED5DACB173D928A502C702
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000003.2373352104.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a3a69c6083676c7850ea78f7adef15574b9029f2fe1478d7876d9d5e957c7f50
                          • Instruction ID: 0bfda0a36bd624bc61d4098729bae2fb96cebb098d5a959b1c69f97680006c2e
                          • Opcode Fuzzy Hash: a3a69c6083676c7850ea78f7adef15574b9029f2fe1478d7876d9d5e957c7f50
                          • Instruction Fuzzy Hash: 0DD13821B1DA890FD71DFB7854765B8B7D1EF99304B1440BDE06ECB2E7CE28A9028745
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000003.2373352104.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 80caf9757fc4faedd8759a623e68281b833723f1e97f3342a25d7ee00d6f04f6
                          • Instruction ID: 22afbf5bb3b88590e59e0831f02d53701d817c0ce0c78aab33b47d4ab12598fe
                          • Opcode Fuzzy Hash: 80caf9757fc4faedd8759a623e68281b833723f1e97f3342a25d7ee00d6f04f6
                          • Instruction Fuzzy Hash: 73B11522B0DA890BE719BB7854265F87BD1DF95314B1540FEE09ECB1E7CE18A9068345
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000003.2373352104.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8ac55549f35c6119bca4c5151a9e3dc147e5dfb1290420be5184ef165b9845ca
                          • Instruction ID: ebbffd28fb6c2c3e120dde8d824320e60115a8ef604e3bb19484b64eeb82a374
                          • Opcode Fuzzy Hash: 8ac55549f35c6119bca4c5151a9e3dc147e5dfb1290420be5184ef165b9845ca
                          • Instruction Fuzzy Hash: 1FA10362B0EA890FE719FB7854255B87BD1EF99304B1540FEE05ECB1E7CE28A9068741
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000003.2373352104.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2bef605ebbb88ab4e8b523c5d5d5c3bb355ccdeef23b10883c27de5d684b0951
                          • Instruction ID: a956d002fac09618e1e156b1e1558ec8bd371ddd695b37383e7efd83d5c205f9
                          • Opcode Fuzzy Hash: 2bef605ebbb88ab4e8b523c5d5d5c3bb355ccdeef23b10883c27de5d684b0951
                          • Instruction Fuzzy Hash: D6A11962B0EA890FE719FB7854355B87BD1EF95304F1540BEE05ECB1E7CE18A9068341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000003.2373352104.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 626ba5878efed1fad6dc31e31b711a0de32721be791694bda68e46223d634447
                          • Instruction ID: 6ec1114c33e956bce9403ee233b1cc6abdf3c9fbd7a7bb7472aa9452e9fad46d
                          • Opcode Fuzzy Hash: 626ba5878efed1fad6dc31e31b711a0de32721be791694bda68e46223d634447
                          • Instruction Fuzzy Hash: B3A11762B1DA890FE71DFB7854265B87BD1EF99304F1540BEE05ECB1E7CE28A9068341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000003.2373352104.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 095d23064db193b88f9c863a9a70a23cbeab84727d91f34e84790d1460a0cca3
                          • Instruction ID: e019fcd80224e8f65b02e860d2ce5c2a5ea064386d5e655e6be5c2933107babe
                          • Opcode Fuzzy Hash: 095d23064db193b88f9c863a9a70a23cbeab84727d91f34e84790d1460a0cca3
                          • Instruction Fuzzy Hash: 8E911621B0FA8A0FE3A6B6F844752B52BA0DF46650B1A40FAD96CCF0F7DC0879468351
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000A.00000003.2373352104.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_10_3_7ffd9b6c0000_rundll32.jbxd
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q$$^q
                          • API String ID: 0-355816377
                          • Opcode ID: 149042ee8cd009e1330c5e4fb57ab74654f4d8cbf597c040d4adde75eaa19f48
                          • Instruction ID: f67c55da0776a7397a9c07e689041e013919eef1382b55cd26bb2663b7dcecc9
                          • Opcode Fuzzy Hash: 149042ee8cd009e1330c5e4fb57ab74654f4d8cbf597c040d4adde75eaa19f48
                          • Instruction Fuzzy Hash: 8321A331E00719DFCF159F78D848899F7B4FF45314B0586AED4096B226EB31E988CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q
                          • API String ID: 0-388095546
                          • Opcode ID: 64013cf49694ab05514f7cec4c827a3414ec4bff52f3a57dd52d3c65e72f2897
                          • Instruction ID: dd4d80989c12f3e315312a8d221c90a0daa2c23dc4831696697dd10f24a6eb73
                          • Opcode Fuzzy Hash: 64013cf49694ab05514f7cec4c827a3414ec4bff52f3a57dd52d3c65e72f2897
                          • Instruction Fuzzy Hash: 8921D631D00719DFCF11AF78D8584A9FBB1FF46300B058AADD4496B126EB35D985CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 624a4aec473b9ed11ae2a98397be8e612c36bbcd35733e57835550d5638fb001
                          • Instruction ID: 7c1e548e90dc2556c8415456638e8091384ee31d759e000911e55a65847df13e
                          • Opcode Fuzzy Hash: 624a4aec473b9ed11ae2a98397be8e612c36bbcd35733e57835550d5638fb001
                          • Instruction Fuzzy Hash: 3D619B30A003098FDB15EF78D4186AE7BB2FF86704F04896DE405E7255DBB89D46CB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6fd28e3c7c5b51a107b8a8beefe5d56fe76a62383919020669f1ef3892bf3b3f
                          • Instruction ID: 3bacb04628383e8cefd6efe7ad1834f499076d4b052f5f14b9da1a7fba8e6701
                          • Opcode Fuzzy Hash: 6fd28e3c7c5b51a107b8a8beefe5d56fe76a62383919020669f1ef3892bf3b3f
                          • Instruction Fuzzy Hash: E4518D32E50B06AAE7109BB4CC45699F371FF9A700F61CB1AF6483B191EBB0A1D4C681
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 38e879ce851d6dab12746b50b7757c9bfa195a25174d8000e05a142363058b34
                          • Instruction ID: 30d9dcfbfab1b314fd06bc57f77cf7bf58086f57df78c9572f870011925ef0d1
                          • Opcode Fuzzy Hash: 38e879ce851d6dab12746b50b7757c9bfa195a25174d8000e05a142363058b34
                          • Instruction Fuzzy Hash: F5513E32E50B06A6E710DFA5CC45A99F371FF99700F61CB16F6483B191EBB0A1D4C691
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 676dea93023fd79c1e3e82049a9d13fd4b98a9fff0c24480f42a8e96c6c026b7
                          • Instruction ID: aee2b3ae0acc836101003bdf4899ec816349aa396f4dc32fd000605ab0bff57b
                          • Opcode Fuzzy Hash: 676dea93023fd79c1e3e82049a9d13fd4b98a9fff0c24480f42a8e96c6c026b7
                          • Instruction Fuzzy Hash: 0741A432E1074A9ACF01DFB9C8544DDFBB1FF95300B11CA5AE545BB115EB30A685CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5cd1d645c890fc94861937767703f745183fe4b6cfe35e49fd1104c99126e763
                          • Instruction ID: e42757aaf95e7774a0361c5e84dc4c407280f670fe10b3837f5a58dc8cd1fd4d
                          • Opcode Fuzzy Hash: 5cd1d645c890fc94861937767703f745183fe4b6cfe35e49fd1104c99126e763
                          • Instruction Fuzzy Hash: 44413471C0424D8FCB10CFA9C898ADEFFB9EF4A304F24865AD459AB241D7756A49CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 214eb6d32b2880b9ede7ae65d4a25f38b98fc8b573eefef8ddfbf3c93b56efdc
                          • Instruction ID: 90062ff24a2f9178d5ec37764e2f1dd37b11e01c1a90bbb13c450bcacbc716b9
                          • Opcode Fuzzy Hash: 214eb6d32b2880b9ede7ae65d4a25f38b98fc8b573eefef8ddfbf3c93b56efdc
                          • Instruction Fuzzy Hash: FB416B30B0064A9FCB14DFB9D9589AEBBF3FFC5304B00C569D409A7265EB31AA06CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d44f0ebca97afa154a48cb4d2cc60f795fbb5aa83e361b3573b0f759b5ebda0f
                          • Instruction ID: e779351d769b8e47d9624fabdec716d87c93d0278edb62c064bce83dbe51ff04
                          • Opcode Fuzzy Hash: d44f0ebca97afa154a48cb4d2cc60f795fbb5aa83e361b3573b0f759b5ebda0f
                          • Instruction Fuzzy Hash: 0121D32125C3800FC707A73C94641AA7FA2DFC7314B0949EBD184CB6B7D9559D8AC366
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4a487041703d8d6777eff478fb73c5a3e761d632e8eaf202d9ead970fc93f11
                          • Instruction ID: 4374da3c463bcf4600a439c9e296aed2595fee0ebb553f56d21817a02733965c
                          • Opcode Fuzzy Hash: b4a487041703d8d6777eff478fb73c5a3e761d632e8eaf202d9ead970fc93f11
                          • Instruction Fuzzy Hash: 714124B1D002489FCB14CFA9C998BDEBFF5AF49304F14842AE414EB250CB755A45CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7a74344b7b299d1d95fd9e1b8f259e1d143d49cfeb102acf2faf34270d09599b
                          • Instruction ID: 612cda6ac2c7e59837c2fcf25540aa98fe6f1f784b395a26546e6d2da8bc79e1
                          • Opcode Fuzzy Hash: 7a74344b7b299d1d95fd9e1b8f259e1d143d49cfeb102acf2faf34270d09599b
                          • Instruction Fuzzy Hash: DD319232E0060AABDB01DFB9D8944DEFBB2FF85300F11C66AE554A7211FB30A581C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9f55bbf6c434106ff226e6762c6e5e0029a7172ffc69782621e38029ed82a557
                          • Instruction ID: 24385c67f3170f2579322bd044e4d8d701e7da280485dce45d59703942dcde77
                          • Opcode Fuzzy Hash: 9f55bbf6c434106ff226e6762c6e5e0029a7172ffc69782621e38029ed82a557
                          • Instruction Fuzzy Hash: 414124B1D00248DFCB14DFAAC988BEEBFF5AF49304F14802AE415AB250DB745A45CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 73d9a0c730709254471fb98338252de8408cdff656dc2364df9c2d5733a79dd4
                          • Instruction ID: dfcc89665c281db1f435fac3d4d4a94cdee99fbf798251288c82feac32bb1ba1
                          • Opcode Fuzzy Hash: 73d9a0c730709254471fb98338252de8408cdff656dc2364df9c2d5733a79dd4
                          • Instruction Fuzzy Hash: 9541E2B1D003598ACB10CFAAC984ADEFBB9AF49300F20852AD419BB240D7756A49CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.2358927853.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_18e0000_DefMic.jbxd
                          Memory Dump Source
                          • Source File: 0000000D.00000002.2362880423.00007FFD9B620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B620000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_13_2_7ffd9b620000_sbdrvmgr.jbxd
                          Memory Dump Source
                          • Source File: 0000000F.00000002.2369789018.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_30c0000_DefMic.jbxd
                          • Instruction Fuzzy Hash: 71F0A771A05149AFCB06CFB489A29FEBFF6DF85200745C5F9D544CB211D9318917DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000F.00000002.2369789018.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_30c0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f16cbb82b894761118f97d2b4ed7d8a54b618a84001e9bd30cade8598fa85286
                          • Instruction ID: b6c2cb71471432c448bb143086dc7beae6883c734d877109d5965ada9c9b6e96
                          • Opcode Fuzzy Hash: f16cbb82b894761118f97d2b4ed7d8a54b618a84001e9bd30cade8598fa85286
                          • Instruction Fuzzy Hash: 34F0A731A05189AFCB45CF7499929BEBFB6DF86204705C4EDC049DB156D93199079740
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000F.00000002.2369789018.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_30c0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61295fd4aff28026b27c4896efafef3f6a39bd8264764f04daf14b410a11837c
                          • Instruction ID: a9f15df74333e56526aa727457ced24992b5a0c99379de43c0fa2cb3a2bc84dc
                          • Opcode Fuzzy Hash: 61295fd4aff28026b27c4896efafef3f6a39bd8264764f04daf14b410a11837c
                          • Instruction Fuzzy Hash: 31F0F870E0120DEFCF41EFB8E94859DBBB1EB48241F9049A9C905A7214EA316F599F41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000F.00000002.2369789018.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_30c0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef696b92965d1b6ca324ab4cdf17a61e0803a1b755afc38068c427e62800c855
                          • Instruction ID: 6d06418cc2ba9c6f7592e745795d411166482902fba94c167e5bb0ff6e90d795
                          • Opcode Fuzzy Hash: ef696b92965d1b6ca324ab4cdf17a61e0803a1b755afc38068c427e62800c855
                          • Instruction Fuzzy Hash: 9CE0DF71B0210DBBCB04DFB5C900D6EBBEEEB84344740C4ACDA08CB210EE31DA059B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000F.00000002.2369789018.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_30c0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1a5070331be729d364bf7dd30290633021be008b800cbfdc9174fc8ea3876c47
                          • Instruction ID: 855552a037013489e705b6006aa2be2518a7c026ffe03b236d460c0b077c9819
                          • Opcode Fuzzy Hash: 1a5070331be729d364bf7dd30290633021be008b800cbfdc9174fc8ea3876c47
                          • Instruction Fuzzy Hash: 58E0C262344A800FCB07676CA5702AEABE28DC524074D06AAC2858B32ACD10AC478381
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000F.00000002.2369789018.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_30c0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f05432be9e2562c811f2b763f5911c3214a76e529ddb0ffa0119e7f61f78a3d0
                          • Instruction ID: 00b5b210c13188a37efe2c848a6253623a9f4795ff38028aa43823a08100a387
                          • Opcode Fuzzy Hash: f05432be9e2562c811f2b763f5911c3214a76e529ddb0ffa0119e7f61f78a3d0
                          • Instruction Fuzzy Hash: 0CD09235B40269CFCF00EFA8D9486DC77B0EF88725F0000A9E20AEB270DB759855CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 664e80ca4d0b370b869a5ed6f368cbbd4952eeaf832b3b6f5d3ffd472a4de450
                          • Instruction ID: 2d6302a8a04126e15ed96741e99609cd5b577113da7207042b618a82d827556f
                          • Opcode Fuzzy Hash: 664e80ca4d0b370b869a5ed6f368cbbd4952eeaf832b3b6f5d3ffd472a4de450
                          • Instruction Fuzzy Hash: 57517F32E54B46AAE710DBA4CC45A99F372FFDA700F61CB16F6483B191EBB0A1D4C641
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3b0f420874ec472e3474f6cb420e9a2a2c0e53b2a494c95a5b23d93b0e37249d
                          • Instruction ID: 0956c2629b98871476617981777c82e7d93db62c8f6fd253d2b565a8aefd9457
                          • Opcode Fuzzy Hash: 3b0f420874ec472e3474f6cb420e9a2a2c0e53b2a494c95a5b23d93b0e37249d
                          • Instruction Fuzzy Hash: EF513032E50B0AA6E710DFA5CC45699F372FF99700F61CB16F6483B191EBB0A1D4C681
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4782fc9ffa2bb9064f604adc22f8721a342cbbb230c2d4b4810f67e91f9462ab
                          • Instruction ID: 34ebfb1c7ceaa89f27dac8e746eefbc0c863db4ffee2cd861ed26d11dedaec3a
                          • Opcode Fuzzy Hash: 4782fc9ffa2bb9064f604adc22f8721a342cbbb230c2d4b4810f67e91f9462ab
                          • Instruction Fuzzy Hash: 76417432E14B4A9ACB01DFF9C8504DDF7B1FF95300B11C65AD559BB151EB30A586C790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f9b750c89749836c46e3918ab1bb68b0e488c197b40fae9045eae644c2961169
                          • Instruction ID: 749a4f50d504497dace425b7d1deeaea4a3ac071489a7c1d1226060019f0e620
                          • Opcode Fuzzy Hash: f9b750c89749836c46e3918ab1bb68b0e488c197b40fae9045eae644c2961169
                          • Instruction Fuzzy Hash: E54134B1D0035D9ECB10CFA9C954ADEFBF5AF88304F20856AD459BB250DB746A85CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5aad955dd8ec02b28045ade3028187e06caa56fc855c1f555795fdfb326fbf72
                          • Instruction ID: bcae47b037f82946bd10ddbe34b4ab3151b88d9a14af7f39aa3440423b787ac1
                          • Opcode Fuzzy Hash: 5aad955dd8ec02b28045ade3028187e06caa56fc855c1f555795fdfb326fbf72
                          • Instruction Fuzzy Hash: 44319432E0170AABCB01DFB9D8905DEFBB2FF94300F11CA6AE545A7251EB30A585C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d7f73a104a79669673d330bc7cc474b1a73f3fcaae83ab5f45510a7dca104e69
                          • Instruction ID: dc06919d191628fb5b8799cd652090792cdccbd464f61d7111af71b1b9aad548
                          • Opcode Fuzzy Hash: d7f73a104a79669673d330bc7cc474b1a73f3fcaae83ab5f45510a7dca104e69
                          • Instruction Fuzzy Hash: 294127B1E012589FCB14DFA9C994BDEBFF6AF48304F14846AE404AB290CB745985CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 894830637164b68d89bc1579129da5c7a0ed922de670c813b60922bf4d8fd71b
                          • Instruction ID: c779432b7b723ec4424f23dbecc5b47b757fa5c02563c4e335ad347a4bfd210e
                          • Opcode Fuzzy Hash: 894830637164b68d89bc1579129da5c7a0ed922de670c813b60922bf4d8fd71b
                          • Instruction Fuzzy Hash: 2C41F5B1D0035D9ACB10DFAAC544ADEFBF5BF48304F20852AD419BB244D7746A85CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e2b242a45233d9eb3bab225cbb763e4934a22ab630b49bcbf088b52f32e5639
                          • Instruction ID: cee6337734730cc7769b82716feb96a6dd65f72f95ac76115c52a57e059e3894
                          • Opcode Fuzzy Hash: 1e2b242a45233d9eb3bab225cbb763e4934a22ab630b49bcbf088b52f32e5639
                          • Instruction Fuzzy Hash: E44142B1D012489FDB14DFA9C894BDEBFF5AF48304F24846AE409AB290DB745985CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9d86458692a59462703fa0f119bc26d712b7090efa231ef35ef74e19a692aa57
                          • Instruction ID: f0eaaddd0f2829c0ae502de625aa29651840b9bf1ffa289464d5c616381933b6
                          • Opcode Fuzzy Hash: 9d86458692a59462703fa0f119bc26d712b7090efa231ef35ef74e19a692aa57
                          • Instruction Fuzzy Hash: 6F3115B1D012189FCB14DFAAC995BDEBBF5AF48304F20846AE508BB254DB746985CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 800f472e42ed20f24a1b55816807926dc05b2307a4ae19d09d5b2cf751c81a31
                          • Instruction ID: 7437731b3100344f1d923bbe1ea991bbbf572611744be87553c29eba550f33fd
                          • Opcode Fuzzy Hash: 800f472e42ed20f24a1b55816807926dc05b2307a4ae19d09d5b2cf751c81a31
                          • Instruction Fuzzy Hash: 923112B1D01258DFCB14DFAAC985BDEBBF5AF48304F24846AE409AB290DB745985CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b8f9919f21af6b297203978c767fab10135c425ece3bc249b891206774cf33e6
                          • Instruction ID: f617632c441f5f9cc441107e5078caa7e19c2c56af263e516afcff00a7dc551a
                          • Opcode Fuzzy Hash: b8f9919f21af6b297203978c767fab10135c425ece3bc249b891206774cf33e6
                          • Instruction Fuzzy Hash: 5F2104307243424FCB16A67488202EE77F3AFC1704F44019AC8499B799DBB58C87C781
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 738a43101730b8fe1d0e3acbf3ecf3fed33112c7b813d4dce6a23377c05e0177
                          • Instruction ID: 3efa503250de327813353a7edb0b2497e89ef4be647aaab818ef2be91c8bb89e
                          • Opcode Fuzzy Hash: 738a43101730b8fe1d0e3acbf3ecf3fed33112c7b813d4dce6a23377c05e0177
                          • Instruction Fuzzy Hash: A53102B1D152589FCB20DFA9D894BDEBFF5AF48310F24846AE419AB250C7749885CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 15d5818dc6e0f5fd1efd7a8591267d383fb8c86f86ec15df2e7bb883adf37d5a
                          • Instruction ID: 1a999a7c1415dc18f84827faeb94d9c56ef91f98a56a36b7c5e70a1b259b804f
                          • Opcode Fuzzy Hash: 15d5818dc6e0f5fd1efd7a8591267d383fb8c86f86ec15df2e7bb883adf37d5a
                          • Instruction Fuzzy Hash: 1C3103B1D002589FCB10DFAAD494BDEBFF4AF08350F24846AE459BB250CB745886CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a7e8210c922ba26e90a37d7337d3d176ad3c0a8f557e8fe104e845e4f4dee35
                          • Instruction ID: bb6c8ca955885f7e6e788e2c5194c44556c5108612cef8da7e94861464d4adcf
                          • Opcode Fuzzy Hash: 3a7e8210c922ba26e90a37d7337d3d176ad3c0a8f557e8fe104e845e4f4dee35
                          • Instruction Fuzzy Hash: 4F31F4B1D012589FCB10DFAAC484BDEBFF8EF48310F24846AE418AB250C7746885CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e03c6242bff35a21285d7326f3158614d7c7b1166661b334ff2d9d1fb910c53
                          • Instruction ID: 11589240fa4143b7980689afe13f93e6d7fa0e796ba314438c59220e35bd244f
                          • Opcode Fuzzy Hash: 1e03c6242bff35a21285d7326f3158614d7c7b1166661b334ff2d9d1fb910c53
                          • Instruction Fuzzy Hash: 4621D2B1D002589FCB14DFAAD494BDEBFF8AF08350F64846AE559AB250CB745885CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f3310315bcc73e0e939b7011a73ec676fd63ffa71f7a09ed243b66a9f110e950
                          • Instruction ID: 662790972c64069eb6462814347aef2e6023955906adb029ec4d666fa8cc41ed
                          • Opcode Fuzzy Hash: f3310315bcc73e0e939b7011a73ec676fd63ffa71f7a09ed243b66a9f110e950
                          • Instruction Fuzzy Hash: 88112631B092459FC706CB79EC20AAEBBA2DFC5304B05C5BBD009CB2A1DB319846CB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f0a9616e4a7ba54d6ea437f8d7809341a3c8992cff62ba443b16c22ec078292
                          • Instruction ID: 0b12249c3160279bfe6e63606e3ffa00216e2e8de12800e57ead060979c23368
                          • Opcode Fuzzy Hash: 7f0a9616e4a7ba54d6ea437f8d7809341a3c8992cff62ba443b16c22ec078292
                          • Instruction Fuzzy Hash: BEF0C232B041496BCB15DAB8D8249EEBBE7AFC4300B04846ED246A72A1DA319916CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: db0856f9eefeff3ad12042988d65a3602cb0878c175156f4a5cd814ca2f4bf19
                          • Instruction ID: 7ae9f462d60732da620e989f10debf211be5d45a266090176a4bcc48274b7678
                          • Opcode Fuzzy Hash: db0856f9eefeff3ad12042988d65a3602cb0878c175156f4a5cd814ca2f4bf19
                          • Instruction Fuzzy Hash: 5EF0893170010867CF14DAA5D855DEEB7EAEBC8300F40C479D705A7250DA31995587E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d6ce6d8aa46b7e4ad3ce6c297620728729d8a7552b7611cbaf11720c2275ea26
                          • Instruction ID: 9ee0b01bcf7567cd66ceb024badfb90fa64b53d91c5a107926018cc84587e51c
                          • Opcode Fuzzy Hash: d6ce6d8aa46b7e4ad3ce6c297620728729d8a7552b7611cbaf11720c2275ea26
                          • Instruction Fuzzy Hash: B2F0A731B09249AFC701CB749D55AAEBFE6DFC1204B09C4ADD44DDB152E9318A069781
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aae961fdf0a08ebec5fcf4a86e4fc2f61185fecd3e519ad25d643845ec5c03dd
                          • Instruction ID: 8362a5c3ef2c6b354fe47fe80b266e9e5b541b5378f187cb1124a76e306824c9
                          • Opcode Fuzzy Hash: aae961fdf0a08ebec5fcf4a86e4fc2f61185fecd3e519ad25d643845ec5c03dd
                          • Instruction Fuzzy Hash: 65F06730A05208EFCB81EFB8E96458CBFB1EF84300F6086ADD409E7265EB705A588B41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7e4dbc47d9478ed5e0837bd664c485e9d43052ca3b2680e7b68df3ac79333196
                          • Instruction ID: 1f2688f090b19460f00308c33cc23a50e504e12a8fb45bdc578420e6f5b51929
                          • Opcode Fuzzy Hash: 7e4dbc47d9478ed5e0837bd664c485e9d43052ca3b2680e7b68df3ac79333196
                          • Instruction Fuzzy Hash: 6BF0F870911208EFCB84EFB8E95559CBBF1EB84301F6085A9D409A7224EA706B489B41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 637b83199dff0ddea989b6db9bde6cdb77a73c552c1b58e0c8f77d08f773b792
                          • Instruction ID: aa58160deda96d4c810427b334f251d296247daebb5debd2f1e5b7bc2a34d0a2
                          • Opcode Fuzzy Hash: 637b83199dff0ddea989b6db9bde6cdb77a73c552c1b58e0c8f77d08f773b792
                          • Instruction Fuzzy Hash: 21E0C22235CB914FC746A33C54600DCABE2EDC131074B82B7D108CB69BCF988C4687E2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000014.00000002.2477467375.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_20_2_b10000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d50f0d2b5ad8712bc0ee0243ad8091b959af41a5799b75a607584c0d78511558
                          • Instruction ID: c8365d314093e5e24e943972aa7fb5b548ec6c24f269abf9401644ca8ad5e6be
                          • Opcode Fuzzy Hash: d50f0d2b5ad8712bc0ee0243ad8091b959af41a5799b75a607584c0d78511558
                          • Instruction Fuzzy Hash: C1D09E35740219CFCF00EFA8D5445DC77B0EF88715F0000A9E109DB270DB759895CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000003.2496426074.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 81e$(81e$081e$881e$@81e$H81e$x61e$x61e
                          • API String ID: 0-2456279330
                          • Opcode ID: 37abdb439a113e81548a22112a94a380bf1202a242a82e055cf2f65aaeb7bf26
                          • Instruction ID: bb40e9d740e75fb03b66cf3400042ffae13a521d8c03bc7a0eadef7098bb0cc0
                          • Opcode Fuzzy Hash: 37abdb439a113e81548a22112a94a380bf1202a242a82e055cf2f65aaeb7bf26
                          • Instruction Fuzzy Hash: F8E1F131B1DA4A4BE75DFB2894256B973E2EF95304F5540BDE42ECB2D7CE29E8028341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000003.2496426074.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 71e$71e
                          • API String ID: 0-1146660554
                          • Opcode ID: 40449ce3cb6771de6b0cb3869950e0360264750d11873e83904e955b9f2a95da
                          • Instruction ID: 742281d26d28e433d516b2aed436bdf89203989ded33aa6d081025f3049560ed
                          • Opcode Fuzzy Hash: 40449ce3cb6771de6b0cb3869950e0360264750d11873e83904e955b9f2a95da
                          • Instruction Fuzzy Hash: C5C11536B0C69A0BE718FA6DE4216F97791DF85325B0440B6DA9DCF197CE24A84B8380
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000003.2496426074.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 2C_I
                          • API String ID: 0-999908352
                          • Opcode ID: 86b96733a5b89f2936cb131214a8975639748ef72378a964b2a451a2d6e90718
                          • Instruction ID: 8c83c0cb88e8276b5798c7e6164fb0df5522fe812fb3683177bc62341a1e4110
                          • Opcode Fuzzy Hash: 86b96733a5b89f2936cb131214a8975639748ef72378a964b2a451a2d6e90718
                          • Instruction Fuzzy Hash: 16524DA3B0F6C40FE7656ABC58651386B92EF96350B1901FBD1A98F1FBE814BD028341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000003.2496426074.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_3_7ffd9b6c0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 61e
                          • API String ID: 0-4030466609
                          • Opcode ID: 7628302f9863bc52797e7545e363e76d05401ff92e253d96a2cef7dbbae830a4
                          • Instruction ID: d4974e3d05c5488d9ab16f4edbcaae261edf992b6baa25f54e2f55ab992f20bd
                          • Opcode Fuzzy Hash: 7628302f9863bc52797e7545e363e76d05401ff92e253d96a2cef7dbbae830a4
                          • Instruction Fuzzy Hash: 3791392060F68A4FD766BB7C98756717FE4EF43314B1901FEE1A9CB0A3E9186846C352
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000016.00000003.2496426074.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_3_7ffd9b6c0000_rundll32.jbxd
                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q$$^q
                          • API String ID: 0-355816377
                          • Opcode ID: 9964a5443b87ab55ed79cf86f2e726d317523f0cbeebd2f44ba02545b5eec571
                          • Instruction ID: 892d1247001de1869ee7ddb3a181a789cfab59f120f0cec418baa0f36db19a70
                          • Opcode Fuzzy Hash: 9964a5443b87ab55ed79cf86f2e726d317523f0cbeebd2f44ba02545b5eec571
                          • Instruction Fuzzy Hash: E7219131D0070ADFCF15AF68D854999F7B4FF85314B0586AED4496F225EB71E884CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q
                          • API String ID: 0-388095546
                          • Opcode ID: fda7710f4230e9d5c0de803f67c10803237b26310a8920eb6785ae69b7d33a93
                          • Instruction ID: 522f6c3d957793badca1d3acce8d8cf7da44878092ab3fb2a25e0a68d3dbbc23
                          • Opcode Fuzzy Hash: fda7710f4230e9d5c0de803f67c10803237b26310a8920eb6785ae69b7d33a93
                          • Instruction Fuzzy Hash: D221A13190474ADFCB119F78D8545A9FB71FF55300F098AAED4496F262EB31D884CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 49f73a09b94297fcbb6ef283178284c510367d913a77d67363ff098203fe1fde
                          • Instruction ID: f4b3650331acb05c95d0fa0a3cc234b267143129b1976040608a014076a8f065
                          • Opcode Fuzzy Hash: 49f73a09b94297fcbb6ef283178284c510367d913a77d67363ff098203fe1fde
                          • Instruction Fuzzy Hash: A761CC30A00345CFCF09EBB4D9646AE7BB2BF84704F18846AD445AB365DB709C4ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f563c4894b134f55af8cf29474754f2faf6e0affcf0512a647ac454c53c7ed7
                          • Instruction ID: bc32199635b30bd6eb6eb9c37563d7d65367e6e9fb2361338c4293daffb7de90
                          • Opcode Fuzzy Hash: 7f563c4894b134f55af8cf29474754f2faf6e0affcf0512a647ac454c53c7ed7
                          • Instruction Fuzzy Hash: 4E516132D50B46A6E710DBA5CC45799F371EFDA700F21CB1AF6483B191EBB0A1D8C641
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fd88788ce5b1b34c5c74e5afec0cac23c519624e43c0565ce04e8536a9ace761
                          • Instruction ID: 03f8a825c822867e39f3bde13ce10f3e3f9d8cf68c751c61e89aa73e9786c01a
                          • Opcode Fuzzy Hash: fd88788ce5b1b34c5c74e5afec0cac23c519624e43c0565ce04e8536a9ace761
                          • Instruction Fuzzy Hash: D5512D32E50B06A6E710DBA5CC45B9AF371EFE9700F61CB16F6483B191EBB0A1D4C691
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a65fd12f1b00ac92b3f4269d1cb013ebac974946b0ee1169e8dfa36da9c6fdd7
                          • Instruction ID: d3e00c31082479295690d737747b4bb3d5e56855e10415a6b216a320153e0545
                          • Opcode Fuzzy Hash: a65fd12f1b00ac92b3f4269d1cb013ebac974946b0ee1169e8dfa36da9c6fdd7
                          • Instruction Fuzzy Hash: 9F417332E1074A9BCB01DFB9C8904DDF7B2FF95300B11C66AE955B7211EB30A586CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 522404e85f7c8f89b61a49b5d01dafd45b27429c6d6d5dfa9c24d5d79132689b
                          • Instruction ID: e6f3c492a286af7711437b7525bcf55d9e6fea9e7485a5e0bc5e04ed24038fc8
                          • Opcode Fuzzy Hash: 522404e85f7c8f89b61a49b5d01dafd45b27429c6d6d5dfa9c24d5d79132689b
                          • Instruction Fuzzy Hash: 5C417F34B0064A9FCB04DB75C995AAEBBB3EFC4304F10C539D10A97365EB30A906CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 839a943e1afd00e8add675f61e2ca696910e05bf43db394049f6bf05a5553bdf
                          • Instruction ID: 6d8d275419cf865571d2ac0a4cf0aacd140c5ab11c37c8cfc8f4000714d940f8
                          • Opcode Fuzzy Hash: 839a943e1afd00e8add675f61e2ca696910e05bf43db394049f6bf05a5553bdf
                          • Instruction Fuzzy Hash: C64114B1D103498ECB10CFAAC985ADEFBB5AF48300F20812AE449BB250D7706A49CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0c0f7401018b6a938e10d007eda76af9e7f00a4d49465d09391be914fefb4041
                          • Instruction ID: ae28abc3754267387429864d5d661d515a95d690d334e53057b23d60279919b8
                          • Opcode Fuzzy Hash: 0c0f7401018b6a938e10d007eda76af9e7f00a4d49465d09391be914fefb4041
                          • Instruction Fuzzy Hash: D531B536E0160AABDB00DFB9D8805EEF7B2FF95300F11C66AE445A7221FB30A585C790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 983bf116491347736a9c69c0b9f6b900ba8381ab7dfc421fd215a4a2ee8d73a7
                          • Instruction ID: 05dd5f25386a3b6c426d34c1c5f4c744cc17e6027442cd60079544707bd3ca53
                          • Opcode Fuzzy Hash: 983bf116491347736a9c69c0b9f6b900ba8381ab7dfc421fd215a4a2ee8d73a7
                          • Instruction Fuzzy Hash: 084126B5D01248DFCB15DFA9C595BDEBFF6AF48304F24802AE404AB260CB745945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce40875d02a608d441ae7fab66a3604bd6b8cff5d62ad1d2e1ff61b307839593
                          • Instruction ID: a34bbcab3fededb5e2ab66875d2c0a4545704ffbcd7d66f7625039f737f13afe
                          • Opcode Fuzzy Hash: ce40875d02a608d441ae7fab66a3604bd6b8cff5d62ad1d2e1ff61b307839593
                          • Instruction Fuzzy Hash: 9F4114B1D01258DFCB14CFAAC995BDEBFF5AF48304F24802AE419AB291CB745946CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 142c61a17500bfb3976a4302d7a33fe979a46aef46ce431a6060ee64730fd2d7
                          • Instruction ID: 2076b2afe9432e1a01ebb8d0621fcb608b16d824af7c76154933b226b9b32edc
                          • Opcode Fuzzy Hash: 142c61a17500bfb3976a4302d7a33fe979a46aef46ce431a6060ee64730fd2d7
                          • Instruction Fuzzy Hash: CE41F2B1C10359CACB14CFAAC944ADEFBB5BF48304F20812AE459BB240D7746A49CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ec8b60b5f043b66f876bf9859945d023af73daa463c216a309f23ac5de8ae258
                          • Instruction ID: 993ba6d9155aa1985f0abdb8f04505670dcd4f97323daf28806058d109d57eba
                          • Opcode Fuzzy Hash: ec8b60b5f043b66f876bf9859945d023af73daa463c216a309f23ac5de8ae258
                          • Instruction Fuzzy Hash: A111C02224D3C44FC712A37DA4621ADBFA6CEC2354F1945BBC1458B6B7CA519C8AC772
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f7347d4319946a3bca3397abb316df468bed89f7d335868478d360c0e8987a7
                          • Instruction ID: ef41fff7c2415eefdd56bcc9533ecc2289ac98e2fd32ed9b344b4202841a0860
                          • Opcode Fuzzy Hash: 1f7347d4319946a3bca3397abb316df468bed89f7d335868478d360c0e8987a7
                          • Instruction Fuzzy Hash: EC3104B5D01248DFCB14DFAAC595BDEBBF5AF48304F24802AE405AB250CB745945CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000017.00000002.2492276864.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_23_2_d30000_DefMic.jbxd
                          Memory Dump Source
                          • Source File: 0000001A.00000002.2496113045.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_26_2_7ffd9b600000_sbdrvmgr.jbxd
                          Strings
                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 2B_I
                          • API String ID: 0-979045943
                          • Opcode ID: ba2a01e3a2195ad5ed6244390c2454d26ee28d42bcc211001f4fd19ef5f62acf
                          • Instruction ID: d30bfd47fc7805a30d1422a86c58b632f0f92c4421b527051928dd90d9096720
                          • Opcode Fuzzy Hash: ba2a01e3a2195ad5ed6244390c2454d26ee28d42bcc211001f4fd19ef5f62acf
                          • Instruction Fuzzy Hash: 8652E6A2B0F6C50FE7658ABC6C251396B92EFD6350B1942FBD09C8B1FBD854BD068341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: afd7c88dd6232b4d4ef7997679ea854f99620db5557386257e308c4475a7c7ee
                          • Instruction ID: ae74b0f48642f2c711b8b505076670c877dc846f20487d596488ab4eb68c4c02
                          • Opcode Fuzzy Hash: afd7c88dd6232b4d4ef7997679ea854f99620db5557386257e308c4475a7c7ee
                          • Instruction Fuzzy Hash: A7E138A2B0E6C90FE7698ABC68251786B91EFC5350B0942FBD09DCB1FBDC54BD068341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a29563009df51769a819419e35a90f18900b65588487869cbec3fd85219b1005
                          • Instruction ID: 276e786b72ef13933be2b3d74be336014b3cbd93a1c4fd066b1bd78c085e56de
                          • Opcode Fuzzy Hash: a29563009df51769a819419e35a90f18900b65588487869cbec3fd85219b1005
                          • Instruction Fuzzy Hash: AA91F86170E6C95FE7669B7C9C656717FE0EF93214B0902FED0A9CB0A3E9086846C351
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 723f23a0fde4140c72d5ea6599906a95ea60ff1e8d3a213823da580f79131982
                          • Instruction ID: 70009478038b6b52f4f71d3039aa84762437938dc3dbd6c0a75f8eec306d92d8
                          • Opcode Fuzzy Hash: 723f23a0fde4140c72d5ea6599906a95ea60ff1e8d3a213823da580f79131982
                          • Instruction Fuzzy Hash: AAC12822B1DA890FE71DAB7858265F97B90EF85314B0502BFE09ECF1D7CE1969078384
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a2f67b8cc9d06fdfa65c034ae2640d6866f85eec61923379e8a4838105add34f
                          • Instruction ID: 9049d8eb4528361734b6a74a45277857492030ed3a9f8e8b657364821ccc4a90
                          • Opcode Fuzzy Hash: a2f67b8cc9d06fdfa65c034ae2640d6866f85eec61923379e8a4838105add34f
                          • Instruction Fuzzy Hash: 37A10721B0F68A0FE7B996FC9C751A53B91DFC6650B4A42FAD068CB1E7DC087D468341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0c9103d8f0b93cec57269f033b2fc0c3d81c11a2fbe1e733b49efb7d38680c75
                          • Instruction ID: 18ca519682f5e1089fc8d74655b92e815b2d19e1f652809f5f42473592b64cd7
                          • Opcode Fuzzy Hash: 0c9103d8f0b93cec57269f033b2fc0c3d81c11a2fbe1e733b49efb7d38680c75
                          • Instruction Fuzzy Hash: 84810421B1EA890BD71DAB7848225BC7BD1FF85304B5506FDE06ECF1D7CE29A9068345
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 23ce7cf4419f59ce4575d30a0e75de0266cbc8efde3edafd2fb191677d96454a
                          • Instruction ID: 2b2d011bf453567169de81e29eb3319d8bb1b5a71a7f8490cd9f49d75b0069e4
                          • Opcode Fuzzy Hash: 23ce7cf4419f59ce4575d30a0e75de0266cbc8efde3edafd2fb191677d96454a
                          • Instruction Fuzzy Hash: 19610711B0FACA0FE7A567B848762B96BC1DF85210F5506FEE49ACB1E7CD0C69468341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d3fa9f47c0808a7f01fe85d7d25500404b3632bcc8a543a298ce619728d067de
                          • Instruction ID: 9726ccec9f8cd2789f5480447cf99bed2ad60299bda27400546563f7774197b8
                          • Opcode Fuzzy Hash: d3fa9f47c0808a7f01fe85d7d25500404b3632bcc8a543a298ce619728d067de
                          • Instruction Fuzzy Hash: 29611321B1DA890BD71DAB7848225BC7BD1FF85300B5506FDE06ECF1E7CE29A9068345
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a50816d8d182e1ffd1ff31cf0bf73bce1493f60e94730db68cd8505807590ee
                          • Instruction ID: 0cc40a516071a11dbfe1cd7663210cc79260e6a8dd0da05a59744cdb0290cece
                          • Opcode Fuzzy Hash: 3a50816d8d182e1ffd1ff31cf0bf73bce1493f60e94730db68cd8505807590ee
                          • Instruction Fuzzy Hash: 71514923B0EA4A0FE759BA7CA8625F57790EFC132070941FBD499CB0D7DD08684B8390
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ea4c20b31d65043b8748b8758484b3a748e7d22f0762e198f9d94e1643e72bc1
                          • Instruction ID: 04a38904b351899e141fc4beb12f2eec354231bd321f4bda286d0b12b44ea925
                          • Opcode Fuzzy Hash: ea4c20b31d65043b8748b8758484b3a748e7d22f0762e198f9d94e1643e72bc1
                          • Instruction Fuzzy Hash: 4B51A030B09A4D8FEB95EF6CD855AE97BE0FF58314F0501BAE449D72A2DA35E841CB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000001C.00000003.2509561734.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_28_3_7ffd9b6d0000_rundll32.jbxd
                          Execution Graph

                          Execution Coverage:31.5%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:11
                          Total number of Limit Nodes:1

                          Callgraph

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph nodes 398-517 (edge list not reproduced); node 487 7ffd9b5f161e-7ffd9b5f16a7 SetupDiGetClassDevsExW
                          Memory Dump Source
                          • Source File: 0000001D.00000002.2509193471.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_29_2_7ffd9b5f0000_sbdrvmgr.jbxd

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 518 7ffd9b5f1d11-7ffd9b5f1d1d 519 7ffd9b5f1d28-7ffd9b5f1e03 SetupDiGetDeviceRegistryPropertyW 518->519 520 7ffd9b5f1d1f-7ffd9b5f1d27 518->520 524 7ffd9b5f1e0b-7ffd9b5f1e3a 519->524 525 7ffd9b5f1e05 519->525 520->519 525->524
                          APIs
                          Memory Dump Source
                          • Source File: 0000001D.00000002.2509193471.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_29_2_7ffd9b5f0000_sbdrvmgr.jbxd
                          Similarity
                          • API ID: DevicePropertyRegistrySetup
                          • String ID:
                          • API String ID: 3249385096-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 388 7ffd9b5f17fa-7ffd9b5f1cd4 SetupDiGetDeviceRegistryPropertyW 395 7ffd9b5f1cdc-7ffd9b5f1d0d 388->395 396 7ffd9b5f1cd6 388->396 396->395
                          APIs
                          Memory Dump Source
                          • Source File: 0000001D.00000002.2509193471.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_29_2_7ffd9b5f0000_sbdrvmgr.jbxd
                          Similarity
                          • API ID: DevicePropertyRegistrySetup
                          • String ID:
                          • API String ID: 3249385096-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 527 7ffd9b5f1e3d-7ffd9b5f1e49 528 7ffd9b5f1e4b-7ffd9b5f1e53 527->528 529 7ffd9b5f1e54-7ffd9b5f1ee2 SetupDiDestroyDeviceInfoList 527->529 528->529 533 7ffd9b5f1eea-7ffd9b5f1f18 529->533 534 7ffd9b5f1ee4 529->534 534->533
                          APIs
                          Memory Dump Source
                          • Source File: 0000001D.00000002.2509193471.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_29_2_7ffd9b5f0000_sbdrvmgr.jbxd
                          Similarity
                          • API ID: DestroyDeviceInfoListSetup
                          • String ID:
                          • API String ID: 271767589-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 2D_I
                          • API String ID: 0-1054241413
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a254a6e468c681c8ed1e23a2bfae33045f62cb5503cb593ab9733c841992aed2
                          • Instruction ID: 9d9457c6937f52daa6fdf774636071ad68085367449c22afaba016f1acfbb107
                          • Opcode Fuzzy Hash: a254a6e468c681c8ed1e23a2bfae33045f62cb5503cb593ab9733c841992aed2
                          • Instruction Fuzzy Hash: E0E147A2B1FBC91FE7655ABC14691786BE2EF46340B1901FBD0998B1FBDC14BD028781
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d20ee5b3d983443e7b43a9eaf42a89f3fc0da7b9c0b4409c8a05bbfe61d53fb
                          • Instruction ID: 8b4cb4e2ed33b57b64f858a3a0b6ff2ba9241da892d4c7afe81cfec7a25a6791
                          • Opcode Fuzzy Hash: 6d20ee5b3d983443e7b43a9eaf42a89f3fc0da7b9c0b4409c8a05bbfe61d53fb
                          • Instruction Fuzzy Hash: BF91072170E6D95FE7669B7C58645717FF0EF53224B1A01FFE0A9CB0A3E908A846C742
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7055271dcab070ac6c231e3766f9b0a7a901dc16a8adb23d53125b11911d7b79
                          • Instruction ID: aea9e9d9741fdf3c18ab6d9261b4b1c3ee24115609f5242011fe8905952f2ac7
                          • Opcode Fuzzy Hash: 7055271dcab070ac6c231e3766f9b0a7a901dc16a8adb23d53125b11911d7b79
                          • Instruction Fuzzy Hash: D9614721B0FAAA0FE7BA56F858751A52FE1EF46210B1601FAD07CCB1E7DD086D478741
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4423ea8ea919d62727bf172e835b5d08bb9b1cc95bdbc3ed91973bbe31f1857a
                          • Instruction ID: 79b228f909abc79115cf4783484a658b3e61c4b70ddf271fb1e3d0d0c1e4d1c0
                          • Opcode Fuzzy Hash: 4423ea8ea919d62727bf172e835b5d08bb9b1cc95bdbc3ed91973bbe31f1857a
                          • Instruction Fuzzy Hash: FC811721B1DB890FD71DAB7858364B8BBE1EF59304B1401FDE09DCB2D7CE28A5068786
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 07106f9a6de8fbb0b3b288ac708f92473cfb7667aa9fac21df58ae4ed6bfc989
                          • Instruction ID: 3ea06e353717c02e35abcb74908ce3dc1115779a7b11b868be65eeb89376e7f3
                          • Opcode Fuzzy Hash: 07106f9a6de8fbb0b3b288ac708f92473cfb7667aa9fac21df58ae4ed6bfc989
                          • Instruction Fuzzy Hash: 4F715912B0EA9A0FE76997B848762B87FE1EF41310F5501BDE0A9CB1E7DD1CB8468741
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9394f74fef01443ec14cd1b8b67a6b08d8e8ce529eb8835490ce634ad7071623
                          • Instruction ID: d13c01f3528245fe036e0abeb8ad65016d7ce651e48bb6b9e6a2cbe1a1b592fa
                          • Opcode Fuzzy Hash: 9394f74fef01443ec14cd1b8b67a6b08d8e8ce529eb8835490ce634ad7071623
                          • Instruction Fuzzy Hash: 6D612721A1EAC51FE71A977844766F97FE1EF86310B0940FEE09A8F1A3CD1895078741
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61a33fe939356e1a2a6baaa0e17acd370240bbbc28a286dad4715da4b723f0d6
                          • Instruction ID: c1b78d82ad6efe0234d643441875191b840d840abfe8ea86aca79163fd32912e
                          • Opcode Fuzzy Hash: 61a33fe939356e1a2a6baaa0e17acd370240bbbc28a286dad4715da4b723f0d6
                          • Instruction Fuzzy Hash: E851C231B0DA5C8FDB55EF6CD859AE97BE0FF59310B0400BEE449D72A2DA25A841CB41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 40a82285a4491fb59fa66615c04efd6b5944ce0a4cdf8697d518ce6f8149a949
                          • Instruction ID: 09b2270cf16300d6626554ff7ae3b2598f318764906ecfcefa6ad54c84e6b67e
                          • Opcode Fuzzy Hash: 40a82285a4491fb59fa66615c04efd6b5944ce0a4cdf8697d518ce6f8149a949
                          • Instruction Fuzzy Hash: 3B41AD23F0E69A0BD359BABCB8661F57BE0EF4222570801B7D4A9CA0D7DD09384B43C1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 85967604850850d020be2c97877791553d752145a0b6fbf0bba58bd91138327c
                          • Instruction ID: e08227e06dfd1898eac52b426fb809ecccf706fbe4d45bc5b82c9ecbfcaadc2e
                          • Opcode Fuzzy Hash: 85967604850850d020be2c97877791553d752145a0b6fbf0bba58bd91138327c
                          • Instruction Fuzzy Hash: C8412652B1EAAA0FE7A5A77C04751B93BE1EF89220B1544FAD099CF1E2DC18BC064341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000021.00000003.2566578301.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_33_3_7ffd9b6b0000_rundll32.jbxd
                          Strings
                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q$$^q
                          • API String ID: 0-355816377
                          Strings
                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q
                          • API String ID: 0-388095546
                          • Opcode ID: dfac6f400f0a55c9b4333acd429c622a3362f08d4ee113d761c68e8ef75a8545
                          • Instruction ID: 680728ac75a38488cc219648a4ea205c46fa01df996c44b7d75312903f0c0f53
                          • Opcode Fuzzy Hash: dfac6f400f0a55c9b4333acd429c622a3362f08d4ee113d761c68e8ef75a8545
                          • Instruction Fuzzy Hash: 5521B231D04749CFDF119F78D8544A9BBB1FF46300B0986AED4596B262EB31D484CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f4dac56e36dcf479fff64137b35bc9d47c35ea2725866e85eac6f1d004bd1f59
                          • Instruction ID: 28f0452244924f3e49b3525861b77809f8e21c5f134e9c3097e7d159c213e784
                          • Opcode Fuzzy Hash: f4dac56e36dcf479fff64137b35bc9d47c35ea2725866e85eac6f1d004bd1f59
                          • Instruction Fuzzy Hash: 4A61D430A00306CFDF55EF74D8546AE7BB2BF89704F00856DD9059736AEB719846CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2eb3eaf4c50e25ab94ac881542a99372ef789427bddb973c21904eb364fb81bc
                          • Instruction ID: 377ddd63d40280df0ab910fa4b6df6e4b32793eb27f9e48da678bf2385adb945
                          • Opcode Fuzzy Hash: 2eb3eaf4c50e25ab94ac881542a99372ef789427bddb973c21904eb364fb81bc
                          • Instruction Fuzzy Hash: 0C515F32E50B06AAE710DBA5CC45A99F371FF9A700F61CB16F6483B191FBB0A1D4C691
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 71c658d77c68e29b492a02347fdc3e3a0a7296e82aed638e5a99328c78e32061
                          • Instruction ID: b19b8e7fbca0e93410a6f78620af37bfe61b529471f2c787be71fa58cdcc2f97
                          • Opcode Fuzzy Hash: 71c658d77c68e29b492a02347fdc3e3a0a7296e82aed638e5a99328c78e32061
                          • Instruction Fuzzy Hash: B6513E32E50B06A6E710EBA5CC45A99F371FF99700F61CB16F6483B191FBB0A1D4C691
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4d180719534a1a7270e96d13e7a91a62612ed632896036c11f8cb306c4e72b2a
                          • Instruction ID: 1c646890cf867b82733125217cf557fc7a934fbac10a87a7cd6f042024b3f2c7
                          • Opcode Fuzzy Hash: 4d180719534a1a7270e96d13e7a91a62612ed632896036c11f8cb306c4e72b2a
                          • Instruction Fuzzy Hash: 85416D32E0074A9ACF01DFB9C8504DDFBB2FF95340B11C65AD959AB210EB70A595CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 13ff3ea310ffdd74389dd75d79f5c65cf7fe889bad4030dcb20e9bfce881e1ea
                          • Instruction ID: 4531c6ad761e5eeabfca26e4bce3767fa58aa2c78d5509771a3757b7c0ddcdeb
                          • Opcode Fuzzy Hash: 13ff3ea310ffdd74389dd75d79f5c65cf7fe889bad4030dcb20e9bfce881e1ea
                          • Instruction Fuzzy Hash: 2D411171D0424DCFCB10CFAAC994ACEFBB5EF49304F20826AD459AB255D7356A49CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b912dcacda4fe920f76f8cf56e6cb8f4be54abb75f5c62da73b18c05817156cc
                          • Instruction ID: aaa91aff585f3a95904fd0baaa9b69dc2400c6e215a5bbfacfb0ea1a88b4ff18
                          • Opcode Fuzzy Hash: b912dcacda4fe920f76f8cf56e6cb8f4be54abb75f5c62da73b18c05817156cc
                          • Instruction Fuzzy Hash: C4413D30B0060ADBCB44DF75D955AAEBBF3EF85304B01C568D51AA7368EB31A9068B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4a2615e99e495e443d33f9865036df73225147fb4eed7d1168bd620c135727a1
                          • Instruction ID: 04e6f7ecf8963e0da5e082ebba035aa048f1eccb0a604361c4541b35b6e7a54b
                          • Opcode Fuzzy Hash: 4a2615e99e495e443d33f9865036df73225147fb4eed7d1168bd620c135727a1
                          • Instruction Fuzzy Hash: 6321A12124D7C44FC702A77CA5702E9BFA28FC6354B0A45EBC1858B2BFCA549C89C766
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 362110d888212d3ea2ee3f0c1e92b1bad08ef297229ff934bc915575718eb5d5
                          • Instruction ID: 0854d7361a4f544d57903c4f2bf1a9cd8185823ba01cf7b6c4427a43fa5238e7
                          • Opcode Fuzzy Hash: 362110d888212d3ea2ee3f0c1e92b1bad08ef297229ff934bc915575718eb5d5
                          • Instruction Fuzzy Hash: F3316032E0170AEBDB00DFB9D8945DEF7B6EF95350F11C66AE508A7210EB30A585C790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 68fcd8b07586e385a01cab9aeb337f63b393940d9ea090bbddf6a7a0048cbc7b
                          • Instruction ID: 3f3f5cefe7076cc5413a816fb5ce2d5b3951601b49440fd6eaba008456ab3804
                          • Opcode Fuzzy Hash: 68fcd8b07586e385a01cab9aeb337f63b393940d9ea090bbddf6a7a0048cbc7b
                          • Instruction Fuzzy Hash: 394114B1E00248DFCF14DFE9C994BDEBBB6AF49304F14806AE519AB254CB745945CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000022.00000002.2561676205.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_34_2_26f0000_DefMic.jbxd
                          Memory Dump Source
                          • Source File: 00000024.00000002.2566192522.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_36_2_7ffd9b610000_sbdrvmgr.jbxd
                          Strings
                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 2A_I
                          • API String ID: 0-941469806
                          • Opcode ID: 682a0c64fd086a48be510d8baa94e0d3f89dbc801f5795d51c35835da1c91129
                          • Instruction ID: 8ae66e10b78932730a91726d3b26016ced6b5867c61d24c805835c241c7a1f28
                          • Opcode Fuzzy Hash: 682a0c64fd086a48be510d8baa94e0d3f89dbc801f5795d51c35835da1c91129
                          • Instruction Fuzzy Hash: 7222D9E3B0F6C40FEB254DBC18251296F92EB9635071901FFD0A98E1FBE815BD269345
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: (7>
                          • API String ID: 0-2569561971
                          • Opcode ID: 904cbf99bbeeb7f0687e05f150f0ca7858e3186df3f439e6ff6ae4cbafe0fab9
                          • Instruction ID: 5ab6cbd8f13f26c029000da854277931eaca9fc39ea43c391c31efc9aa3b2b0d
                          • Opcode Fuzzy Hash: 904cbf99bbeeb7f0687e05f150f0ca7858e3186df3f439e6ff6ae4cbafe0fab9
                          • Instruction Fuzzy Hash: B4C12530E09A4D4FDB5AEF6888256A977E1EF55304F1100BEC02ACF2E6DE35A906CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 6>
                          • API String ID: 0-2983116669
                          • Opcode ID: 3a025e335d6d35d13dcad5842bcf8c2567a4013039d6476f32601275bc1bddc9
                          • Instruction ID: aa5d292c70296c89d1251eb37406c330ff30530a46ef73a75e8379dcffc3bc6e
                          • Opcode Fuzzy Hash: 3a025e335d6d35d13dcad5842bcf8c2567a4013039d6476f32601275bc1bddc9
                          • Instruction Fuzzy Hash: 2B91F62160E6C95FE7679B7C98746727FE0EF53214B0A01FED0A9CB0A7E9086D56C342
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f643aea6575d207f7698c6a77caca593bf96a908074d411427bbe596149a6c0
                          • Instruction ID: af3f6097ac77866361e8bf5748143adba3adb8fc39a782a54e5440335e2dc025
                          • Opcode Fuzzy Hash: 1f643aea6575d207f7698c6a77caca593bf96a908074d411427bbe596149a6c0
                          • Instruction Fuzzy Hash: 2ED10AA2B0F6C90FEB694EBC14291696BD1EF95350B1901FFD0A98B1FBEC15BD128341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 6>
                          • API String ID: 0-2983116669
                          • Opcode ID: 69840fc719b055c5a6e0b60dcc6191aaad23b2a2c7aea9d35c67d954d4269b2a
                          • Instruction ID: 2f38c6a9b0add9a60fd602193a0ed9fe6f1ae132ae69d2c30c89adca37d0e20e
                          • Opcode Fuzzy Hash: 69840fc719b055c5a6e0b60dcc6191aaad23b2a2c7aea9d35c67d954d4269b2a
                          • Instruction Fuzzy Hash: F2518F31B09A0C8FEB95EF6CD855AE977E1FF59304F0500AAE419DB2A2DA35EC51C740
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 576fda9162761fae8ff430f508e6c85febac862114a28987b0aa48ff232da4ff
                          • Instruction ID: 218df45e570ed4283f9184cd00b9f929caf48a607f677e363957be790ec1557b
                          • Opcode Fuzzy Hash: 576fda9162761fae8ff430f508e6c85febac862114a28987b0aa48ff232da4ff
                          • Instruction Fuzzy Hash: B651D522A0D2E21BE31A77BCF8669E53B90DF4123570845FBE2ED990D7DD08744B8399
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1be94acd02e0ea211b6e5970e67eb80676ab7e73567be554a01234d1900e8502
                          • Instruction ID: 1dae8cf66d11357e7f0265702bf4610cad7f899344fd5c41f1cca69c4b70d30f
                          • Opcode Fuzzy Hash: 1be94acd02e0ea211b6e5970e67eb80676ab7e73567be554a01234d1900e8502
                          • Instruction Fuzzy Hash: 1031C32260D2950FE31AB7BCE8669E53BA0DF0222570841FBE2EDCE097D908684B8355
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ad226505668bdaa06d8a59cca6669b7583802e3c33ae3b3931b1e96f4e630d58
                          • Instruction ID: c9cd9f7dceb37071beffa01d69d249d1feb2a048fb4fb34f82bc7013aea000d6
                          • Opcode Fuzzy Hash: ad226505668bdaa06d8a59cca6669b7583802e3c33ae3b3931b1e96f4e630d58
                          • Instruction Fuzzy Hash: B691F313B0D2A60BE719B6BCB8A65E93B90DF4223970841F7D1E98E0E7DD09744B8295
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef3d798bf509619c24a07aaa908363da9849f9d338299b138015103a9eda6a68
                          • Instruction ID: 7fcbcea508f3e5a68d9d9594bfb585f65329425ddbe00fba8f3315c8e7b0735f
                          • Opcode Fuzzy Hash: ef3d798bf509619c24a07aaa908363da9849f9d338299b138015103a9eda6a68
                          • Instruction Fuzzy Hash: EF410711A0FB8A0FE76A967848766A43BE1EF56350B0501FBD468CB0F7EC0C6D568342
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ac8f8cacc9e3f3a75eb621d4d013efa2b5e66726d27ec07ab0d5ab440261e01c
                          • Instruction ID: f770d65b3fc132d7c47176cb2db6a7557f178385a29d4c5d93fca2f5ed32171f
                          • Opcode Fuzzy Hash: ac8f8cacc9e3f3a75eb621d4d013efa2b5e66726d27ec07ab0d5ab440261e01c
                          • Instruction Fuzzy Hash: CE41E43091E7CD4FDB2A9BB958646F97FA4EF13325F0801BFD099C61A3CA182416C746
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a03782f2241463ffefb2012b9679a4b1fd09cca1ac4eb7903fcdab381d81df1e
                          • Instruction ID: 63f676dd9ea14d632f32f38fc72e939c12c407db28b521b747a7d8e017d5d82d
                          • Opcode Fuzzy Hash: a03782f2241463ffefb2012b9679a4b1fd09cca1ac4eb7903fcdab381d81df1e
                          • Instruction Fuzzy Hash: 4B210812F0FA9A0FEBFA52BC94751A92B929F45A10B0511FAC0B8CE1E7DD086D534381
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000026.00000003.2631657644.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_38_3_7ffd9b6e0000_rundll32.jbxd
                          Memory Dump Source
                          • Source File: 00000027.00000003.2684330811.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_39_3_7ffd9b6c0000_rundll32.jbxd
                          Memory Dump Source
                          • Source File: 00000028.00000002.2665272602.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_40_2_9b0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q$$^q
                          • API String ID: 0-355816377
                          • Opcode ID: 2a6b1063e42cc492b8c4c8eb336bf5aded1f405b18fbc38072ca5ce1dc389295
                          • Instruction ID: 6fbf584b12d5f0b88638eaf34417795d2bdfddf3be97111bf9366ab8e024ce20
                          • Opcode Fuzzy Hash: 2a6b1063e42cc492b8c4c8eb336bf5aded1f405b18fbc38072ca5ce1dc389295
                          • Instruction Fuzzy Hash: 2221BF31D10709CFCF10AF68D8548A9F7B4FF85310B1586AED4096B226EB31E889CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000028.00000002.2665272602.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_40_2_9b0000_DefMic.jbxd
                          Similarity
                          • API ID:
                          • String ID: $^q
                          • API String ID: 0-388095546
                          • Opcode ID: 9f173131fddab19fd79c93fb006e4467fe25756d6bc8016c7ad039b337b5f1a2
                          • Instruction ID: b046d6ec45a0c89d14a649ce9a67093c95e8d9eca18120a80590652c4e776d2c
                          • Opcode Fuzzy Hash: 9f173131fddab19fd79c93fb006e4467fe25756d6bc8016c7ad039b337b5f1a2
                          • Instruction Fuzzy Hash: 6F21E031904749CFCF11AF78D8244A9FB71FF45310B058AAED4496B222EB31D885CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000002A.00000002.2672050054.00007FFD9B630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B630000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_42_2_7ffd9b630000_sbdrvmgr.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000030.00000003.2705002529.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_48_3_7ffd9b6e0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: 2A_I
                          • API String ID: 0-941469806
