Windows Analysis Report
ScreenBeam_Conference_Windows_1.0.5.9.msi

Overview

General Information

Sample name: ScreenBeam_Conference_Windows_1.0.5.9.msi
Analysis ID: 1492053
MD5: a770cb1544e4ce49e254dcc8b0a92ff9
SHA1: 1ec5c384f1e1700692642933f3bc6ed97f1e703f
SHA256: e8fa77eca6f7a5db3b7ad7fe0ecf363db990ddd4359579500fbc56eba67c06de
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Drops executables to the windows directory (C:\Windows) and starts them
Sample is not signed and drops a device driver
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to read device registry values (via SetupAPI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory

Classification

  • System is w10x64
  • msiexec.exe (PID: 7096 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ScreenBeam_Conference_Windows_1.0.5.9.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6380 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4180 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0E3DF5012F3B4169CA96DD45D36CF523 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 1228 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 83970C7A15921B07EA6C6C5B0F912C8C C MD5: E5DA170027542E25EDE42FC54C929077)
      • rundll32.exe (PID: 1028 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5938703 98 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 6832 cmdline: "DefMic.exe" --def MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 7148 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA388.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5940125 108 ByomCustomAction!ByomCustomAction.CustomActions.VerifyDriverBusy MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 4176 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 2344 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • DefMic.exe (PID: 1340 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 2768 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 5804 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC74E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5949281 136 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 3636 cmdline: "DefMic.exe" --def MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 2520 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSICBD3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5950437 146 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 980 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 8 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 3488 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 3684 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID346.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5952328 172 ByomCustomAction!ByomCustomAction.CustomActions.RemoveDriver MD5: EF3179D498793BF4234F708D3BE28633)
        • sbdrvmgr.exe (PID: 1704 cmdline: "sbdrvmgr.exe" --remove "ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5" MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 6608 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8C4DFE4B0FD77B464A03913D859715A5 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 6724 cmdline: C:\Windows\System32\MsiExec.exe -Embedding E7D2AB119D1112766403D568BA232170 MD5: E5DA170027542E25EDE42FC54C929077)
      • rundll32.exe (PID: 6856 cmdline: rundll32.exe "C:\Windows\Installer\MSIE9D2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5958140 141 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 6972 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 5104 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 344 cmdline: rundll32.exe "C:\Windows\Installer\MSIF3D7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5960671 168 ByomCustomAction!ByomCustomAction.CustomActions.WaitForUnpairDeviceApp MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 7080 cmdline: rundll32.exe "C:\Windows\Installer\MSIC34.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5966937 176 ByomCustomAction!ByomCustomAction.CustomActions.StopSBUCProcesses MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 2136 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 2024 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 2112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • DefMic.exe (PID: 4548 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 4192 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 1144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 2724 cmdline: rundll32.exe "C:\Windows\Installer\MSI1A8D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5970578 228 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 792 cmdline: "DefMic.exe" --def MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 5124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 2164 cmdline: rundll32.exe "C:\Windows\Installer\MSI2339.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5972890 238 ByomCustomAction!ByomCustomAction.CustomActions.SetIsInstallingTrue MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 5228 cmdline: rundll32.exe "C:\Windows\Installer\MSI2A31.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5974609 445 ByomCustomAction!ByomCustomAction.CustomActions.IsDriverBusy MD5: EF3179D498793BF4234F708D3BE28633)
        • DefMic.exe (PID: 1060 cmdline: "DefMic.exe" --list MD5: F03298C90AB58E72A04E1AA310608B4C)
          • conhost.exe (PID: 3912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sbdrvmgr.exe (PID: 940 cmdline: "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5 MD5: C7EEAC397EC6B4EC895E89D0E43C652D)
          • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 1608 cmdline: rundll32.exe "C:\Windows\Installer\MSI3619.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5977656 460 ByomCustomAction!ByomCustomAction.CustomActions.DisableCampfilters MD5: EF3179D498793BF4234F708D3BE28633)
  • svchost.exe (PID: 2944 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files\ScreenBeam\Conference\service\netstandard.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
    Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 2944, ProcessName: svchost.exe
    No Suricata rule has matched

    Source: C:\Windows\System32\msiexec.exe
    Directory created (one entry per line):
      C:\Program Files\ScreenBeam
      C:\Program Files\ScreenBeam\Conference
      C:\Program Files\ScreenBeam\Conference\app
      C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.exe
      C:\Program Files\ScreenBeam\Conference\appsettings
      C:\Program Files\ScreenBeam\Conference\appsettings\settings.json
      C:\Program Files\ScreenBeam\Conference\eula.rtf
      C:\Program Files\ScreenBeam\Conference\ScreenBeam.bmp
      C:\Program Files\ScreenBeam\Conference\ScreenBeam.ico
      C:\Program Files\ScreenBeam\Conference\app\ControlzEx.dll
      C:\Program Files\ScreenBeam\Conference\app\ControlzEx.pdb
      C:\Program Files\ScreenBeam\Conference\app\ControlzEx.xml
      C:\Program Files\ScreenBeam\Conference\app\de
      C:\Program Files\ScreenBeam\Conference\app\de\MahApps.Metro.resources.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avcodec-58.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avformat-58.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avutil-56.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libcrypto-1_1-x64.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libssl-1_1-x64.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\OnvifClientLibrary.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBCamFilter64.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBRTSPAudio64.exe
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swresample-3.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swscale-5.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avcodec-58.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avformat-58.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avutil-56.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libcrypto-1_1.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libssl-1_1.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\OnvifClientLibrary.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBCamFilter32.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBRTSPAudio32.exe
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swresample-3.dll
      C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swscale-5.dll
      C:\Program Files\ScreenBeam\Conference\service
      C:\Program Files\ScreenBeam\Conference\service\vacdisable.exe
      C:\Program Files\ScreenBeam\Conference\service\vacenable.exe
      C:\Program Files\ScreenBeam\Conference\app\Fizzler.dll
      C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.dll
      C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.xml
      C:\Program Files\ScreenBeam\Conference\app\HtmlToXamlConverter.dll
      C:\Program Files\ScreenBeam\Conference\app\Images
      C:\Program Files\ScreenBeam\Conference\app\Images\Camera 01.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Camera 01b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Conf 01.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Conf 01b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Conf 02.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Conf 02b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Connect 01.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Connect 01b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Connect 02.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Connect 02b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Devices 01.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Devices 01b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Display 01.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Display 01b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Display 02.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Display 02b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Go2Meeting.png
      C:\Program Files\ScreenBeam\Conference\app\Images\GoogleMeet_audio.png
      C:\Program Files\ScreenBeam\Conference\app\Images\GoogleMeet_video.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Hamburger 01.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Hamburger 01b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\ham_menu.svg
      C:\Program Files\ScreenBeam\Conference\app\Images\info-icon.png
      C:\Program Files\ScreenBeam\Conference\app\Images\panic_button.png
      C:\Program Files\ScreenBeam\Conference\app\Images\repair_icon.png
      C:\Program Files\ScreenBeam\Conference\app\Images\ScreenBeamLogo.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Settings 01.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Settings 01b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Source 01.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Source 01b.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Teams_03.png
      C:\Program Files\ScreenBeam\Conference\app\Images\teams_settings.png
      C:\Program Files\ScreenBeam\Conference\app\Images\warning-orange.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Warning_blk.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Warning_red.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Webex_audio.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Webex_video.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Zoom_audio.png
      C:\Program Files\ScreenBeam\Conference\app\Images\zoom_settings.png
      C:\Program Files\ScreenBeam\Conference\app\Images\Zoom_video.png
      C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.dll
      C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.pdb
      C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.xml
      C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.dll
      C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.xml
      C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.dll
      C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.pdb
      C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.xml
      C:\Program Files\ScreenBeam\Conference\app\Newtonsoft.Json.dll
      C:\Program Files\ScreenBeam\Conference\app\Newtonsoft.Json.xml
      C:\Program Files\ScreenBeam\Conference\app\NLog.config
      C:\Program Files\ScreenBeam\Conference\app\NLog.dll
      C:\Program Files\ScreenBeam\Conference\app\NLog.xml
      C:\Program Files\ScreenBeam\Conference\app\qf4net.dll
      C:\Program Files\ScreenBeam\Conference\app\SBConference.Common.dll
      C:\Program Files\ScreenBeam\Conference\app\SBConference.Common.pdb
      C:\Program Files\ScreenBeam\Conference\app\SBConference.Model.dll
      C:\Program Files\ScreenBeam\Conference\app\SBConference.Model.pdb
      C:\Program Files\ScreenBeam\Conference\app\SBConference.ViewModel.dll
      C:\Program Files\ScreenBeam\Conference\app\SBConference.ViewModel.pdb
      C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.exe.config
      C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.pdb
      C:\Program Files\ScreenBeam\Conference\app\Svg.dll
      C:\Program Files\ScreenBeam\Conference\app\Svg.xml
      C:\Program Files\ScreenBeam\Conference\app\System.Buffers.dll
      C:\Program Files\ScreenBeam\Conference\app\System.Buffers.xml
      C:\Program Files\ScreenBeam\Conference\app\System.Memory.dll
      C:\Program Files\ScreenBeam\Conference\app\System.Memory.xml
      C:\Program Files\ScreenBeam\Conference\app\System.Numerics.Vectors.dll
      C:\Program Files\ScreenBeam\Conference\app\System.Numerics.Vectors.xml
      C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.dll
      C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.xml
      C:\Program Files\ScreenBeam\Conference\app\System.ValueTuple.dll
      C:\Program Files\ScreenBeam\Conference\app\System.ValueTuple.xml
      C:\Program Files\ScreenBeam\Conference\app\System.Windows.Interactivity.dll
      C:\Program Files\ScreenBeam\Conference\app\System.Windows.Interactivity.xml
      C:\Program Files\ScreenBeam\Conference\audio
      C:\Program Files\ScreenBeam\Conference\audio\vac
      C:\Program Files\ScreenBeam\Conference\audio\vac\instrmv.cmd
      C:\Program Files\ScreenBeam\Conference\audio\vac\vac
      C:\Program Files\ScreenBeam\Conference\audio\vac\vac\vacscbkd.cat
      C:\Program Files\ScreenBeam\Conference\audio\vac\vac\vacscbkd.inf
      C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64
      C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sys
      C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86
      C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbkd.sys
      C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr
      C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64
      C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64\wdmdrvmgr.exe
      C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86
      C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86\wdmdrvmgr.exe
      C:\Program Files\ScreenBeam\Conference\service\NLog.config
      C:\Program Files\ScreenBeam\Conference\service\NLog.dll
      C:\Program Files\ScreenBeam\Conference\service\NLog.xml
      C:\Program Files\ScreenBeam\Conference\service\qf4net.dll
      C:\Program Files\ScreenBeam\Conference\service\SBConference.Common.dll
      C:\Program Files\ScreenBeam\Conference\service\SBConference.Common.pdb
      C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.exe
      C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.exe.config
      C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.pdb
      C:\Program Files\ScreenBeam\Conference\service\vac
      C:\Program Files\ScreenBeam\Conference\service\vac\instrmv.cmd
      C:\Program Files\ScreenBeam\Conference\service\vac\vac
      C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd.cat
      C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd.inf
      C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd6x.cat
      C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd6x.inf
      C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64
      C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbcp.exe
      C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbkd.sys
      C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86
      C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbcp.exe
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbkd.sysJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgrJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64\wdmdrvmgr.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86\wdmdrvmgr.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.FoundationContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Windows.WinMD
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\CreateProcessAsUser.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Microsoft.Win32.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.AppContext.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Concurrent.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.NonGeneric.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Specialized.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.EventBasedAsync.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.TypeConverter.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Console.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Data.Common.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Contracts.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Debug.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.FileVersionInfo.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Process.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.StackTrace.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TextWriterTraceListener.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tools.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TraceSource.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tracing.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Drawing.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Dynamic.Runtime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Calendars.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.ZipFile.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.DriveInfo.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Watcher.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.IsolatedStorage.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.MemoryMappedFiles.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Pipes.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.UnmanagedMemoryStream.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Expressions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Queryable.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Http.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NameResolution.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NetworkInformation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Ping.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Requests.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Security.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Sockets.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebHeaderCollection.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.Client.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ObjectModel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Reader.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.ResourceManager.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Writer.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.CompilerServices.VisualC.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Handles.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.RuntimeInformation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Numerics.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Formatters.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Json.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Xml.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Claims.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Algorithms.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Csp.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Encoding.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.X509Certificates.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Principal.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.SecureString.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.RegularExpressions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Overlapped.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Thread.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.ThreadPool.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Timer.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ValueTuple.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.ReaderWriter.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XDocument.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlDocument.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlSerializer.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.XDocument.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.FoundationContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Windows.WinMD
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\config1_base.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ipsee.txt
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libcrypto-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libssl-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\runconfig.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ssl.ca
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ssl.key
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\user manual.pdf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\vcruntime140.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\zlibwapi.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\en-US
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\en-US\SBConference.Model.resources.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Interop.NetFwTypeLib.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\config2_base.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Direct3D9.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.DXGI.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Mathematics.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.MediaFoundation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\BouncyCastle.Crypto.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacdisable.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacenable.exe
    Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreenBeam Conference 1.0.5.9
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\eula.rtf
    Source: Binary string: \??\C:\Windows\Installer\MSIE9D2.tmp-\DefMic.pdbesmjP% source: DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbuser\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\UsersC: source: DefMic.exe, 00000029.00000002.2601695537.0000000000885000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: DefMic.exe, 0000000C.00000002.2332882724.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Release\DefMic.pdb source: DefMic.exe, 00000015.00000002.2418031873.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000114E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb& source: DefMic.exe, 00000018.00000002.2434106425.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dows\exe\DefMic.pdbb source: DefMic.exe, 00000009.00000002.2315385049.0000000001421000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2418031873.0000000000E62000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2434106425.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000113A000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\agent\_work\66\s\build\ship\x64\SfxCA.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi, MSIA388.tmp.0.dr
    Source: Binary string: Microsoft.Xaml.Behaviors.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.pdb089 source: DefMic.exe, 00000018.00000002.2434106425.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: m,C:\Windows\DefMic.pdb source: DefMic.exe, 00000009.00000002.2315352819.000000000137A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332066418.000000000059A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2338778949.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2417347437.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2433790232.0000000000BFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2509531647.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2633223685.0000000000BDA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682300284.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIE9D2.tmp-\DefMic.pdb source: DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdb source: DefMic.exe, 00000009.00000002.2315385049.0000000001421000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2434106425.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000113A000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb source: System.Reflection.Primitives.dll.1.dr
    Source: Binary string: enkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb source: DefMic.exe, 00000023.00000002.2514999105.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mC:\Windows\Installer\MSIC34.tmp-\DefMic.pdb source: DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdbAE source: DefMic.exe, 00000032.00000002.2634106384.0000000001120000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: NLog.dll.1.dr
    Source: Binary string: mC:\Windows\Installer\MSI2A31.tmp-\DefMic.pdb source: DefMic.exe, 00000036.00000002.2682300284.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdbAO source: DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.1.dr
    Source: Binary string: dows\exe\DefMic.pdbC source: DefMic.exe, 00000032.00000002.2634106384.000000000113A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: DefMic.exe, 00000009.00000002.2315385049.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332882724.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001363000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2418031873.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.0000000001120000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections.NonGeneric\4.0.3.0\System.Collections.NonGeneric.pdb source: System.Collections.NonGeneric.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.PDB+ source: DefMic.exe, 00000009.00000002.2315385049.0000000001429000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: .pdbR source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\Installer\MSI2A31.tmp-\DefMic.pdbes source: DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000009.00000002.2315352819.000000000137A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000009.00000002.2315385049.0000000001429000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000009.00000000.2312611326.0000000000FE2000.00000002.00000001.01000000.00000007.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332066418.000000000059A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332882724.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2338778949.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2417347437.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2434106425.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2433790232.0000000000BFA000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2509531647.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000114E000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2633223685.0000000000BDA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000115B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb8 source: DefMic.exe, 00000015.00000002.2418031873.0000000000E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\mscorlib.pdbv source: DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.1.dr
    Source: Binary string: m.pdb source: DefMic.exe, 00000009.00000002.2315352819.000000000137A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332066418.000000000059A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2338778949.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2417347437.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2433790232.0000000000BFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2509531647.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2633223685.0000000000BDA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682300284.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: ]XiX MahApps.Metro.pdbx& source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\mscorlib.pdb} source: DefMic.exe, 00000010.00000002.2339064034.0000000001376000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdbDc` source: DefMic.exe, 00000018.00000002.2434106425.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Windows\System32\msiexec.exe File opened: z:
    Source: C:\Windows\System32\msiexec.exe File opened: x:
    Source: C:\Windows\System32\msiexec.exe File opened: v:
    Source: C:\Windows\System32\msiexec.exe File opened: t:
    Source: C:\Windows\System32\msiexec.exe File opened: r:
    Source: C:\Windows\System32\msiexec.exe File opened: p:
    Source: C:\Windows\System32\msiexec.exe File opened: n:
    Source: C:\Windows\System32\msiexec.exe File opened: l:
    Source: C:\Windows\System32\msiexec.exe File opened: j:
    Source: C:\Windows\System32\msiexec.exe File opened: h:
    Source: C:\Windows\System32\msiexec.exe File opened: f:
    Source: C:\Windows\System32\msiexec.exe File opened: b:
    Source: C:\Windows\System32\msiexec.exe File opened: y:
    Source: C:\Windows\System32\msiexec.exe File opened: w:
    Source: C:\Windows\System32\msiexec.exe File opened: u:
    Source: C:\Windows\System32\msiexec.exe File opened: s:
    Source: C:\Windows\System32\msiexec.exe File opened: q:
    Source: C:\Windows\System32\msiexec.exe File opened: o:
    Source: C:\Windows\System32\msiexec.exe File opened: m:
    Source: C:\Windows\System32\msiexec.exe File opened: k:
    Source: C:\Windows\System32\msiexec.exe File opened: i:
    Source: C:\Windows\System32\msiexec.exe File opened: g:
    Source: C:\Windows\System32\msiexec.exe File opened: e:
    Source: C:\Windows\System32\msiexec.exe File opened: c:
    Source: C:\Windows\System32\msiexec.exe File opened: a:

    Networking

    Source: Yara match File source: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll, type: DROPPED
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msi String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307453659.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307507660.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326505467.0000023E9D28F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412657115.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412706204.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2425117897.0000026F6F9A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443933473.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443755624.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502207658.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502092223.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2527104301.000001EBD34E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590597773.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590438906.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307453659.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307507660.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326505467.0000023E9D28F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412657115.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412706204.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2425117897.0000026F6F9A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443933473.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443755624.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502207658.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502092223.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2527104301.000001EBD34E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590597773.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590438906.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, System.Data.Common.dll.1.dr, System.Runtime.Serialization.Json.dll.1.dr, System.Collections.NonGeneric.dll.1.dr, System.Xml.XPath.dll.1.dr, System.Diagnostics.Process.dll.1.dr, System.Windows.Interactivity.dll.1.dr, System.Resources.Writer.dll.1.dr, System.IO.dll.1.dr, System.Resources.ResourceManager.dll.1.dr, OnvifClientLibrary.dll.1.dr, SBConference.Model.dll.1.dr, NLog.dll.1.dr, avcodec-58.dll.1.dr, avutil-56.dll.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A28D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.53.dr, Newtonsoft.Json.dll.53.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307453659.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307507660.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326505467.0000023E9D28F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412657115.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412706204.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2425117897.0000026F6F9A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443933473.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443755624.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502207658.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502092223.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2527104301.000001EBD34E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590597773.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590438906.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307453659.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307507660.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326505467.0000023E9D28F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412657115.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412706204.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2425117897.0000026F6F9A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443933473.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443755624.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502207658.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502092223.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2527104301.000001EBD34E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590597773.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590438906.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://docs.oasis-open.org/wsn/bw-2/NotificationProducer/SubscribeRequest
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://docs.oasis-open.org/wsn/bw-2/PausableSubscriptionManager/PauseSubscriptionRequest
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://docs.oasis-open.org/wsn/bw-2/PausableSubscriptionManager/ResumeSubscriptionRequest
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://docs.oasis-open.org/wsn/bw-2/PullPoint/DestroyPullPointRequest
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://docs.oasis-open.org/wsn/bw-2/PullPoint/GetMessagesRequest
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://docs.oasis-open.org/wsn/bw-2/SubscriptionManager/RenewRequest
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://docs.oasis-open.org/wsn/bw-2/SubscriptionManager/UnsubscribeRequest
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
    Source: Newtonsoft.Json.dll.53.drString found in binary or memory: http://james.newtonking.com/projects/json
    Source: rundll32.exe, 00000017.00000002.2440754056.0000026F71A80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://msdn.m
    Source: rundll32.exe, 00000028.00000002.2619629046.000001D1D3FD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://msdn.micro
    Source: rundll32.exe, 0000000B.00000002.2345983673.0000023EB74F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://msdn.microso
    Source: rundll32.exe, 00000008.00000002.2318236283.0000022DED824000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://msdn.microsoft.c
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, System.Data.Common.dll.1.dr, System.Runtime.Serialization.Json.dll.1.dr, System.Collections.NonGeneric.dll.1.dr, System.Xml.XPath.dll.1.dr, System.Diagnostics.Process.dll.1.dr, System.Windows.Interactivity.dll.1.dr, System.Resources.Writer.dll.1.dr, System.IO.dll.1.dr, System.Resources.ResourceManager.dll.1.dr, OnvifClientLibrary.dll.1.dr, SBConference.Model.dll.1.dr, NLog.dll.1.dr, avcodec-58.dll.1.dr, avutil-56.dll.1.drString found in binary or memory: http://ocsp.digicert.com0
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, System.Data.Common.dll.1.dr, System.Runtime.Serialization.Json.dll.1.dr, System.Collections.NonGeneric.dll.1.dr, System.Xml.XPath.dll.1.dr, System.Diagnostics.Process.dll.1.dr, System.Windows.Interactivity.dll.1.dr, System.Resources.Writer.dll.1.dr, System.IO.dll.1.dr, System.Resources.ResourceManager.dll.1.dr, OnvifClientLibrary.dll.1.dr, SBConference.Model.dll.1.dr, NLog.dll.1.dr, avcodec-58.dll.1.dr, avutil-56.dll.1.drString found in binary or memory: http://ocsp.digicert.com0A
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307453659.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307507660.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326505467.0000023E9D28F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412657115.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412706204.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2425117897.0000026F6F9A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443933473.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443755624.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502207658.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502092223.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2527104301.000001EBD34E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590597773.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590438906.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A28D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.53.dr, Newtonsoft.Json.dll.53.drString found in binary or memory: http://ocsp.digicert.com0K
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307453659.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307507660.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326505467.0000023E9D28F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412657115.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412706204.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2425117897.0000026F6F9A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443933473.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443755624.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502207658.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502092223.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2527104301.000001EBD34E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590597773.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590438906.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307453659.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307507660.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326505467.0000023E9D28F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412657115.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412706204.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2425117897.0000026F6F9A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443933473.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443755624.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502207658.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502092223.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2527104301.000001EBD34E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590597773.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590438906.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msi, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Reflection.Primitives.dll.1.dr, System.Data.Common.dll.1.dr, System.Runtime.Serialization.Json.dll.1.dr, System.Collections.NonGeneric.dll.1.dr, System.Xml.XPath.dll.1.dr, System.Diagnostics.Process.dll.1.dr, System.Windows.Interactivity.dll.1.dr, System.Resources.Writer.dll.1.dr, System.IO.dll.1.dr, System.Resources.ResourceManager.dll.1.dr, OnvifClientLibrary.dll.1.dr, SBConference.Model.dll.1.dr, NLog.dll.1.dr, avcodec-58.dll.1.dr, avutil-56.dll.1.drString found in binary or memory: http://ocsp.digicert.com0X
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A28D000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.53.drString found in binary or memory: http://wixtoolset.org
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE0C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71442000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A123000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F265000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A775E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5143000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A259000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.53.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE0C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71442000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A123000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F265000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A775E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5143000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A259000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.53.drString found in binary or memory: http://wixtoolset.org/news/
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/receiver/wsdl/GetReceiverStatep
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/receiver/wsdl/GetReceiverk
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/receiver/wsdl/GetReceivers
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/receiver/wsdl/GetReceiversj
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/receiver/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/receiver/wsdl/GetServiceCapabilitiesi
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/receiver/wsdl/SetReceiverMode
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/receiver/wsdl/SetReceiverModeo
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/CreateRecording
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/CreateRecordingJob
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/CreateTrack
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/DeleteRecording
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/DeleteRecordingJob
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/DeleteTrack
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/GetRecordingConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/GetRecordingJobConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/GetRecordingJobState
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/GetRecordingJobs
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/GetRecordingOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/GetRecordings
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/GetTrackConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/SetRecordingConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/SetRecordingJobConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/SetRecordingJobMode
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/recording/wsdl/SetTrackConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/replay/wsdl/GetReplayConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/replay/wsdl/GetReplayUri
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/replay/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/replay/wsdl/SetReplayConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/CreateSchedule
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/CreateSpecialDayGroup
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/CreateSpecialDayGroupe
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/DeleteSchedule
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/DeleteSpecialDayGroup
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/DeleteSpecialDayGroupg
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetScheduleInfo
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetScheduleInfoList
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetScheduleInfoZ
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetScheduleList
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetScheduleState
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetScheduleStateh
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetSchedules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetServiceCapabilitiesY
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetSpecialDayGroupInfo
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetSpecialDayGroupInfoList
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetSpecialDayGroupInfoListb
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetSpecialDayGroupInfoa
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetSpecialDayGroupList
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetSpecialDayGroupListd
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetSpecialDayGroups
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/GetSpecialDayGroupsc
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/ModifySchedule
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/ModifySchedule_
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/ModifySpecialDayGroup
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/schedule/wsdl/ModifySpecialDayGroupf
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/EndSearch
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/FindEvents
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/FindMetadata
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/FindPTZPosition
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/FindRecordings
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/GetEventSearchResults
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/GetMediaAttributes
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/GetMetadataSearchResults
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/GetPTZPositionSearchResults
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/GetRecordingInformation
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/GetRecordingSearchResults
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/GetRecordingSummary
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/GetSearchState
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/search/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetConfiguration8
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetConfigurationOptions:
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetConfigurations7
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetRadiometryConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetRadiometryConfiguration;
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetRadiometryConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetRadiometryConfigurationOptions=
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/GetServiceCapabilities6
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/SetConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/SetConfiguration9
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/thermal/wsdl/SetRadiometryConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/tptz/PanTiltSpaces/GenericSpeedSpace
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/tptz/PanTiltSpaces/PositionGenericSpace
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/tptz/PanTiltSpaces/TranslationGenericSpace
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/tptz/PanTiltSpaces/VelocityGenericSpace
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/tptz/ZoomSpaces/PositionGenericSpace
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/tptz/ZoomSpaces/TranslationGenericSpace
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/tptz/ZoomSpaces/VelocityGenericSpace
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver10/tptz/ZoomSpaces/ZoomGenericSpeedSpace
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/CreateAnalyticsModules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/CreateRules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/DeleteAnalyticsModules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/DeleteRules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/GetAnalyticsModuleOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/GetAnalyticsModules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/GetRuleOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/GetRules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/GetSupportedAnalyticsModules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/GetSupportedRules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/ModifyAnalyticsModules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/analytics/wsdl/ModifyRules
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/FocusStop
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/GetCurrentPreset
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/GetImagingSettings
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/GetMoveOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/GetOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/GetPresets
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/GetStatus
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/Move
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/SetCurrentPreset
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/imaging/wsdl/SetImagingSettings
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/AddConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/CreateMask
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/CreateOSD
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/CreateProfile
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/DeleteMask
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/DeleteOSD
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/DeleteProfile
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetAnalyticsConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetAudioDecoderConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetAudioDecoderConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetAudioEncoderConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetAudioEncoderConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetAudioOutputConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetAudioOutputConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetAudioSourceConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetAudioSourceConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetMaskOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetMasks
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetMetadataConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetMetadataConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetOSDOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetOSDs
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetProfiles
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetSnapshotUri
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetStreamUri
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetVideoEncoderConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetVideoEncoderConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetVideoEncoderInstances
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetVideoSourceConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetVideoSourceConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/GetVideoSourceModes
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/RemoveConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetAudioDecoderConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetAudioEncoderConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetAudioOutputConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetAudioSourceConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetMask
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetMetadataConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetOSD
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetSynchronizationPoint
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetVideoEncoderConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetVideoSourceConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/SetVideoSourceMode
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/StartMulticastStreaming
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/media/wsdl/StopMulticastStreaming
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/AbsoluteMove
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/ContinuousMove
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/CreatePresetTour
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GeoMove
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetConfigurationOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetConfigurations
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetNode
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetNodes
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetPresetTour
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetPresetTourOptions
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetPresetTours
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetPresets
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetServiceCapabilities
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GetStatus
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GotoHomePosition
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/GotoPreset
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/ModifyPresetTour
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/OperatePresetTour
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/RelativeMove
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/RemovePreset
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/RemovePresetTour
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/SendAuxiliaryCommand
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/SetConfiguration
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/SetHomePosition
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/SetPreset
    Source: OnvifClientLibrary.dll.1.drString found in binary or memory: http://www.onvif.org/ver20/ptz/wsdl/Stop
    Source: vacscbkd.inf0.1.drString found in binary or memory: http://www.screenbeam.com
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A28D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.53.drString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
    Source: rundll32.exe, 0000003A.00000003.2700327404.000002806A259000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.screenbeam.com
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307453659.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307507660.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326505467.0000023E9D28F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412657115.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412706204.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2425117897.0000026F6F9A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443933473.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443755624.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502207658.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502092223.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2527104301.000001EBD34E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590597773.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590438906.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
    Source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A28D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.53.drString found in binary or memory: https://www.newtonsoft.com/json
    Source: Newtonsoft.Json.dll.53.drString found in binary or memory: https://www.newtonsoft.com/jsonschema
    Source: rundll32.exe, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.53.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\5adaf8.msi
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE847.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE8C5.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE8F5.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE944.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE9A2.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE9D2.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF3A7.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF3D7.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBE4.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC04.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC34.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1A8D.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2339.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27ED.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipi
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E1BB77DB-A6A4-46CF-B4AC-1B9051B2876F}
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2A11.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2A31.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3619.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3DAB.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{E1BB77DB-A6A4-46CF-B4AC-1B9051B2876F}
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{E1BB77DB-A6A4-46CF-B4AC-1B9051B2876F}\ScreenBeam.exe
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI746C.tmp
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\5adafa.msi
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\CustomAction.config
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\CustomAction.config
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\CustomAction.config
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\CustomAction.config
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\CustomAction.config
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\CustomAction.config
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\CustomAction.config
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIE847.tmp
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x86.exe vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: OriginalFilenameviewer.exeF vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: OriginalFileNameaipackagechainer.exeh vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: OriginalFilenameNetFirewall.dllF vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: OriginalFilenamePrereq.dllF vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: OriginalFilenameExternalUICleaner.dllF vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: OriginalFilenameByomCustomAction.dllB vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: classification engineClassification label: mal52.troj.evad.winMSI@92/405@0/0
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1144:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2080:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_03
    Source: C:\Windows\System32\rundll32.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5580:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2112:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1284:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3912:120:WilError_03
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA44D.tmp
    Source: C:\Windows\System32\msiexec.exeFile read: C:\Windows\win.ini
    Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5938703 98 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ScreenBeam_Conference_Windows_1.0.5.9.msi"
    Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0E3DF5012F3B4169CA96DD45D36CF523 C
    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 83970C7A15921B07EA6C6C5B0F912C8C C
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5938703 98 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA388.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5940125 108 ByomCustomAction!ByomCustomAction.CustomActions.VerifyDriverBusy
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC74E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5949281 136 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSICBD3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5950437 146 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID346.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5952328 172 ByomCustomAction!ByomCustomAction.CustomActions.RemoveDriver
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --remove "ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5"
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8C4DFE4B0FD77B464A03913D859715A5
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding E7D2AB119D1112766403D568BA232170
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE9D2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5958140 141 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF3D7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5960671 168 ByomCustomAction!ByomCustomAction.CustomActions.WaitForUnpairDeviceApp
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC34.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5966937 176 ByomCustomAction!ByomCustomAction.CustomActions.StopSBUCProcesses
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1A8D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5970578 228 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2339.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5972890 238 ByomCustomAction!ByomCustomAction.CustomActions.SetIsInstallingTrue
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2A31.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5974609 445 ByomCustomAction!ByomCustomAction.CustomActions.IsDriverBusy
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3619.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5977656 460 ByomCustomAction!ByomCustomAction.CustomActions.DisableCampfilters
    Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1A8D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5970578 228 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2339.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5972890 238 ByomCustomAction!ByomCustomAction.CustomActions.SetIsInstallingTrue
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2A31.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5974609 445 ByomCustomAction!ByomCustomAction.CustomActions.IsDriverBusy
    Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3619.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5977656 460 ByomCustomAction!ByomCustomAction.CustomActions.DisableCampfilters
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
    Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
    Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: mscoree.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: apphelp.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: version.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: mmdevapi.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: devobj.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: audioses.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: powrprof.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeSection loaded: umpdc.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeSection loaded: mscoree.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeSection loaded: apphelp.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeSection loaded: version.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: mscoree.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: apphelp.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: version.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: mmdevapi.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: devobj.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: audioses.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: powrprof.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: umpdc.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: mscoree.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: apphelp.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: version.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: mscoree.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: version.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: mmdevapi.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: devobj.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: audioses.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: powrprof.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeSection loaded: umpdc.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: mscoree.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: version.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: mscoree.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: apphelp.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: version.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: mmdevapi.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: devobj.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: audioses.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: powrprof.dll
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeSection loaded: umpdc.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: mscoree.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: apphelp.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: version.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: mmdevapi.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: devobj.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: audioses.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: powrprof.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeSection loaded: umpdc.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeSection loaded: mscoree.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeSection loaded: apphelp.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeSection loaded: version.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
    Source: C:\Windows\System32\msiexec.exe Automated click: Next >
    Source: C:\Windows\System32\msiexec.exe Automated click: Next >
    Source: C:\Windows\System32\msiexec.exe Automated click: Accept
    Source: C:\Windows\System32\msiexec.exe Automated click: Install
    Source: C:\Windows\System32\msiexec.exe Automated click: Install
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\appsettings
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\appsettings\settings.json
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\eula.rtf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\ScreenBeam.bmp
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\ScreenBeam.ico
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ControlzEx.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ControlzEx.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ControlzEx.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\de
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\de\MahApps.Metro.resources.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avcodec-58.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avformat-58.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avutil-56.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libcrypto-1_1-x64.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libssl-1_1-x64.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\OnvifClientLibrary.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBCamFilter64.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBRTSPAudio64.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swresample-3.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swscale-5.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avcodec-58.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avformat-58.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avutil-56.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libcrypto-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libssl-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\OnvifClientLibrary.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBCamFilter32.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBRTSPAudio32.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swresample-3.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swscale-5.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vacdisable.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\vacenable.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Fizzler.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\HtmlToXamlConverter.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Camera 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Camera 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Conf 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Conf 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Conf 02.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Conf 02b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Connect 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Connect 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Connect 02.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Connect 02b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Devices 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Devices 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Display 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Display 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Display 02.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Display 02b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Go2Meeting.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\GoogleMeet_audio.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\GoogleMeet_video.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Hamburger 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Hamburger 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\ham_menu.svg
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\info-icon.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\panic_button.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\repair_icon.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\ScreenBeamLogo.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Settings 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Settings 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Source 01.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Source 01b.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Teams_03.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\teams_settings.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\warning-orange.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Warning_blk.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Warning_red.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Webex_audio.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Webex_video.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Zoom_audio.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\zoom_settings.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Images\Zoom_video.png
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Newtonsoft.Json.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\NLog.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\NLog.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\NLog.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\qf4net.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Common.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Common.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Model.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Model.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.ViewModel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConference.ViewModel.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Svg.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Svg.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Buffers.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Buffers.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Memory.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Memory.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Numerics.Vectors.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Numerics.Vectors.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.ValueTuple.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.ValueTuple.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Windows.Interactivity.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Windows.Interactivity.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\instrmv.cmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\vacscbkd.cat
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\vacscbkd.inf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64\wdmdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86\wdmdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\NLog.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\NLog.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\NLog.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\qf4net.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Common.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Common.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.exe.config
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.pdbJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vacJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\instrmv.cmdJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vacJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd.catJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd.infJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd6x.catJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\vacscbkd6x.infJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbcp.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbkd.sysJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbcp.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbkd.sysJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgrJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64\wdmdrvmgr.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86Jump to behavior
    Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86\wdmdrvmgr.exeJump to behavior
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.FoundationContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Windows.WinMD
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\CreateProcessAsUser.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Microsoft.Win32.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.AppContext.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Concurrent.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.NonGeneric.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Specialized.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.EventBasedAsync.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.TypeConverter.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Console.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Data.Common.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Contracts.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Debug.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.FileVersionInfo.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Process.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.StackTrace.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TextWriterTraceListener.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tools.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TraceSource.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tracing.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Drawing.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Dynamic.Runtime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Calendars.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.ZipFile.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.DriveInfo.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Watcher.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.IsolatedStorage.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.MemoryMappedFiles.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Pipes.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.IO.UnmanagedMemoryStream.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Expressions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Queryable.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Http.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NameResolution.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NetworkInformation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Ping.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Requests.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Security.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Sockets.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebHeaderCollection.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.Client.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ObjectModel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Reader.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.ResourceManager.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Writer.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.CompilerServices.VisualC.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Handles.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.RuntimeInformation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Numerics.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Formatters.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Json.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Xml.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Claims.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Algorithms.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Csp.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Encoding.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.X509Certificates.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Principal.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Security.SecureString.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Text.RegularExpressions.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Overlapped.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Thread.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.ThreadPool.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Timer.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.ValueTuple.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.ReaderWriter.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XDocument.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlDocument.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlSerializer.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.XDocument.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.FoundationContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\service\Windows.WinMD
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\config1_base.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ipsee.txt
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libcrypto-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libssl-1_1.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\runconfig.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ssl.ca
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\ssl.key
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\user manual.pdf
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\vcruntime140.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\zlibwapi.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\en-US
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\en-US\SBConference.Model.resources.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Interop.NetFwTypeLib.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\config2_base.xml
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Direct3D9.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.DXGI.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Mathematics.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.MediaFoundation.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exe.config
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.pdb
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\BouncyCastle.Crypto.dll
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacdisable.exe
    Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacenable.exe
    Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreenBeam Conference 1.0.5.9
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msi Static file information: File size 102135296 > 1048576
    Source: Binary string: \??\C:\Windows\Installer\MSIE9D2.tmp-\DefMic.pdbesmjP% source: DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbuser\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\UsersC: source: DefMic.exe, 00000029.00000002.2601695537.0000000000885000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: DefMic.exe, 0000000C.00000002.2332882724.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Release\DefMic.pdb source: DefMic.exe, 00000015.00000002.2418031873.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000114E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb& source: DefMic.exe, 00000018.00000002.2434106425.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dows\exe\DefMic.pdbb source: DefMic.exe, 00000009.00000002.2315385049.0000000001421000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2418031873.0000000000E62000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2434106425.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000113A000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\agent\_work\66\s\build\ship\x64\SfxCA.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi, MSIA388.tmp.0.dr
    Source: Binary string: Microsoft.Xaml.Behaviors.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.pdb089 source: DefMic.exe, 00000018.00000002.2434106425.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: m,C:\Windows\DefMic.pdb source: DefMic.exe, 00000009.00000002.2315352819.000000000137A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332066418.000000000059A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2338778949.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2417347437.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2433790232.0000000000BFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2509531647.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2633223685.0000000000BDA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682300284.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSIE9D2.tmp-\DefMic.pdb source: DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdb source: DefMic.exe, 00000009.00000002.2315385049.0000000001421000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2434106425.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000113A000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb source: System.Reflection.Primitives.dll.1.dr
    Source: Binary string: enkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb source: DefMic.exe, 00000023.00000002.2514999105.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mC:\Windows\Installer\MSIC34.tmp-\DefMic.pdb source: DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdbAE source: DefMic.exe, 00000032.00000002.2634106384.0000000001120000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: NLog.dll.1.dr
    Source: Binary string: mC:\Windows\Installer\MSI2A31.tmp-\DefMic.pdb source: DefMic.exe, 00000036.00000002.2682300284.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.pdb9 source: DefMic.exe, 00000015.00000002.2418031873.0000000000E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb/jIj ;j_CorExeMainmscoree.dll source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000009.00000000.2312611326.0000000000FE2000.00000002.00000001.01000000.00000007.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332882724.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2434106425.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A28D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.PDB source: DefMic.exe, 00000018.00000002.2434106425.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mC:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.pdb source: DefMic.exe, 00000018.00000002.2433790232.0000000000BFA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: MahApps.Metro.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: dows\dll\mscorlib.pdb source: DefMic.exe, 00000009.00000002.2315385049.0000000001421000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000113A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ]XiX XamlAnimatedGif.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.ResourceManager\4.0.1.0\System.Resources.ResourceManager.pdb source: System.Resources.ResourceManager.dll.1.dr
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb* source: System.Diagnostics.Process.dll.1.dr
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO\4.1.2.0\System.IO.pdb source: System.IO.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbb;k source: DefMic.exe, 00000010.00000002.2339064034.0000000001363000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\Installer\MSIC34.tmp-\DefMic.pdb source: DefMic.exe, 0000002D.00000002.2610891134.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ControlzEx.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbemp\MSIC74E.tmp-\DefMic.PDB source: DefMic.exe, 00000015.00000002.2417347437.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: Release\DefMic.pdb/jI source: DefMic.exe, 00000015.00000002.2418031873.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000114E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: enkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbqq source: DefMic.exe, 00000029.00000002.2601695537.0000000000885000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: DefMic.exe, 00000009.00000002.2315385049.0000000001401000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332882724.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2418031873.0000000000E41000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2601695537.0000000000854000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UnpairDeviceApp.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: X StreamPlayback.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\mscorlib.pdbqO source: DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Data.Common/netfx\System.Data.Common.pdb source: System.Data.Common.dll.1.dr
    Source: Binary string: X SBConference.Common.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: X SBConference.Model.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Writer\4.0.2.0\System.Resources.Writer.pdb source: System.Resources.Writer.dll.1.dr
    Source: Binary string: X UnpairDeviceApp.pdb^ source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: D]XiX ControlzEx.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: SBConference.Model.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.PDBdoS source: DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: ScreenBeamConference.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb__z source: DefMic.exe, 0000000C.00000002.2332882724.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb$*>* 0*_CorDllMainmscoree.dll source: System.Reflection.Primitives.dll.1.dr
    Source: Binary string: \??\C:\Windows\DefMic.pdbr source: DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \mscorlib.pdbZ source: DefMic.exe, 00000036.00000002.2682664496.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdbC source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbp-\DefMic.PDB source: DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdbbtcP source: DefMic.exe, 00000018.00000002.2434106425.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdbv source: DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: X SBConference.ViewModel.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\Installer\MSIC34.tmp-\DefMic.pdb source: DefMic.exe, 00000029.00000002.2601695537.0000000000854000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer\msi-installer\ByomCustomAction\ByomCustomAction\obj\x64\Release\ByomCustomAction.pdb source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE0C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71442000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A123000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F265000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A775E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5143000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A259000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\Installer\MSI1A8D.tmp-\DefMic.pdb< source: DefMic.exe, 00000032.00000002.2634106384.000000000113A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE0C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71442000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A123000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F265000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A775E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5143000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A259000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.53.dr
    Source: Binary string: \??\C:\Windows\DefMic.pdbb source: DefMic.exe, 00000015.00000002.2418031873.0000000000E41000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.0000000001120000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbp source: DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XPath\4.0.3.0\System.Xml.XPath.pdb source: System.Xml.XPath.dll.1.dr
    Source: Binary string: symbols\exe\DefMic.pdb source: DefMic.exe, 00000009.00000002.2315352819.000000000137A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2338778949.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2417347437.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2433790232.0000000000BFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2633223685.0000000000BDA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682300284.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.pdb source: DefMic.exe, 00000009.00000002.2315385049.0000000001429000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256 source: NLog.dll.1.dr
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.PDBs source: DefMic.exe, 0000000C.00000002.2332882724.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mC:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.pdb source: DefMic.exe, 00000015.00000002.2417347437.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: enkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbe source: DefMic.exe, 0000000C.00000002.2332882724.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2418031873.0000000000E71000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ns\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbPP source: DefMic.exe, 00000015.00000002.2418031873.0000000000E71000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb.F source: DefMic.exe, 0000000C.00000002.2332882724.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb&C?W source: DefMic.exe, 00000015.00000002.2418031873.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ase\DefMic.pdb source: DefMic.exe, 00000009.00000002.2315385049.0000000001429000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Writer\4.0.2.0\System.Resources.Writer.pdbl( source: System.Resources.Writer.dll.1.dr
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=joE= source: DefMic.exe, 00000023.00000002.2514999105.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb)) source: DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbaa source: DefMic.exe, 00000018.00000002.2434106425.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdbM source: DefMic.exe, 00000010.00000002.2339064034.0000000001376000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.pdb source: DefMic.exe, 00000018.00000002.2434106425.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Installer\MSI2A31.tmp-\DefMic.pdb: source: DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbemp\MSI9DCB.tmp-\DefMic.PDB source: DefMic.exe, 00000009.00000002.2315352819.000000000137A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbbz source: DefMic.exe, 0000000C.00000002.2332882724.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: StreamPlayback.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\DefMic.pdbC source: DefMic.exe, 00000009.00000002.2315385049.0000000001401000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001376000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mC:\Windows\Installer\MSIE9D2.tmp-\DefMic.pdb source: DefMic.exe, 00000023.00000002.2509531647.00000000006FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: X SBConference.Common.pdb_1 source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: mC:\Windows\Installer\MSI1A8D.tmp-\DefMic.pdb source: DefMic.exe, 00000032.00000002.2633223685.0000000000BDA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.pdbs* source: DefMic.exe, 00000015.00000002.2418031873.0000000000E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdb% source: DefMic.exe, 00000015.00000002.2418031873.0000000000E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\svn\happytimesoft\onvifclient\bin\x64\OnvifClientLibrary.pdb source: OnvifClientLibrary.dll.1.dr
    Source: Binary string: C:\Windows\DefMic.pdbpdbMic.pdb source: DefMic.exe, 0000000C.00000002.2332882724.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dows\exe\DefMic.pdb source: DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Ysymbols\exe\DefMic.pdb source: DefMic.exe, 0000000C.00000002.2332066418.000000000059A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\NetFirewall.pdb; source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\Installer\MSI1A8D.tmp-\DefMic.pdb source: DefMic.exe, 00000032.00000002.2634106384.000000000113A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdb source: DefMic.exe, 00000009.00000002.2315385049.0000000001401000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332882724.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2601695537.0000000000854000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbemp\MSICBD3.tmp-\DefMic.PDB source: DefMic.exe, 00000018.00000002.2433790232.0000000000BFA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdb source: DefMic.exe, 00000023.00000002.2514999105.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2601394830.000000000083B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdbV source: DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: b77a5c561934e089\mscorlib.pdb9\ source: DefMic.exe, 00000023.00000002.2514999105.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbmp-\DefMic.PDB source: DefMic.exe, 00000023.00000002.2509531647.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2633223685.0000000000BDA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682300284.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: SBConference.ViewModel.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.IsolatedStorage\4.0.2.0\System.IO.IsolatedStorage.pdb source: System.IO.IsolatedStorage.dll.1.dr
    Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE0C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71442000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A123000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F3B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AB6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F265000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A775E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5143000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A259000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.53.dr
    Source: Binary string: XamlAnimatedGif.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: X SBConference.Service.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: mC:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.pdb source: DefMic.exe, 0000000C.00000002.2332066418.000000000059A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2338778949.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: X SBConfDiag.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: C:\Windows\DefMic.pdbpdbMic.pdb( source: DefMic.exe, 00000029.00000002.2601695537.0000000000854000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbbS source: DefMic.exe, 0000002D.00000002.2610891134.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConference.Service.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: SBConference.Common.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbK source: DefMic.exe, 00000032.00000002.2634106384.0000000001120000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: System.Windows.Interactivity.dll.1.dr
    Source: Binary string: \??\C:\Windows\mscorlib.pdb- source: DefMic.exe, 00000010.00000002.2339064034.0000000001376000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConfDiag.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbj source: DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.pdb source: DefMic.exe, 0000000C.00000002.2332882724.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mC:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.pdb source: DefMic.exe, 00000009.00000002.2315352819.000000000137A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbB source: DefMic.exe, 00000029.00000002.2601394830.000000000083B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdb1 source: DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\ScreenBeam\Projects\sb-conference-installer\byom-rtsp-client\sbdrvmgr\sbdrvmgr\obj\x64\Release\sbdrvmgr.pdb source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307453659.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2307507660.0000022DED780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326505467.0000023E9D28F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, sbdrvmgr.exe, 0000000E.00000000.2334300986.000002051B4A2000.00000002.00000001.01000000.0000000C.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412657115.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412706204.000001FFF32B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2425117897.0000026F6F9A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443933473.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443755624.00000227686A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502207658.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2502092223.0000020633EA2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2527104301.000001EBD34E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590597773.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590438906.000001D1D3F91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626877689.0000029A8D7F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626783567.0000029A8D7F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652551033.000001E2A5D91000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbF source: DefMic.exe, 00000023.00000002.2514999105.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.PDB@ source: DefMic.exe, 00000015.00000002.2418031873.0000000000E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SBConference.Common.pdb_1 source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb source: System.Diagnostics.Process.dll.1.dr
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdbb source: DefMic.exe, 00000009.00000002.2315385049.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2434106425.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdbf source: DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XDocument\4.0.11.0\System.Xml.XDocument.pdb source: System.Xml.XDocument.dll.1.dr
    Source: Binary string: C:\svn\happytimesoft\onvifclient\bin\x64\OnvifClientLibrary.pdb22 source: OnvifClientLibrary.dll.1.dr
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdbd source: DefMic.exe, 00000015.00000002.2418031873.0000000000E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A28D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.53.dr
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdbb source: DefMic.exe, 0000000C.00000002.2332882724.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2601695537.0000000000877000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2700327404.000002806A28D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.53.dr
    Source: Binary string: ]XiX Microsoft.Xaml.Behaviors.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdb2 source: DefMic.exe, 00000032.00000002.2634106384.0000000001120000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb)Nz source: DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: X ScreenBeamConference.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\exe\DefMic.pdbX source: DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: osymbols\exe\DefMic.pdb source: DefMic.exe, 00000023.00000002.2509531647.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: DefMic.exe, 0000002D.00000002.2610891134.0000000000C06000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\exe\DefMic.pdb04 source: DefMic.exe, 00000015.00000002.2418031873.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \mscorlib.pdb source: DefMic.exe, 00000029.00000002.2601695537.0000000000877000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\NetFirewall.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdbemp\MSIA388.tmp-\DefMic.PDB source: DefMic.exe, 0000000C.00000002.2332066418.000000000059A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2338778949.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\DefMic.pdbAO source: DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.1.dr
    Source: Binary string: dows\exe\DefMic.pdbC source: DefMic.exe, 00000032.00000002.2634106384.000000000113A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: DefMic.exe, 00000009.00000002.2315385049.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332882724.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001363000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2418031873.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.0000000001120000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682664496.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections.NonGeneric\4.0.3.0\System.Collections.NonGeneric.pdb source: System.Collections.NonGeneric.dll.1.dr
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.PDB+ source: DefMic.exe, 00000009.00000002.2315385049.0000000001429000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: .pdbR source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\Installer\MSI2A31.tmp-\DefMic.pdbes source: DefMic.exe, 00000036.00000002.2682664496.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Jenkins\workspace\sb-conference-installer-working\byom-rtsp-client\defmic\DefMic\obj\Release\DefMic.pdb source: rundll32.exe, 00000008.00000003.2307308294.0000022DEF1F5000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000009.00000002.2315352819.000000000137A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000009.00000002.2315385049.0000000001429000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000009.00000000.2312611326.0000000000FE2000.00000002.00000001.01000000.00000007.sdmp, rundll32.exe, 0000000B.00000003.2326345661.0000023E9EE40000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332066418.000000000059A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332882724.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2338778949.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2339064034.0000000001399000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000003.2412542920.000001FFF4D66000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2417347437.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2424627838.0000026F71476000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2434106425.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2433790232.0000000000BFA000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000003.2443459069.000002276A157000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000022.00000003.2501873994.00000206358F6000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2509531647.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2514999105.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000027.00000003.2526925684.000001EBD4F6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.2590175660.000001D1D5AEA000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2610891134.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2626570480.0000029A8F299000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000114E000.00000004.00000020.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2633223685.0000000000BDA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2634106384.000000000115B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000034.00000003.2652270209.000001E2A7792000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000035.00000003.2668621372.000001B5A5177000.00000
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb8 source: DefMic.exe, 00000015.00000002.2418031873.0000000000E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\mscorlib.pdbv source: DefMic.exe, 00000023.00000002.2514999105.0000000000A70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.1.dr
    Source: Binary string: m.pdb source: DefMic.exe, 00000009.00000002.2315352819.000000000137A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000000C.00000002.2332066418.000000000059A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000010.00000002.2338778949.0000000000FCA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000015.00000002.2417347437.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000018.00000002.2433790232.0000000000BFA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000023.00000002.2509531647.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000029.00000002.2600559828.00000000006FA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 0000002D.00000002.2609929834.000000000093A000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000032.00000002.2633223685.0000000000BDA000.00000004.00000010.00020000.00000000.sdmp, DefMic.exe, 00000036.00000002.2682300284.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: ]XiX MahApps.Metro.pdbx& source: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Source: Binary string: \??\C:\Windows\mscorlib.pdb} source: DefMic.exe, 00000010.00000002.2339064034.0000000001376000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdbDc` source: DefMic.exe, 00000018.00000002.2434106425.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp
    Source: MahApps.Metro.dll.1.dr Static PE information: 0x9A2ED0EB [Thu Dec 21 08:16:43 2051 UTC]
    Source: MSI9DCB.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x82c19
    Source: MSICBD3.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x82c19
    Source: MSIA388.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x82c19
    Source: MSID346.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x82c19
    Source: MSIC74E.tmp.0.dr Static PE information: real checksum: 0x3d808 should be: 0x82c19

    Persistence and Installation Behavior

    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe Executable created and started: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.Primitives.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.RuntimeInformation.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF3A7.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC34.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swscale-5.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Overlapped.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\OnvifClientLibrary.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27ED.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Thread.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.XDocument.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avcodec-58.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.ThreadPool.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI2A31.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avutil-56.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NameResolution.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.ZipFile.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libcrypto-1_1.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI3619.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIF3D7.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.IsolatedStorage.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vacdisable.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI3619.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Specialized.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vacenable.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Requests.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIF3D7.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.X509Certificates.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.FoundationContract.winmd
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\ControlzEx.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Security.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Direct3D9.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Interop.NetFwTypeLib.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Security.SecureString.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2A31.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Text.RegularExpressions.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Dynamic.Runtime.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE9A2.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID877.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA791.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\HtmlToXamlConverter.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC04.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\NLog.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.IO.MemoryMappedFiles.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC34.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI2339.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Http.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\System.Buffers.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA654.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\shiE960.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIE9D2.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Expressions.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Writer.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacdisable.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA674.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBRTSPAudio64.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libcrypto-1_1.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Common.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2339.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\en-US\SBConference.Model.resources.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI3619.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3619.tmp
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI2339.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID346.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE8C5.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.Client.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TraceSource.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\System.Numerics.Vectors.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avutil-56.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Fizzler.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64\wdmdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Net.NetworkInformation.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1A8D.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.NonGeneric.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI1A8D.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIDA8C.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Sockets.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.ReaderWriter.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tools.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XDocument.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIE9D2.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlSerializer.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avformat-58.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI2339.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE847.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA44D.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64\wdmdrvmgr.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacenable.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Xml.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI3619.tmp-\DefMic.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Ping.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI2A31.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libssl-1_1.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI1A8D.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE944.tmp
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\BouncyCastle.Crypto.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSIE9D2.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swresample-3.dll
    Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe
    Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\MSI2339.tmp-\DefMic.exe
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Model.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\NLog.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbcp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\Windows.WinMDJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libssl-1_1.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86\wdmdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA4CB.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.FileVersionInfo.dllJump to dropped file
    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\shiA73B.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\qf4net.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBCamFilter32.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI746C.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3DAB.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Csp.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.FoundationContract.winmdJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Contracts.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\Microsoft.Win32.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Reader.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avformat-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Debug.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\de\MahApps.Metro.resources.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\CreateProcessAsUser.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libssl-1_1-x64.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\SBConference.ViewModel.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Drawing.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA703.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebHeaderCollection.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Mathematics.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.EventBasedAsync.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tracing.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Calendars.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE9D2.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Claims.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Handles.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA761.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.ObjectModel.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\qf4net.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBCamFilter64.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbcp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.IO.Pipes.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Principal.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\SBConference.Common.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Console.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\System.ValueTuple.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avcodec-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Numerics.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIC74E.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE8F5.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Net.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Encoding.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\System.Windows.Interactivity.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Timer.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.MediaFoundation.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.Extensions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Data.Common.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86\wdmdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.TypeConverter.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Svg.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Windows.WinMDJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Process.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.ValueTuple.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Queryable.dllJump to dropped file
    Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\viewer.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBE4.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\SharpDX.DXGI.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA4FB.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.IO.UnmanagedMemoryStream.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\OnvifClientLibrary.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Concurrent.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF3D7.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Resources.ResourceManager.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\vcruntime140.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swresample-3.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\zlibwapi.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.AppContext.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libcrypto-1_1-x64.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.DriveInfo.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.StackTrace.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlDocument.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Formatters.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA7B2.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Watcher.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBRTSPAudio32.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSID914.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swscale-5.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIA694.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Algorithms.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\System.Memory.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE8F5.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF3A7.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE944.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27ED.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI746C.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3DAB.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2339.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBE4.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3619.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE8C5.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI3619.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF3D7.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1A8D.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2A31.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI1A8D.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE9D2.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE9A2.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIE9D2.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSIF3D7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE847.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC04.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC34.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\Installer\MSI2339.tmp-\sbdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.FoundationContract.winmdJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.UniversalApiContract.winmdJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\service\Windows.WinMDJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.FoundationContract.winmdJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.UniversalApiContract.winmdJump to dropped file
    Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ScreenBeam\Conference\app\Windows.WinMDJump to dropped file
    Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ScreenBeam\Conference\eula.rtf
    Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScreenBeam
    Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScreenBeam\Conference
    Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScreenBeam\Conference\ScreenBeam Conference.lnk
    Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe Memory allocated: 1800000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe Memory allocated: 3540000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe Memory allocated: 1860000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Memory allocated: D90000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Memory allocated: 27E0000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Memory allocated: 2560000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe Memory allocated: 2051CF90000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe Memory allocated: 20535190000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Memory allocated: 2F70000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Memory allocated: 3140000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Memory allocated: 2F70000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe Memory allocated: 1F144690000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe Memory allocated: 1F15E110000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe Memory allocated: 1080000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe Memory allocated: 2AD0000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe Memory allocated: 10D0000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe Memory allocated: 1270000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe Memory allocated: 2C10000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe Memory allocated: 4D50000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe Memory allocated: 1A6D8D70000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe Memory allocated: 1A6F27C0000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe Memory allocated: 28FC7C90000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe Memory allocated: 28FE17C0000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe Memory allocated: 2420000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe Memory allocated: 2600000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe Memory allocated: 2440000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe Memory allocated: 23F74F50000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe Memory allocated: 23F769B0000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Memory allocated: A90000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Memory allocated: 2590000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Memory allocated: 4590000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe Memory allocated: 217325D0000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe Memory allocated: 2174BDA0000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Memory allocated: 1020000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Memory allocated: 2940000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Memory allocated: 4940000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe Memory allocated: 2BDAC5C0000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe Memory allocated: 2BDC5FD0000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe Memory allocated: 13B0000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe Memory allocated: 2D10000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe Memory allocated: 4D10000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe Memory allocated: 2680000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe Memory allocated: 2840000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe Memory allocated: 4840000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe Memory allocated: 2CCEF280000 memory reserve | memory write watch
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe Memory allocated: 2CCF0CE0000 memory reserve | memory write watch
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe Code function: 29_2_00007FFD9B4017FA SetupDiGetDeviceRegistryPropertyW,29_2_00007FFD9B4017FA
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 565
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 388
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 2730
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1142
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 647
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1117
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 800
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 541
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 419
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1454
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 455
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1502
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 2303
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 429
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 528
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1340
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 577
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 387
    Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 888
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA388.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.Primitives.dll
    Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF3A7.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.RuntimeInformation.dll
    Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC34.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swscale-5.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Extensions.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Overlapped.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\OnvifClientLibrary.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI27ED.tmp
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Thread.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Parallel.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.XDocument.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avcodec-58.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.ThreadPool.dll
    Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2A31.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avutil-56.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.ZipFile.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.NameResolution.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libcrypto-1_1.dll
    Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3619.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF3D7.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.IsolatedStorage.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vacdisable.exe
    Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3619.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Specialized.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.UniversalApiContract.winmd
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vacenable.exe
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Requests.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.X509Certificates.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Windows.Foundation.FoundationContract.winmd
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbkd.sys
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\ControlzEx.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Security.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Direct3D9.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Interop.NetFwTypeLib.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Primitives.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.SecureString.dll
    Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2A31.tmp
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Text.RegularExpressions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.Compression.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Dynamic.Runtime.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE9A2.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID877.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA791.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\HtmlToXamlConverter.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC04.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\NLog.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.MemoryMappedFiles.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Extensions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC34.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\vac\x64\vacscbkd.sysJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Http.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\XamlAnimatedGif.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Buffers.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA654.tmpJump to dropped file
    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiE960.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE9D2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.WindowsRuntime.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbkd.sysJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Expressions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Writer.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.Parallel.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacdisable.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\UnpairDeviceApp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA674.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBRTSPAudio64.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libcrypto-1_1.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Linq.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\SBConference.Common.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2339.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3619.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\en-US\SBConference.Model.resources.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3619.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2339.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID346.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\SBConference.Service.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE8C5.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebSockets.Client.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TraceSource.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Numerics.Vectors.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.Extensions.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avutil-56.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Fizzler.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x64\wdmdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.NetworkInformation.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1A8D.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Collections.NonGeneric.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1A8D.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIDA8C.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Sockets.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.ReaderWriter.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tools.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XDocument.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE9D2.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avformat-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlSerializer.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2339.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE847.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA44D.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Collections.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\netstandard.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x64\wdmdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacenable.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Xml.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Ping.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2A31.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libssl-1_1.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1A8D.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE944.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE9D2.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\BouncyCastle.Crypto.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swresample-3.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SBConference.Model.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICBD3.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\NLog.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x86\vacscbcp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\ScreenBeam Conference.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\Windows.WinMDJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libssl-1_1.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\audio\vac\wdmdrvmgr\x86\wdmdrvmgr.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.FileVersionInfo.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA4CB.tmpJump to dropped file
    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiA73B.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\qf4net.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBCamFilter32.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI746C.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3DAB.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Csp.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XPath.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\Windows.Foundation.FoundationContract.winmdJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Contracts.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\Microsoft.Win32.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC34.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Resources.Reader.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avformat-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Debug.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\de\MahApps.Metro.resources.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC34.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\CreateProcessAsUser.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Reflection.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2A31.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1A8D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libssl-1_1-x64.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SBConference.ViewModel.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF3D7.tmp-\Newtonsoft.Json.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Drawing.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA703.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.Mathematics.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.WebHeaderCollection.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.EventBasedAsync.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Tracing.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.Calendars.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE9D2.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Claims.dllJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF3D7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Handles.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA761.tmpJump to dropped file
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\ByomCustomAction.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ObjectModel.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\qf4net.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBCamFilter64.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\vac\x64\vacscbcp.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.Pipes.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Principal.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SBConference.Common.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Console.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avcodec-58.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.ValueTuple.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Numerics.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC74E.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE8F5.tmpJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\StreamPlayback.exeJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Net.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Encoding.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Primitives.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Timer.dllJump to dropped file
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Windows.Interactivity.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.MediaFoundation.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Data.Common.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Text.Encoding.Extensions.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\vac\wdmdrvmgr\x86\wdmdrvmgr.exe
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ComponentModel.TypeConverter.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Windows.WinMD
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Svg.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Threading.Tasks.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.Process.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Globalization.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.ValueTuple.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Linq.Queryable.dll
    Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\viewer.exe
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIBE4.tmp
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SharpDX.DXGI.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA4FB.tmp
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Primitives.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.UnmanagedMemoryStream.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\SBConfDiag.exe
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\OnvifClientLibrary.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Runtime.CompilerServices.Unsafe.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF3D7.tmp
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Collections.Concurrent.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exe
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\vcruntime140.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Resources.ResourceManager.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.CompilerServices.VisualC.dll
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\Newtonsoft.Json.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swresample-3.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\zlibwapi.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.WindowsRuntime.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.AppContext.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libcrypto-1_1-x64.dll
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2339.tmp-\ByomCustomAction.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.DriveInfo.dll
    Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Diagnostics.StackTrace.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Json.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Xml.XmlDocument.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.Serialization.Formatters.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA7B2.tmp
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.IO.FileSystem.Watcher.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBRTSPAudio32.exe
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID914.tmp
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swscale-5.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA694.tmp
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Runtime.InteropServices.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\service\System.Security.Cryptography.Algorithms.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\System.Memory.dll
    Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.dll
    Source: C:\Windows\System32\rundll32.exe TID: 3264Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 1804Thread sleep count: 565 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 1804Thread sleep count: 388 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe TID: 2124Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 4996Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 3520Thread sleep count: 2730 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 6072Thread sleep count: 1142 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe TID: 5848Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe TID: 2848Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe TID: 2112Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe TID: 4144Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 5780Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 5212Thread sleep count: 647 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 5212Thread sleep count: 315 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe TID: 7052Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 940Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 4948Thread sleep count: 1117 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 3652Thread sleep count: 800 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe TID: 4500Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe TID: 5288Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 2844Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 2740Thread sleep count: 541 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 2740Thread sleep count: 419 > 30
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe TID: 5824Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 6996Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 3068Thread sleep count: 1454 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 3068Thread sleep count: 455 > 30
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe TID: 7048Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe TID: 6832Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 3244Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 6120Thread sleep count: 1502 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 6120Thread sleep count: 2303 > 30
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe TID: 4900Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe TID: 4348Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe TID: 4176Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe TID: 7144Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 5316Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 3272Thread sleep count: 429 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 3272Thread sleep count: 528 > 30
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe TID: 3740Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 2288Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 5288Thread sleep count: 1340 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 4856Thread sleep count: 577 > 30
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe TID: 5932Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe TID: 2172Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 1704Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\rundll32.exe TID: 3196Thread sleep count: 387 > 30
    Source: C:\Windows\System32\rundll32.exe TID: 3196Thread sleep count: 888 > 30
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 922337203685477
    Source: avcodec-58.dll.1.drBinary or memory string: vmncVMware Screen Codec / VMware VideoDuplicate value found in floor 1 X coordinates
    Source: ScreenBeam_Conference_Windows_1.0.5.9.msiBinary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
    Source: avcodec-58.dll.1.drBinary or memory string: VMware Screen Codec / VMware Video
    Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformation
    Source: C:\Windows\System32\rundll32.exeMemory allocated: page read and write | page guard
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --remove "ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5"
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe "DefMic.exe" --def
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe "DefMic.exe" --list
    Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe "sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
    Source: rundll32.exe, 00000008.00000002.2318880273.0000022DEF8A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exeCode function: 29_2_00007FFD9B4017FA SetupDiGetDeviceRegistryPropertyW,29_2_00007FFD9B4017FA
    Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE9D2.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE9D2.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exeQueries volume information: C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF3D7.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF3D7.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC34.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC34.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeQueries volume information: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\Installer\MSIC34.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSIC34.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exeQueries volume information: C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI1A8D.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI1A8D.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2339.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2339.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2A31.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2A31.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exeQueries volume information: C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe VolumeInformation
    Source: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exeQueries volume information: C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3619.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3619.tmp-\ByomCustomAction.dll VolumeInformation
    Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | Windows Management Instrumentation | 11 Windows Service | 11 Windows Service | 133 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 31 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 12 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 11 Peripheral Device Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | 23 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    [Figure: Behavior Graph] ID: 1492053, Sample: ScreenBeam_Conference_Windo..., Startdate: 13/08/2024, Architecture: WINDOWS, Score: 52

    Source | Detection | Scanner | Label | Link
    ScreenBeam_Conference_Windows_1.0.5.9.msi | 3% | ReversingLabs
    ScreenBeam_Conference_Windows_1.0.5.9.msi | 2% | Virustotal | | Browse
    Source | Detection | Scanner | Label | Link
    C:\Program Files\ScreenBeam\Conference\app\BouncyCastle.Crypto.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\ControlzEx.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\OnvifClientLibrary.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBCamFilter64.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\SBRTSPAudio64.exe | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avcodec-58.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avformat-58.dll | 3% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\avutil-56.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libcrypto-1_1-x64.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\libssl-1_1-x64.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swresample-3.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x64\swscale-5.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\OnvifClientLibrary.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBCamFilter32.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\SBRTSPAudio32.exe | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avcodec-58.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avformat-58.dll | 3% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\avutil-56.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libcrypto-1_1.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\libssl-1_1.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swresample-3.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\swscale-5.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacdisable.exe | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Filters\x86\vacenable.exe | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Fizzler.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Hardcodet.NotifyIcon.Wpf.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\HtmlToXamlConverter.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Interop.NetFwTypeLib.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\MultiOnvifServer.exe | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libcrypto-1_1.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\libssl-1_1.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\vcruntime140.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\LocalOnvifWin32\zlibwapi.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\MahApps.Metro.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Microsoft.Expression.Interactions.dll | 0% | ReversingLabs
    C:\Program Files\ScreenBeam\Conference\app\Microsoft.Xaml.Behaviors.dll | 0% | ReversingLabs
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox version: 40.0.0 Tourmaline
    Analysis ID: 1492053
    Start date and time: 2024-08-13 10:01:04 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 11m 13s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: defaultwindowsofficecookbook.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run name: Potential for more IOCs and behavior
    Number of analysed new started processes analysed: 59
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: ScreenBeam_Conference_Windows_1.0.5.9.msi
    Detection: MAL
    Classification: mal52.troj.evad.winMSI@92/405@0/0
    EGA Information:
    • Successful, ratio: 3.3%
    HCA Information:
    • Successful, ratio: 98%
    • Number of executed functions: 447
    • Number of non-executed functions: 1
    Cookbook Comments:
    • Found application associated with file extension: .msi
    • Close Viewer
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target DefMic.exe, PID 1060 because it is empty
    • Execution Graph export aborted for target DefMic.exe, PID 1340 because it is empty
    • Execution Graph export aborted for target DefMic.exe, PID 2136 because it is empty
    • Execution Graph export aborted for target DefMic.exe, PID 3636 because it is empty
    • Execution Graph export aborted for target DefMic.exe, PID 4176 because it is empty
    • Execution Graph export aborted for target DefMic.exe, PID 4548 because it is empty
    • Execution Graph export aborted for target DefMic.exe, PID 6832 because it is empty
    • Execution Graph export aborted for target DefMic.exe, PID 6972 because it is empty
    • Execution Graph export aborted for target DefMic.exe, PID 792 because it is empty
    • Execution Graph export aborted for target DefMic.exe, PID 980 because it is empty
    • Execution Graph export aborted for target rundll32.exe, PID 1028 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 1608 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 2164 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 2520 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 2724 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 344 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 3684 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 5228 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 5804 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 6856 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 7080 because there are no executed function
    • Execution Graph export aborted for target rundll32.exe, PID 7148 because there are no executed function
    • Execution Graph export aborted for target sbdrvmgr.exe, PID 2024 because it is empty
    • Execution Graph export aborted for target sbdrvmgr.exe, PID 2344 because it is empty
    • Execution Graph export aborted for target sbdrvmgr.exe, PID 2768 because it is empty
    • Execution Graph export aborted for target sbdrvmgr.exe, PID 3488 because it is empty
    • Execution Graph export aborted for target sbdrvmgr.exe, PID 4192 because it is empty
    • Execution Graph export aborted for target sbdrvmgr.exe, PID 5104 because it is empty
    • Execution Graph export aborted for target sbdrvmgr.exe, PID 940 because it is empty
    • Not all processes where analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Report size getting too big, too many NtSetInformationFile calls found.
    No simulations
    No context
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):396850
    Entropy (8bit):6.648910474807397
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PC bitmap, Windows 98/2000 and newer format, 128 x 128 x 32, cbSize 65674, bits offset 138
    Category:dropped
    Size (bytes):65674
    Entropy (8bit):1.2805694815835584
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel
    Category:dropped
    Size (bytes):16958
    Entropy (8bit):2.3402736777188395
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):2246936
    Entropy (8bit):5.7763466363318745
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):252696
    Entropy (8bit):6.354986727534602
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*1647 bytes
    Category:dropped
    Size (bytes):843264
    Entropy (8bit):5.758644766369451
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
    Category:dropped
    Size (bytes):172506
    Entropy (8bit):4.677612844082003
    Encrypted:false
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>ControlzEx</name>.. </assembly>.. <members>.. <member name="T:ControlzEx.Automation.Peers.TabControlExAutomationPeer">.. <summary>.. Automation-Peer for <see cref="T:ControlzEx.Controls.TabControlEx" />... </summary>.. </member>.. <member name="M:ControlzEx.Automation.Peers.TabControlExAutomationPeer.#ctor(System.Windows.Controls.TabControl)">.. <summary>.. Initializes a new instance... </summary>.. </member>.. <member name="M:ControlzEx.Automation.Peers.TabControlExAutomationPeer.CreateItemAutomationPeer(System.Object)">.. <inheritdoc />.. </member>.. <member name="T:ControlzEx.Automation.Peers.TabItemExAutomationPeer">.. <summary>.. Automation-Peer for <see cref="T:System.Windows.Controls.TabItem" /> in <see cref="T:ControlzEx.Controls.TabControlEx" />...
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):736536
    Entropy (8bit):6.147061471141729
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):220952
    Entropy (8bit):6.357455126980153
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (console) x86-64, for MS Windows
    Category:dropped
    Size (bytes):128280
    Entropy (8bit):6.422411286153021
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):63853336
    Entropy (8bit):6.731108284999287
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):14810392
    Entropy (8bit):6.5980620165892025
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 3%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):1300248
    Entropy (8bit):6.473519552184665
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):3310872
    Entropy (8bit):6.132756680142563
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):668952
    Entropy (8bit):5.566012993088946
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):443160
    Entropy (8bit):6.598008771901665
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):579352
    Entropy (8bit):6.59669966508533
    Encrypted:false
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):617752
    Entropy (8bit):6.365436290518738
    Encrypted:false
    SSDEEP:12288:r5iNe9qJewEisecAEJrt6D/vlDcjRW+puJtKbcn:r5iT41isecAEJrt6D/vlQjRWRJtKbc
    MD5:E906644D965A2B136E0318A3ACC11F0C
    SHA1:991B33618F5DDCFB77048A08D424EEF8ECF77953
    SHA-256:3478B02482C139CB3E13D89655119243EDBB8BE14B8501734490F7A818AC7BB8
    SHA-512:F3554895906EFE73294F494B5D9B0E6843F8BD5601CFB5E4F98037460F6C1332DFF90E35B4F7BDE657E61991DE9CA47909E0F0459C6B7C2F2C4127F061AFD1B9
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):207128
    Entropy (8bit):6.6690686641909025
    Encrypted:false
    SSDEEP:3072:jyrTSxfuvVlCcUfVVVVu1YFoT+V0y7DCcW1VoV+AIVKeUTP6cOAaUM/:+WcaVzuJT+37DOVo/LeUTP7
    MD5:A93CA6426264292D7BD0C60D5018BA00
    SHA1:65F49C4CABBFCAC4A9383E41940336C849502D31
    SHA-256:F17D3A4D6EE6D3D37963BDFBF6F495815157CBF52296E6E170B059C1BE061885
    SHA-512:F95C3B120A94687967EC60E1C78124311C88EB2C4077422F86E3E6EF45AF95BA3D4347529B88C3D347F66F6F40333B862BB78B2CCE50E94E9DE7EFD40A458944
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):102680
    Entropy (8bit):6.755253233607637
    Encrypted:false
    SSDEEP:1536:nn9dg1n2SEeFb/hoot9j14uM4UxgXLU/M0o1dE2WQ8OOHINQ4+kIErwJhOKNXg72:n9dLSEeFbprcgb+YKQ8DWehdNXgMW
    MD5:C38C47A05F632B9A27173F176A1CA88C
    SHA1:7451E3DD23A13EB1FFC932BED6E075BB47A5DB1D
    SHA-256:50027A2D0ACE14200FF0B3580BB270ADF664D5F0A9D86A4A30E7C59BCA9639E7
    SHA-512:64C1BF5F546307506EE2A33880C9E400C8B2E44439AEA512DBC1B775E604E3915C3B58CE144212A47EDAB2D4F33DCC107A3A3B43F2E809CE9835D08ECBFC253C
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):31070488
    Entropy (8bit):6.655670107641019
    Encrypted:false
    SSDEEP:393216:QVbJv2NcGjFg23Xs0qUANf0//O5U0zvhkHxc3gSEkSa0Lpb/GdMX:QbKjHCkO5U0zpkHxcHwYdM
    MD5:FFF29DB8588F45CEB785BEAE9122C9CA
    SHA1:7E8B7D06853CF22BC20EEEDE477EC4FAFA92E9B2
    SHA-256:C436FC3554338C7EE62AFE6FA6AC693C7923C6688362284A23CF93AA0FD1CA88
    SHA-512:1290ED6C61BDCAE44972D6E4291FED0D4FE3616A47F4FBE0ADB3AA17201424469B15C1DE943610E4B167317C9D232428C76CDE45A046044D8038945F6FE9A6CB
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):5892888
    Entropy (8bit):6.443013431996634
    Encrypted:false
    SSDEEP:98304:dyFLLyoBzl9R5Vr3jEx06Jz2kBtDR4BsZ/rSukHuCn73jTyReZZFloHEnKEECn9u:dyFnyoRl9R5lAx06JDBtF4BsZ/rSukH2
    MD5:B8E695C5FF734D667B188E4A980D9B70
    SHA1:2FF84B4EB92476F8686B1913D39047025B25D48B
    SHA-256:C8BE9476FCF4ED0A51C4C37C95ED4F63F404DEF31A8509A77E69622A928AAF4A
    SHA-512:87DBF05D9BE83E7400FFAAC7AF87075234744DBB670227A344B563804A4CE173ABDF18F8E921501A9156FE8E3BB5CC9E3EAF61B220871D65741C869D90B730B2
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 3%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):679192
    Entropy (8bit):6.515263431142381
    Encrypted:false
    SSDEEP:12288:y+T88wHM+RsWJWYYzVzJnCOO5/vY75Ash6HM+RAJgAniCkT:y+oPHM+RsCRYGDY9Ash6MJgAg
    MD5:8EA66CBCCFF6B4D63F991ED357A42933
    SHA1:F3E255691B4E8CC06BC97847096C1AA4337B1FE5
    SHA-256:74A739784F0DCD2F5202FC8E299208236B4B7629D4710A1E7BC17CE50BFE56F9
    SHA-512:09B6A81076EE098BF459721FFB43F9300DF36E7576DD2DB16634973C62C8B2B6C3550A2751A6063A8668B0297D943F1F1E5735CC35B95B7EB45C2B78C4382297
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):2434328
    Entropy (8bit):6.265979426186699
    Encrypted:false
    SSDEEP:49152:nQ1VVA2kTpvTDuW8VNd1CPwDv3uFh+0nU:nQ1Vu5DuW8fd1CPwDv3uFh+0
    MD5:48BC9B83C483F85888A132698E741FCA
    SHA1:BB728576164A9F9E53E365F0E2DEA59CEB124A8D
    SHA-256:BE3168E75618607B82BEA2F6CDE1235808A5733F83815775F61975D09B79F93A
    SHA-512:D1361148358B0AA158404C2C73371625358F0A16BC57B02BEE0DFAEF24FAB7595F4F9CF4A0B7E11C36ED322CBD0B2559BCBCE83018511A3E07995C808678D193
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):515352
    Entropy (8bit):5.814231043634429
    Encrypted:false
    SSDEEP:12288:jJ8sR6fYGsTRZ9vpHvG9ZiBgp/GidLzVaU2lvzXE5I:j/Xsf8WaU2lvzXE5I
    MD5:E76B017EFAC9A0DABCAC26D30897B687
    SHA1:FE2F44DD6A3B6CB210E3AD369285AC6752891ADF
    SHA-256:3AA419A893A61D5017A84E46507CBA8BCA7E5F3C0E83DD298137F41F83F4F7A8
    SHA-512:9494D25206F8D4C4E4FE5CC5355E7CCE8A078D47C348B4AD3DBB707806467D5871D74A5652696FA689329C2DC798481ABBD9F198AC30D6BE12536DFE90DDD682
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):334104
    Entropy (8bit):6.6807710119710455
    Encrypted:false
    SSDEEP:6144:9NfWE1yQKJdyKqIi3AhrX49fCWM1xiWs7hjy+NY9S+yCod7yHVWjtEjPFpHEP/nN:9NfWE1yQKJdyKqIi3AhrX49fsxuu89C0
    MD5:BAE0503E83F1F75EA6196BEA6991BA3E
    SHA1:9013A5FB2BDD0161427CA85AD7E04573745905F8
    SHA-256:45C1BBFC24876E35A06038403CD2702A2E17C58FC6AB0166E319E7EB5E3FE3D2
    SHA-512:87D8E783827FD5195AA6F81B53C650A685E560BEC59E9DFF78C7DBC9849B4D3DCD84180061A73133FC17C0CE2E3214592FA8DB0C5AF8C60F118E5459E50BD333
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
    Category:dropped
    Size (bytes):524056
    Entropy (8bit):6.61080860638549
    Encrypted:false
    SSDEEP:12288:Xvwyqf/9FGgiw8ed+wya6khNyY6DRmx51JT6cZijgkiiMiiiiiKNrrrrrrrrjkiE:XYLf/9FGgiw8ed+wya6khNyY6DRmx51I
    MD5:E1684E1942FDCFC13E11B91AB63A3828
    SHA1:4D8A1281140C84AD9961803D3AF4BE870D312176
    SHA-256:969D39573D82555571E74613DDC93B11D8BC39816FE996CF7D02CA8FFCBB8E0D
    SHA-512:7BEE08DDA5CDB87454148CC795681FA8404E66F9AF4B61BB54CF44936D00BA1BA7E88EBB35B7400B0B6173A00FF5281D85470C9901A6CFA0217C612F7F021804
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):22808
    Entropy (8bit):6.651269522625864
    Encrypted:false
    SSDEEP:384:DwmfOy4CLLTkOJFIQvojDV7OLIYiQ3ygAM+o/8E9VF0Ny08ni6:Umf14CLnkAC5YiQ5AMxkE3ni6
    MD5:47D4EBEBEAD197CB39656890D63EED87
    SHA1:5CF5944DDE439DDD08FA9003AD705FB39FF8922A
    SHA-256:03D4F97B81F30AE6BE513CD568B17885B06FA36DF08819BBAD6918C7593EF432
    SHA-512:A2B37B83DDC8FE58D4BE01180CBC2ABC7CA5AA4606CFF42657F6D077E348EBD2A419B98F0725DE470A807C2CADFDCEDCF2E2217BB1402535DA92C54F3AE7DC9B
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):22808
    Entropy (8bit):6.65159308859288
    Encrypted:false
    SSDEEP:384:vwmfOyUCLLTkOJFIQeRjDV7RIYiQ3ZEAM+o/8E9VF0Nyvj:omf1UCLHkAUGYiQOAMxkEF
    MD5:06EDB16F31D8C30C2218BD61E5E00FEF
    SHA1:2B360B76E032D9003A03D5E328AF1FDBCF47C2C8
    SHA-256:82C08DE0A2D46FF94FA6741AF14AB2ADB7E98DF4A7279B7919688E3592FEDAE3
    SHA-512:0963DE86932879D279F88DDF1E9B4DF003BBED80B55F0A9FEB645160A41ACCDE6674939A36798E4366298199B0F95459EEEC7A82ABB0E1ECF3E08D7F30035A2E
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):45336
    Entropy (8bit):6.1587442722942765
    Encrypted:false
    SSDEEP:768:PEWL7brtn44Esp4/S3d4WiQCijG6FWd3VmigYOIlS8YiQ9AMxkE:PECrt4I4/S3dHFyyW1O/87QVx
    MD5:6255347BE108F3B58A2505E183C96E93
    SHA1:85351F90D078590042D25E25F6C44231E318C892
    SHA-256:41658F6E2E173EB6B2BAFC41B6D4EED13C17DD477AF76C1C9D158F5158B49A22
    SHA-512:FE490D21EEB90D3A5A7512B7D67037B289D238B1C5E5F69FC0A1D148A43CDF824D8C3E66608A1392679CBEB961282A66F9EECB7DDE2AE37BAE4F63DEE84EFDBD
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):107800
    Entropy (8bit):7.332701254839187
    Encrypted:false
    SSDEEP:1536:otn5VJM3T5szyxa9PuIKb8wmtyYVzH0cfNbQSi/GoP4YNjZ34d7Qrxb:otWsEa9GIdyAUKWeYNl34dMB
    MD5:796041B7713ED0E8263DB254B7926FC5
    SHA1:4C5CCE0D1A01B13885D709CE17F036DF122D0C3F
    SHA-256:D0565F7FBF3BA422E042DAC39D8BE116F5D94B83C8CE3CA88A8947AE7987E2BA
    SHA-512:833ECC48AF64E01D8AF7F423556B73F610B6D1F86DA0AD4784365B0EC37BC2AEF8620D1CDEE10A2E052A8C31510A63C16080BEDEF559911B5A03EA88AD43C222
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):130362
    Entropy (8bit):4.60579511535411
    Encrypted:false
    SSDEEP:1536:9rmrlEFROJHshjRXELhwgUgVJDcqpFEnzPTE9ab2ATsoJcYbOQDfrP7:lmjJy
    MD5:92ACD7769E2EDA756AFB18746CA7F875
    SHA1:801DE8CCB30816A499EEB307B2077614C54FEB2C
    SHA-256:CFD36E262B2F28FC37088965CDC82E58F2D18CBF469242451B1CE7811929AA62
    SHA-512:A96D6249A5B6C23381012E88AA6DB5390FD180FE03E8F3D45C1AC17292EB2CC7135244A6AF474BFC63253A258F622739FF4203A3E0E020D2090077A425B52F6B
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Hardcodet.NotifyIcon.Wpf</name>.. </assembly>.. <members>.. <member name="T:Hardcodet.Wpf.TaskbarNotification.BalloonIcon">.. <summary>.. Supported icons for the tray's balloon messages... </summary>.. </member>.. <member name="F:Hardcodet.Wpf.TaskbarNotification.BalloonIcon.None">.. <summary>.. The balloon message is displayed without an icon... </summary>.. </member>.. <member name="F:Hardcodet.Wpf.TaskbarNotification.BalloonIcon.Info">.. <summary>.. An information is displayed... </summary>.. </member>.. <member name="F:Hardcodet.Wpf.TaskbarNotification.BalloonIcon.Warning">.. <summary>.. A warning is displayed... </summary>.. </member>.. <member name="F:Hardcodet.Wpf.TaskbarNotification.BalloonIcon.Error">.. <summ
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):85272
    Entropy (8bit):5.826146012225483
    Encrypted:false
    SSDEEP:1536:RtshsMzA488PhOOUtUeOQiUDMM7o+fxrexgyn7ehoYfypP5JlV+ZkTjjuK4M0En/:RWhs4A48AhWUehougjf4M0EnGlS/MC
    MD5:DB732573E954CC1ECF49E19AE41667F6
    SHA1:D14D5E97A92065D9A2B447D0732A47F25BD69960
    SHA-256:8EECB288B9F3205C6559C8367ED4E2FB0D74D26476F5F008078398F3D6956C5B
    SHA-512:6B914730ABD48B42857E835759FD8AD5C0B47B0A863DD93AFE9C8D18C45820E66DC504DF99B5AC87FF06E84BED12E5B926EBAAF40167DA5FA442379AE998AC10
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 270 x 141, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):3792
    Entropy (8bit):7.887872121533211
    Encrypted:false
    SSDEEP:96:K/ezW07/wGkJ1K2sSc6ajjoEvfeKDIsqz4Td3bY:K/ezW0rwGkLK2sSczoEnTqCBbY
    MD5:C0EB03BD8E13870C565F248DBE9ED151
    SHA1:0FA4A9C75226C7B2518ABDE64DD86A7AC763275D
    SHA-256:BD5B34736676BDAE09096204173C7AB70DCED1E2B34BF7B9FDBD1335FB27AEE5
    SHA-512:C7D15675F272DB28BFFDBEFAB6F8B701855865EF7FBEDC1F44AAF7A56227A9D5279D59AB00FDD30BDCD050C9D3C03AC0FC98E26D24C6F58FE3E628B6B400C2EA
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 270 x 142, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):3849
    Entropy (8bit):7.913354664814746
    Encrypted:false
    SSDEEP:96:MwOPIaDxEIwm+R0wss6Vdxv53GW0etLNlUwgCLkz:M4wZwmu0g6jB5350epDUQkz
    MD5:D588CD052DDEF0FBE7445AF3DDA6460C
    SHA1:22A72DE52921597B37F39116F6DE38BD9B31E0BE
    SHA-256:4E9EBA27AB7A940105559D2E6C2C75F81D13DB14868E17FA510255AB90EE04CB
    SHA-512:8560B3BDF3CD428AFB9E23D734CF2609110DC1DB0FF9DA9D087AACB6C54F45EAB2DFA706806B192EFA0077F10B47FE44D34895A06DC07DD9963C40959C7E6EF7
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 222 x 178, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):3091
    Entropy (8bit):7.748757104260975
    Encrypted:false
    SSDEEP:96:Ozr3tf7ZmN+YsCUvG6Xe0JP1nTcHxzcdDyk:Of3tf76RsFNP1TcHdcH
    MD5:762CB6652C46433C45923C206A084D36
    SHA1:17C7535D398938AC7ECE0B282F7DC2546671F88C
    SHA-256:2C2296A114FD628439AABF48407F8CD8E004EF050AD80738FF2153174826D839
    SHA-512:CF939CC195BC551719FA9908826EF8E9E5E5B594BFB2801FD96DD7C9FC1FE78438AAE101B4267B311268FE1E21140D61906EA7A94B8DDEA2AF5300F55159AED8
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 222 x 178, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):3352
    Entropy (8bit):7.781478018163998
    Encrypted:false
    SSDEEP:48:Hybzkz9CNucIWyG2QWoolFbISVkcarNQrFdQWr2LuU8NSuNyGwTCBPP:SPkXc/0tlFK/6rfQWr2K3N2GwGNP
    MD5:E1DC2FDCC0BEBDA25870370810AEC056
    SHA1:449DD99E8E57DAB2B3F7BDA5A526D9438216DDEA
    SHA-256:0FC418DF00D31D577D5118F7E99C521D3E9B34E3E2B018ADF6BF196E2CFC6BF6
    SHA-512:89D3B1549C0FCC051BF8D742E3878CDEEC41B40C9605C1E24787C7033F56579A33F5FA9F22BB9B480F0D5D2DCC3C325B45F7D5B565120E87BDFAD096588EEE85
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 222 x 148, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2663
    Entropy (8bit):7.8546722798230695
    Encrypted:false
    SSDEEP:48:bloa1dM5gHSWa2YbzMdWPT9AVVgDgbgpHUE527KO2l/+Gv7xM+kqWiAVs8GD:bloaXMqyVFbzLPT9ajbREc7KO29JM+kM
    MD5:595E7237E9B0781E215FF9AC84277812
    SHA1:3892A426B859C01F72AE5896D0EABB8EA880D2FC
    SHA-256:E55EC67772DD38BD805FBEF833D89E9D59AB60C5A6FF5C5D3681FB18B57CF254
    SHA-512:A727B47A9D82FC188E337B7B6B431542001E018282DE835B15EEE0B039D5F68E35FE8E99D50CCC2B22D3F26D09706A3EC36B1D62141F44186BF9551BC9DA75D3
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 221 x 148, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):3184
    Entropy (8bit):7.8630900763236635
    Encrypted:false
    SSDEEP:48:drWWpxOzppKlElCWBUd1ag5x1FgtWOrfZDGvNXGVruN5P19aLRFzsIMaXB8cbjbw:5WWiq0IqgrgtRRulGxY5P1Ozs8xVbjM
    MD5:F9D12845496D41C905CDFE83184D5FE0
    SHA1:C944C50F5F18733EE9B14AF920B82C520BEF7413
    SHA-256:4ACF83EB735FE18D1F966B6C041E1F21645CA49E98688AD7DD3B62E75B8C159F
    SHA-512:74177A75F62ABCD2A4180DC548BE047C5B48A647D4256F9C8CAC747B4F6C6B9FCFA35F88AE5A3CE954D92A06A992FD573761409F989EBA1BD4A0A145C4734518
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 253 x 179, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2772
    Entropy (8bit):7.851913113424136
    Encrypted:false
    SSDEEP:48:G+UxoQP8H/vKEr5eICimez65udPQcAAWraa1laOfe+aAbJjPvtuJRXXvjkkDP2Fk:GH+RH/3eICimezGudPQDraawD+aAdNuB
    MD5:74A7E29DFA61300BE1EFD9F16511C472
    SHA1:D4D077D4F160C4BC1F8A783A41BF73C3C90CF473
    SHA-256:70301841B123395675665F7B9A4A95ED658E6E499655C9B9F9123B11B6C59271
    SHA-512:A6A661850B4CD0D71543B38D87F0B65C8F6D76CA0F497267927B9D5740A415816C94EF3AA5062545570F9988503C0A2CFF9BF6978D0C3268E32F034F7034D5DB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 253 x 179, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2861
    Entropy (8bit):7.836636045012349
    Encrypted:false
    SSDEEP:48:G+z4CjGMOWHLHvpYObJBFm2V3qgnUcfyGXqyvZYRjKiMWmj/iIklqF7:G69OyLSeDhqwUc5Z7WzqV
    MD5:925415B41EE4AC0784F3303E037ABC1A
    SHA1:F2D643686EC728B8362FEC0CABB9A2F3D815CC1B
    SHA-256:0B048F9F820EE144C174A80E36D8628778C2332D625DFE6F73E42BADA6772DA4
    SHA-512:961E67F904ECE58E0A65D9F7035DD3F892087940AF33713D8E1BAC99F30853B472272295A1C9D6FFF92D404E048CFA9BC74A8D2AD5BA6BC5C2C17EB58F00A4D5
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 270 x 180, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):4883
    Entropy (8bit):7.914101756064351
    Encrypted:false
    SSDEEP:96:b6A83M4XnLKWlUDfwHhm5n3/eDsdVqDXVkaEcqVsvTywA2RTt9I/X:2gVUUDfUm5veDCyCXc+svlAuD4
    MD5:DA5EB66ECA9B3E5F4F445D3B619632D3
    SHA1:86937DB672C9C0EBA708E7AF84973766328B69D6
    SHA-256:810918B484FBDE0576A12C3C69B15EB429038241D7A73608C2A3C276859EEA12
    SHA-512:FE884FD67472D7C3D59280CBBB4923939407707F7A91022B9EBA3F817744793F948D435543F23B89398E94CBE16394FD2B24E0232A869351A2F892C6F03850C9
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 270 x 181, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):4970
    Entropy (8bit):7.918801585601483
    Encrypted:false
    SSDEEP:96:2r4vQ7uUlkbxDAzBD0YjfvoJUCHbE80PClwBTwxcZWty:64v1UODmBD0QvoJUCHQ89lwBTwKOy
    MD5:806C821E92A332E9027999A80CA6951E
    SHA1:5365566E77705238BAC426A2E396B83C54976049
    SHA-256:384A13D89ADD5A0144C9722D3ABA7893E45B4495E800DF557BDE5C7E84C8B792
    SHA-512:75D771C510758D7F4B2A75980040ED74326B63F2CE4BE8524EC4CA10E3C083FFF176A95E909A812A122043461F3EF1F5DE98027A704021B7C06D8D71241794B0
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 567 x 129, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):6725
    Entropy (8bit):7.937534717511396
    Encrypted:false
    SSDEEP:192:2+EjDf5Uv6WEYBKP/Biu5os+SCxOUOKUWpo:X8DfBOKPJhUxZG
    MD5:48EBA9C316231F11C1998893BE69BF0C
    SHA1:90A3A211DCC79071BF2578B141741249A04949EB
    SHA-256:25C37F6ED819BB05A22FA1846618C7D54C78CBAD856E03E71FB1CB5939FC3B19
    SHA-512:3C12AA33D1701FD3CF809B26DA8F64D776C23C2C9EF5E91E63E2C922B558407DA71629E9BB5BFF58777A3220E16A91BCFB0CFC10D52E3F86D598A74738E03FBE
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 568 x 129, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):7061
    Entropy (8bit):7.941053016684348
    Encrypted:false
    SSDEEP:192:66peFSyCa4BGXRW1KccnFMF+0okbJMElBFIn19Bwsg:66pq/XRW1KluvlB21fwsg
    MD5:8D0FC1A1FCEB9CCE3A3BFE72EFEA4472
    SHA1:23EC34BDEA36CD6DDEB3E1C01B64BFA116E8E3F2
    SHA-256:22409C98257A8C94F09200884ABAEB688948F1F5381E493D39A06802432805F8
    SHA-512:FA31F204952C8EFF34F4F2AEB913926577DB49FC15DBB9A1D7A65D4E8F6E7DC485DD231ED65FECBE6DAFC8373902780605CC5D370A1B0FF6F8D024D3534F07E1
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 563 x 325, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2540
    Entropy (8bit):6.029624423166828
    Encrypted:false
    SSDEEP:24:3JQDjGsqI+5N/34s0edxb3Q2CjQRc0Yp2TsooCHasqh8nqbEDlOK:3ls65h34sHxbQ2at0Y1ooCH5iIpOK
    MD5:5D31BEF0D0FB9881CC6B132DE1101745
    SHA1:DF96187E5237134AA9DCC93CFAFA66627357A287
    SHA-256:49E3EE10632BBD9A521AC129B83A6EB212AB2A3113F0C8FD1F8956E3B4436231
    SHA-512:635B7A45065F9CBB97FA1A5FB12C1825DB39CD2E92B84F432D61259F92B68A33168A81A52C9564EA8E5461F9449451494C6583D734ED7F8AC5DA5CC899A6789D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 564 x 324, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2534
    Entropy (8bit):6.187458781872805
    Encrypted:false
    SSDEEP:48:nPbQUi5pmkex74IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIU:nPbQUN5+IIIIIIIIIIIIIIIIIIIIIIIu
    MD5:C50A9E7C951E3A00869A77173F05C5CC
    SHA1:C308112B2685F993BC89D0FD242566C09C902A1E
    SHA-256:3937FF6FD2AB14A64E1E71D209BBA6D6CD26314BE2A0A048F181F06FAA435C8A
    SHA-512:B94FE6BB48F097D8CBC4EF6AA24F3F9B04629807FD826D0CF77F25FA1792ADF9D391D5738F8A346D13E768EBCB96BCE5FACEF4868382A1F847008F3F845801B9
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 418 x 41, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):1018
    Entropy (8bit):7.592402450098522
    Encrypted:false
    SSDEEP:24:MAaGMBkeGB0mVARASA51bFEgiPBQ4XRUoo2NKh/WN:hXMke05yA7bugIQ4XvooY/Y
    MD5:7374E2A43CB40C3A927B5F9959149901
    SHA1:111FB872A39B6C082CA43CE575178461BB594530
    SHA-256:9E3493FC9CF003474CC8E2E65814F3BC1FF8821C9E18F975B2B62C696D12FFE9
    SHA-512:3BB01E810E49DC70008CFDC4471F72BFBD81E924B652A096235F2105965B22397DCA8C55EA9326FD6DFBD9DAB216D9D020E36AE1E96D8990E83B6AE86F013520
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 418 x 41, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):992
    Entropy (8bit):7.535009718254115
    Encrypted:false
    SSDEEP:24:z8BxQe0TePO+8NiLc0Q3BvRbFsEFZ3DmyUaO6qtV5:z8B0J1Ocf3BHsUDm4Cd
    MD5:14FB74503A226AD44EE05F6B3ACFCD48
    SHA1:A6A941D05179649E59A009D62F27CFD795B3198B
    SHA-256:F25EB99C02CBF3FCEAA3A5A6CB246BBFE26FB2662936CAFEBD9F8CDDE005151F
    SHA-512:14F19438DCB85E157C6C43B2F19B76E172C0BCAB6D3B4EF26B55FD696B8E4B27197C6854718C9DB9F9B7D4AE1A62DDA03EDD8CAFCF869AEF0BE3F9DFD84A2B22
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 403 x 849, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):85416
    Entropy (8bit):7.9853531268658555
    Encrypted:false
    SSDEEP:1536:wAvvK0847tDGOXl9CCdAB8C8uzhkKM+010k4lzyUOAManqZtq0IKJLf7+92:RK0NtyOuWA/2S2UGaxozm2
    MD5:6428081514C762235484B78DE4D3FB53
    SHA1:5D2D5F71B6433BB46704D795BF49815EDD8A0223
    SHA-256:5C21456B22595F128A2C6303D966E9A8AA9ADF0D34C2B5C578559EFF15DEFDC9
    SHA-512:49EC94B13B2CC0E7BAF12D737CAC3CADD7AA83A9CEAD2858E5A8E2E9FD0D6C0783FBAF46BF7E64DF375970A1A4B434BDACDA046CFECBBC19954B9668E67A3C88
    Malicious:false
    Preview:.PNG........IHDR.......Q.....&.Q.....pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:17-05:00" xmp:ModifyDate="2021-04-30T18:38:34-05:00" xmp:MetadataDate="2021-04-30T18:38:34-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:6352cb88-8d2a-e149-8d10-7cffae4a6cae" xmpMM:DocumentID="xmp.did:6352cb88-8d2a-e149-8d10-7cffae4a6cae" xmpMM:Original
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 1000 x 813, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):42674
    Entropy (8bit):7.840543790213694
    Encrypted:false
    SSDEEP:768:U26KcWAxdOTO5c83tmMuc6Ewb9rrRLO+Pn3SDMyYdevWDXCF6xLF6+Svm/GdFa/5:UxnWAPOq51ki8g+PniDMTdevQSF6xLFt
    MD5:6945E1DF586C00BA686661631EA1CB04
    SHA1:9CF569943F5A14DCF9E7EF19782943A4E92A080E
    SHA-256:60570553A0DAA7FF5A0D913A35A80CC56EB902DE30A6B9167915E996382B1601
    SHA-512:DCC29BE2CB686FA00B68CA2449A693CB6DF4B7E15B6C8EB2B79A84044DEC9243614480381FB7E5238780E9E98293286293C8632AEB1D1F77BC705E1C5E4FFC2D
    Malicious:false
    Preview:.PNG........IHDR.......-............pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:17-05:00" xmp:ModifyDate="2021-04-30T21:23:22-05:00" xmp:MetadataDate="2021-04-30T21:23:22-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:6f655927-aa5d-0948-a8ff-3c5aaaecc992" xmpMM:DocumentID="adobe:docid:photoshop:aafcfe97-a717-7d4a-bfba-859cc33b877d"
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 1000 x 813, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):49327
    Entropy (8bit):7.888483310268996
    Encrypted:false
    SSDEEP:768:HKKfW1CdIvk8YKDoAOA+MkG0VVHi8q7Fixi4xgBd56CR1ek8UFJiAEb:Hu1ebfAOA+HG0VtqEuj58k8qiAC
    MD5:204887D32D0D728E2E72961501142C68
    SHA1:3331B0FC1D18CD8C3CAD8AD69F8D1DD9CAA8B8A4
    SHA-256:044AFB54D6FDD785AD82B34E4D8391FB58A1BD231EAF18CB5B3D2952F123DCDC
    SHA-512:FA769DA9C79726E64B0EC58CF8B717BFC34A4F392FC9974369200448CBC266440BBDA4898BE3E9BE3FFB5BA16FBF47600E910C587A6CDDC25CD971CC60FB8D7C
    Malicious:false
    Preview:.PNG........IHDR.......-............pHYs...t...t..f.x....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c005 79.164590, 2020/12/09-11:57:44 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop 22.1 (Windows)" xmp:CreateDate="2021-04-30T18:27:17-05:00" xmp:ModifyDate="2021-04-30T21:19:08-05:00" xmp:MetadataDate="2021-04-30T21:19:08-05:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:e16fd676-4704-dc4b-8de9-f5a093460ec6" xmpMM:DocumentID="adobe:docid:photoshop:8f014ea2-b541-b44b-a065-a8feef2455ce"
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 128 x 75, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):476
    Entropy (8bit):6.572841577492603
    Encrypted:false
    SSDEEP:12:6v/7+/3UNBHPKNU+ZlZlZFpGOK+uf81ZlZlZFyHrK1ZAm8:6Nctbb7pGcufubb7yH2Lg
    MD5:0EE2D0A6EA0FF374B16A61691601C046
    SHA1:9267376FBFCD392CE6E45CBF33C814F4B22E9651
    SHA-256:C75D0A805DABE8DA0C642883DA48509B0DA1A1ADA39472A77271A5BC5BA046AB
    SHA-512:B3926CEE6A6713FA4F5897FFDDE188A01A2EA98CF19CE1E1337EC17E1AC6BF951F63CC2BF3951664EDA0630131142BB57017094D72945F31527CBC5767CFB752
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 128 x 75, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):491
    Entropy (8bit):6.790559557465972
    Encrypted:false
    SSDEEP:12:6v/7+/EOJqXZdqBqyQ85+BNFaFIAhRMQS/uMlZlZl7Jc:XqXfqV4BNFShjSFlbb7K
    MD5:A7F065CC49B62671D1F7A0C559E805C3
    SHA1:DE343398B2C64DEFBFCCF09747D4925F79509439
    SHA-256:10B9791E40694B30A4645B8841A31F7F16DFF84D38C31F5423A4250E1EAEFE49
    SHA-512:6DBEBF11B04E5FF8C9C5F7A3B3B4F1572211E12A1FF499C0851E7D25F572C22C53A176FF685D7956E14ECC7ACAD6BA27CC5C951F7FBB19C2A53E5911F7131623
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 601 x 74, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):6635
    Entropy (8bit):7.956737759715022
    Encrypted:false
    SSDEEP:192:rTOgkGBqPdihCpS1zTXA+x8vEIJ+7kXo3maupCIa:rnkAqPdmCIJXALa0P5a
    MD5:64EFA7DC6B94CE461FD8B8E348A28B05
    SHA1:7867140BB930F7ABE83EBB66D731141C4ABAC20A
    SHA-256:EF69AD54F09D3223FEA10E0A8BBB71E31100078A87E095EB0CC9748906B3819D
    SHA-512:AB9D0ACC714A212F20A7B97C6F798C507C42098B9A65FB03BE0A3D197F72D06762A892DDFB1375D456D16EE2BB58FD81E2EB19F257403EFBEEC7A273EE2D428E
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 227 x 180, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):7228
    Entropy (8bit):7.96362266301775
    Encrypted:false
    SSDEEP:96:kOt9w5kl1xpeQHWHAE5041RSdw5E4aee6AARfYIflh9M4Hzfaa+rstb1YpjT6s:k89wql/QaWpRSdc8e5/j9LaLrsMpjT6s
    MD5:04EF5899D53A2AF4D87EB161DDDAE312
    SHA1:EF05428FC27D5DA6EA9DE6B4E4FB0CFF0F7157E8
    SHA-256:B8CCBC29B65B34C4BB7CE5E28FB0AE48CF499D45BCAA39BF7DA25C01D840378A
    SHA-512:4341AE9AE239CC27EECFFA6117137F702D741A2A6DA6D1A89EC80813FC3ADD7C6D7F54751160786ABA657E7E84B67ABB25336A1821CCD615484AC22C2994254C
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 227 x 181, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):7176
    Entropy (8bit):7.958435392585551
    Encrypted:false
    SSDEEP:192:1d39ffDdaSaHiWIKhJdof02esUeFEOTqzMBu7xDRs5:ThRGH4KadlXqcqRG
    MD5:3381A6F3CF452721366507045E0A9DCE
    SHA1:BC91156986104AE4794CCA4F63D68396668B4DCB
    SHA-256:387D53BBD452C6CA18D0333D1D754CA8049621A6C9CB71ED82AA053DD95D1663
    SHA-512:DDCB94DB1CC063CBB04B030F726F87C778182A6CFB76322E263C3D53635CE3F2B45B13A635AA6BB9684E84459B651AEB20FB70E777E0442DAAD39A9436437B33
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 272 x 202, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2605
    Entropy (8bit):7.7402023981882175
    Encrypted:false
    SSDEEP:48:E+1u99QkCU8QSObjAzrOZzzx1EJ++YwO7sdcXvfpmR3akAkAkAkAkAkAkAkAkAkO:E+1u9sU1jAzrUzQJewOW0nUapppppppj
    MD5:9E53C56B516DD54749FC05768098FFA9
    SHA1:917DE4A8D10A862016D223859F9624465C45737B
    SHA-256:E07E38B0B90360D8FC316E37436E94D7692A02E500C60A0064C3DB22AF3DE49D
    SHA-512:AFE46AD70BBF82188C85717EC581077C1667361181C99E03A176CD54761D629B188712A29BD88FA8AD796CA5CE5EB4E314D78146E1E6AFBFEDA59DCB5AEF2870
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 272 x 201, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2609
    Entropy (8bit):7.751935570594546
    Encrypted:false
    SSDEEP:48:rWJfP2n18fIq36wA1Y3S0XCi+OsmgV7iQKeApLzuVcaaWhq0OIsHZc:l8gq36wYYNr+OsvxiR5Zgc1vIsHy
    MD5:8BB5D9194F9AE840C1EF54C02C43FE99
    SHA1:96EFAC9879BBEA22C1EA2FFF18B1F2BC3E4594E1
    SHA-256:D07F812BD5236CCBFD9217C6AC267DE941D006641ABB3531BB5149DEA9E17743
    SHA-512:F22625D9C3FEB679DEF5E0AB3C92A5EBBB255CC7F7AF419C69C323F85B8203776F4A1530927FD8B6BDC9824328510F20DB752B2EBC3F862756A5BE707CC1E15D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 1000 x 1000, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):69554
    Entropy (8bit):7.876398312717814
    Encrypted:false
    SSDEEP:1536:EoeNeq0IAahqMnkW45preYA7eVyQud3ce/XjG+7/p:w/DHnF6FcJJJB/j9zp
    MD5:C6A33864468BF8E7F43B4BBB8DBCF83E
    SHA1:99F18AB1F88249E2D184E2ED09111E6DF849BA57
    SHA-256:BFD7126FBA79119B208374700733B636EBDE1E03A20F0D07757181D59E8DBB9B
    SHA-512:BD4CA6DF1BE8046AAC755F9790AB0E02A7692D18C6F9341227CF1A2E013C54BEB1DFA66F5F5C31D46E18D3CBAE077950C0034B88860D593ADD0FC7B0DE8C9493
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 155 x 136, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2340
    Entropy (8bit):7.846633957982799
    Encrypted:false
    SSDEEP:48:EtDfZuMXtRcFH05EWPCLp60Q1/cb/oem1aHUPaGc4e4mwm:EtD48bcIcp60Qh+/oeCC7Sm
    MD5:6050EDE0EDF86C0CB1E93000FFCB627C
    SHA1:A28E3B8C5344F1D5DD145B9BD80F2E3655798350
    SHA-256:020E19B7DC88FDE6473BF002ED65622808C5B77D50B273A81AEF7E287FC950DB
    SHA-512:371283937CC3606ED899C1FDC8817E43B9DBF0263D430B83D87153D3844985F9F5AD1471AD240748BC227A420BD11CDE75A1FACFD8E8E0EB2615E8B507D5A074
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 154 x 136, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2267
    Entropy (8bit):7.8636669830835295
    Encrypted:false
    SSDEEP:48:7I1s/0OuyGJQmNgm5xazmEtY3r3JIS2aS1LvYX7BIG1Ayejzj:7IK0Ouye/azxoIkS5AX7BIa/Azj
    MD5:11BAFFF191DA71749104B9CCBF5FBAD8
    SHA1:BA6CB42E95FD177C5DB06A74B93CD0FD5AEFBD49
    SHA-256:1012143CE9B9009DE27EC83417BCB290998EC1D47642226755FE5BEAF018573D
    SHA-512:427D6CD7F71AD26C07590641BB9F31240C71FE7415BB256D1EB882AFFB13EC34D30835C8DB27924D5A44AD97677004FB2960B93BB206E3FC484E8A4196A47831
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 720 x 788, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):66299
    Entropy (8bit):7.961523068971229
    Encrypted:false
    SSDEEP:1536:yaDvYOVbQEQjKJXDVCf7P/2qzYzpsL6/ET7B1d51pDKx4vnE:xDgCbQoJXq2wYzKzBnBGanE
    MD5:C63418D64D9F55FAE8983BB8E3390F22
    SHA1:EFB964CC281188199E67377EEF79915A2F47CA4D
    SHA-256:C7600F818D52DA2291188622BB31F89FD7C6CA5BB724BB75562AB80F8B380DA6
    SHA-512:593B13021E2F772299B48E5183ABF832237AE083124F34FDE0AB3B2FC90C163FD0886142AC4271455917713D92002F0249F6415DFE4056581500C648C2E665D4
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 720 x 788, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):225205
    Entropy (8bit):7.988659019849531
    Encrypted:false
    SSDEEP:6144:YzOPygYSjCzPltsEGUW1k+/5C8fBRNxPg3otp1xUxGQ:Y69azP49UGk+/bZRNZ4DGQ
    MD5:0B24AF962EFB65CF9D84D32F1051CB7F
    SHA1:AF93286939B3ED2FB8B4281E80A0616C2FD850AD
    SHA-256:A5C3F258AA8BC1B5113F9EE3EE68C0B494C0396DF89E64BA397809E5BAB98127
    SHA-512:29F3A99E33467CF3E92AE55E1CBBA5A0F8985F159F0A5583266CBA7AB66CB78F91D95D0AC97329835939290464CA2696EE339D65B79635D00481A4358BE88B61
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 996 x 822, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):62003
    Entropy (8bit):7.882536706934873
    Encrypted:false
    SSDEEP:768:DmQg8L4uOc2ALn9mKqYFrUjGE3ztVfasP+tbrpPS+plZ8qHK8mUSGlxGt6uu1ibH:Dm64py9lqYFkJVSV/YqqL8lwtnuMahb4
    MD5:33DEF4334217F9817B543EFE2BD011A0
    SHA1:A856001007EFA1275E2564B86640A376837C41F9
    SHA-256:6122D3A1745C83B68B99C595EB0AE24FCD06C2E1FA74F3AA67CDB2088592C796
    SHA-512:FD78545900E479353304D07B46CB5DF55822324A38BA717715C9C84DFCFAB16761D21A337D0B1C9420FC79C1C0898DA425F8DBDFE3F3FC306F5550EB21D778BF
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 996 x 822, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):260289
    Entropy (8bit):7.986983765173423
    Encrypted:false
    SSDEEP:6144:Mituzb/ztF2V+J5d1/05VU2I7V96Kfka4L1+Q1833P:uv5QV0t0k1V968a1+QuHP
    MD5:28CA09E17FA6D684172BE70F5E88D5DD
    SHA1:562FEAAD833907F1ED1F0BE6AD54B3AE7A5A1E01
    SHA-256:54F0D37EED8C9CF43C71E168FA31CE0E58579C40B08C594B1C19F044FBC460E7
    SHA-512:B4CDFB8CB2BCFA19258C118C839947CAC2582A9201A29DA2C7E5E14B8CCA8D5BB49B035AF505CCD145FA8926C79B7CCF042D2948A21A76AA84890C64FE12E049
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:SVG Scalable Vector Graphics image
    Category:dropped
    Size (bytes):330
    Entropy (8bit):5.119426182542363
    Encrypted:false
    SSDEEP:6:tccGS3mc4slZKYnic4sFvQoEGlBMfqGqR3laF4SK3lNkADT/HD38:tcFS3/KYh93Mfq93ladK3lNbDzHD38
    MD5:0C7F014CE9B23358D00BA953D9C44CCB
    SHA1:DF1752C78BC6BD78615783C512AA81302FC14D13
    SHA-256:A0F75FFC5C685A770D776661D354422DBA9DC17AA84885F6F35DB82106A7DF67
    SHA-512:3DEE488FA25CBD4F2DC6CB789D4BF29E48C1CBD320D6DD7CFF92042923745D868C4C0580B9FB499BB4699D7FFC6AC2D9FA80EC4330F8C8B4B685E9E4AE21373B
    Malicious:false
    Preview:<svg viewBox="0 0 96 96" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="Icons_HamburgerMenuIcon" overflow="hidden"><path d="M11 30 48 30 85 30 85 18 11 18Z" fill="#FFFFFF"/><path d="M11 54 48 54 85 54 85 42 11 42Z" fill="#FFFFFF"/><path d="M11 78 48 78 85 78 85 66 11 66Z" fill="#FFFFFF"/></svg>
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):8329
    Entropy (8bit):7.832751646585658
    Encrypted:false
    SSDEEP:192:nbj4rMvGOipjk7J9jjUkgTmdo9jU83jbZOwlVbDQMcYR9qH2Xo+c:nNe3k70adoNU8Tb7DbjR9E2Xo+c
    MD5:164EAD314AC3D2E989D23C9A2BF92509
    SHA1:01ABDBF23F0C579C8E7BEB94326EB0EC893DED2F
    SHA-256:188604E0436236A03272350C27A8E6EF96EDADD7E89F35975369F446A1D9DC82
    SHA-512:3FF029EE8321A2F333FB708FE5109CB86A97C5682C6FCBB558485E866400E5B5E9F901062E931CD37FF4AF5E6058FD8A9B72E9C7C59712541009E0278A068873
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 135 x 176, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):12500
    Entropy (8bit):7.963895025939282
    Encrypted:false
    SSDEEP:384:puDCg3GXRy+I3dfjFIK6Sdg9cA0g5LWqsjtT:vg3/trGn9cAXW
    MD5:DDC8FD60D7AC9B0F5B4A31F85941D910
    SHA1:D178CF17269863F9D66564BEDB0501B68B788D0C
    SHA-256:DDAF21F47792E18653DC4737562F0A50704D29C165FC6B0D79BACFFB52235032
    SHA-512:F2EC43E66913D43594326E08FC4D196561B6125B71E74A9158A1555458B09BA3B9B2633C53117FC65B614ED63CE5C16FC93713ABB10F29884271FB677245E5F1
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 139 x 139, 8-bit colormap, non-interlaced
    Category:dropped
    Size (bytes):1175
    Entropy (8bit):7.6598667385130375
    Encrypted:false
    SSDEEP:24:IAh+4Jr4fJLlxuQNJzPaS7ABIijx++53yyqDb2BBqLjWN4:IA/JyLlxrzSGAFL53Vq/Q2jJ
    MD5:E9FB3CF8B34D6CFB76978312E8B1D0AA
    SHA1:69382962C0C236B16B4153FF66F81241B4EB0508
    SHA-256:38CBCF4277F5C062906535018C6D5BB9DB86C1B90C1090CDB39C0A4398C86D93
    SHA-512:CCBBC2B407D7742BD7960C48FAA1F299CA43E5CC83A6204EAC9FE0534B3EBCEB5E23EAE462252B325AE4CB3DEDB264ABC657C8960D4836EAEAAE4BA28F2465AD
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 755 x 396, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):51633
    Entropy (8bit):7.977056362115758
    Encrypted:false
    SSDEEP:1536:jnYsZO/yN01sa2DT8krc9ri/FVpQbSS8T7C8+GCM7bHacC0EIIA42xO:DYgO/p238bhiNfQeS78+GCQHjC0Dh0
    MD5:39728FCA44F75F4E8070E789ACA184D7
    SHA1:F4CAA9AC061752ED81720B03D5E56DBD322EC33C
    SHA-256:4A987D6FD5B338F3EDCBAF8C7C514076F44026DE4F11276C11335ECF3FDC3117
    SHA-512:363918CCA1424E2D0D927A1438C539BC38130936E893E42F9AAB370BB57FCDD4306BEB6B0B16E20A9E1B852A72051409BC1C54E052FF5C20E8CD5138271820DD
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 95 x 95, 8-bit colormap, non-interlaced
    Category:dropped
    Size (bytes):855
    Entropy (8bit):7.436117043011675
    Encrypted:false
    SSDEEP:12:6v/7o4/fM/M6UG7NU/+04/0gira0+rfloGWVYSMlDhg9wFzPBziJuUQeJCctHu9:Ox6UyU/+jkra0ufllRm9wZP5fUNUctHg
    MD5:B2D1F94BB64D09B0A984994312A44326
    SHA1:D6E755583CF299DF6AB1131C9D94AA18ED5E7DBF
    SHA-256:B67CC2D62300EFC5D1AC008525E37269AD477BA57D0C6B0A6DEF5DD2EC5F8D72
    SHA-512:C28B92A2847AA5DD1D664B466C31837963121AA3B38615CF221AD9CAF81E5412F454EE0502C17042FED288B0984C5602F99D81BAADAC7876DF35A79E5ACEE57D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 590 x 589, 8-bit/color RGB, non-interlaced
    Category:dropped
    Size (bytes):137156
    Entropy (8bit):7.99115996925414
    Encrypted:true
    SSDEEP:3072:Yk7BUP0qkRwSPdlu+RCq1G0pmWS+iFmKLvlj+DWEZMJYRp:Yk7C8qkRHPdlucCOPpmyRKDd+DW1ap
    MD5:337565E283405CBA53EF817465D7582E
    SHA1:813C6E741BA1E430547E615006F53C415309CA8B
    SHA-256:E6A0F5E41B147D59AE1ED49FE8F805516AFFFCB544EB10377A58C8A0F86FE50D
    SHA-512:5A2BF0CCF1B6254C2A5B498D42D3B6111BFB7D01D55BC540B7C568D06B208BEC7737FA16C48A3813A64A6EE5980E53F8428A55C22E46D2C56FB8D6B40901815E
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):29464
    Entropy (8bit):6.454797750930207
    Encrypted:false
    SSDEEP:768:sGpWg7g2TFOcTQwBy0SJYiQAEAMxkETkH:JpWN64eSJ7Qbx/c
    MD5:0780F636F57AFF22C74196B4C6036404
    SHA1:FE6D6D9A26B2C08427C09499846AAAA9EFD1BA82
    SHA-256:D413056F433BDE4C95E47899C1A6C2CE925E2E5288BD45DE9F201095C002E36F
    SHA-512:9A8F33C4830776D1A557F3D012DFE8FE18288B50FEB9CC1E8A19BA81CC3FA7125B0E343B41D6DC91096CFC4BB9F31E11CCA2E711E76C866969F2B7C8944B1B43
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):694040
    Entropy (8bit):6.798071198410618
    Encrypted:false
    SSDEEP:12288:WJkgHpHfl7unn983HkCSamwpx8dDgX9C0p6ozUe:WiYpL3HxSaHpudDG9C08ozj
    MD5:C4CA5CCA1C53FE7AA92E3BE4C93DE0AC
    SHA1:FC8EF729778F385E37819A87B7DCD01C0782B4AE
    SHA-256:E775701D881EF15A6AC979448C1A9475DCC6F6B12C4B7D8CD7CE694C979A38AF
    SHA-512:4336B8E0032F523FCF1FCC34CFE34842F73D08F706BAE5232EBCB2424BE5D9580B008DCD550799FD242D32075315F64A2246A0F7E2E1F3C8C572FB8EF52B1ACD
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):2056
    Entropy (8bit):4.542339687773985
    Encrypted:false
    SSDEEP:24:2dRE//EkMruCF9JzN8PzdKfomWfZAfqRX6hpQ9793/0AbhXI4X89:cpdR8Pzk4QfMtzNM9
    MD5:6D9D46649B405988650753948C8E374C
    SHA1:D73D605051D538D4ED9D2E8367D8977600046049
    SHA-256:54067968411799D76813CD2D980AA26D04E3E78632E6CE2747A555E30BF32690
    SHA-512:E451B77D2968DC9E6728A7EAEC5851FD7C79415FB8D2B95FDCF15EFC75C4FD065D1FDE0A593B5C7D49EAAE817BC39EBCA1F00C561711CF5FC8F3C2C7BE93719C
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>..<config>.. <log_enable>0</log_enable>.. <log_level>0</log_level>.. <device>.. <server_ip>127.0.0.1</server_ip>.. <server_port>27182</server_port>.. <http_max_users>16</http_max_users>.. <https_enable>0</https_enable>.. <need_auth>0</need_auth>.. <information>.. <Manufacturer>ScreenBeam</Manufacturer>.. <Model>SB1100PLUS</Model>.. <FirmwareVersion>1.0</FirmwareVersion>.. <SerialNumber>123456</SerialNumber>.. <HardwareId>0.1</HardwareId>.. </information>.. <user>.. <username>admin</username>.. <password>admin</password>.. <userlevel>Administrator</userlevel>.. </user>.. <profile>.. <video_source>.. <width>[VideoWidth]</width>.. <height>[VideoHeight]</height>.. </video_source>.. <video_encoder>.. <width>[Vide
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4246
    Entropy (8bit):4.59391160498296
    Encrypted:false
    SSDEEP:48:cpdCtK8Pzk4QfMtzNMfdCQW/8PzkTCcMtexNM9:C1gZtzNktegJtYNW
    MD5:3907C753C5684A8E3E5F527D52BCC033
    SHA1:35C0132D2A728632439414DE9C00E450D4092E36
    SHA-256:83E20372AFDC7388F8310860908B0E1E5478C371AC97B28914C2FA176E52E2E9
    SHA-512:B31290F12774B1F85298D1A87C21B218FBF0C35A3797F4DA9B4841D448D46C54118F4D517AD5F01DFB2AEC6ED243C2FD65FD76902540DE19F1B5778056A5A5FB
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>..<config>.. <log_enable>0</log_enable>.. <log_level>0</log_level>.. <device>.. <server_ip>127.0.0.1</server_ip>.. <server_port>27182</server_port>.. <http_max_users>16</http_max_users>.. <https_enable>0</https_enable>.. <need_auth>0</need_auth>....<camera_name>In-Room Camera</camera_name>....<camera_uuid>[CameraUUID]</camera_uuid>.. <information>.. <Manufacturer>ScreenBeam</Manufacturer>.. <Model>SB1100PLUS</Model>.. <FirmwareVersion>1.0</FirmwareVersion>.. <SerialNumber>123456</SerialNumber>.. <HardwareId>0.1</HardwareId>.. </information>.. <user>.. <username>admin</username>.. <password>admin</password>.. <userlevel>Administrator</userlevel>.. </user>.. <profile>.. <video_source>.. <width>[VideoWidth]</width>.. <height>[VideoHeight]</height>
    Process:C:\Windows\System32\msiexec.exe
    File Type:ASCII text, with very long lines (1519), with CRLF, CR line terminators
    Category:dropped
    Size (bytes):5127
    Entropy (8bit):5.331931775659372
    Encrypted:false
    SSDEEP:96:o/OpOWBHl18Pe6HGbpOWBHl18Pe6HcpOWBHZ83ehebpOWBHZ83ehn:7pOWBF1ke6mbpOWBF1ke68pOWB5UeYbD
    MD5:A87DDC5D8B7E5D761FB916AF29B40BC4
    SHA1:B92C2E94D8B4536129F4B1ABD6525F32C09CE4ED
    SHA-256:6867B93F2F7E603F8BD1ABE82A19905018FE0634176C442A08F8ED83E8EB257B
    SHA-512:7CF4EBEDBAC013927454C900E57CADC59843F565D571DF7E89E56AA0D2A16680BBD2825D944365DAB7C47DB664DCCB8476ED51BEB36CB408049A2CA7AB530EBD
    Malicious:false
    Preview:[2021-08-23 21:52:25] : [ERROR] http_srv_net_init, bind tcp socket fail,err[WSAE-10049]!!!..[2021-08-23 21:52:25] : [DEBUG] onvif_device_hello, p_buf = <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:enc="http://www.w3.org/2003/05/soap-encoding" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsa5="http://www.w3.org/2005/08/addressing" xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery" xmlns:dn="http://www.onvif.org/ver10/network/wsdl" xmlns:tt="http://www.onvif.org/ver10/schema" xmlns:tds="http://www.onvif.org/ver10/device/wsdl"><s:Header><wsa:MessageID>uuid:30991b2f-72c2-24fc-5d79-2b1312437e85</wsa:MessageID><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Hello</wsa:Action></s:Header><s:Body><d:Hello><wsa:EndpointReference><wsa:Address>urn:uuid:718a1fb9-27d6-3c95-6829-4ab318de4250</wsa
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):2434328
    Entropy (8bit):6.265996100267196
    Encrypted:false
    SSDEEP:49152:vQ1VVA2kTpvTDuW8VNd1CPwDv3uFh+0nU:vQ1Vu5DuW8fd1CPwDv3uFh+0
    MD5:631F1CAC68FDC420328C6EFD9952CF41
    SHA1:3DF6FB2971EBFC3FD2520B6ACB196AF3DBB85855
    SHA-256:29B54EB7E388A772EE501A8A33D39FCF5BD24732685924784BD90ED12DEF7F25
    SHA-512:B8A1DF8FFB24F2D15D9C0BF757B71B7C8CD27516273B505F53CAB5CADCA66F8B59829ED9B73DB424E733EC2601BEE855A14D6AEA149EDB5BF1773FB6C35D1DE9
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):515352
    Entropy (8bit):5.814308251498547
    Encrypted:false
    SSDEEP:12288:hJ8sR6fYGsTRZ9vpHvG9ZiBgp/GidLzVaU2lvzXE5g:h/Xsf8WaU2lvzXE5g
    MD5:0B7853CB06FC1C142995367FF5B469C8
    SHA1:20DCC203F230429A8F0F6CBE8E073D423BA5544B
    SHA-256:D6C68F70B2EE3E1D23FAB5432092710A518824B01B83FAD25088CC2AE39BE46B
    SHA-512:501321F2358C81806DA0E8829954435DD5F6E2875EBAD17DBD2CD0351477D45672144295820B4446FEB98F5EAB0CEEADF93B1B853C7CAECAB06D3998E6DB6C58
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with CRLF, CR line terminators
    Category:dropped
    Size (bytes):28635
    Entropy (8bit):5.2012587313035885
    Encrypted:false
    SSDEEP:384:uJymAewyafBfBb3IyRcKjo8jmnCB8G289tn+Q8D/BOKJt28WH8mHmQn/rajAZxqg:Jj5B+xERuY7MIAIASkXS6XNQ
    MD5:612C974F0E3EA3B05914188CA96A0AA6
    SHA1:12D18BEBBDB5D03D21C2BE8E4F35CD4C8834FB7B
    SHA-256:9A37752D8A0B5E89DA83AFD9D65A22DA8781D1C74699B1FB78E324001D787A37
    SHA-512:5C4873A6A5FF06E07A06D5CF857E8E5929C7F8955900D2756F5D405C48A618B3A13DFFBF30FD2E26D49D4E9B15FA6B8AF3B9DDA2551052ED31F7F3364F2F9AC5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>...<config>...<log_enable>0</log_enable>...<log_level>0</log_level>...<device>...<server_ip>127.0.0.1</server_ip>...<server_port>10000</server_port>...<http_max_users>16</http_max_users>...<https_enable>0</https_enable>...<need_auth>0</need_auth>...<EndpointReference>f258763e-0959-4c30-b432-6729c72df070</EndpointReference>...<information>...<tds:Manufacturer>ScreenBeam</tds:Manufacturer>...<tds:Model>SB1100PLUS</tds:Model>...<tds:FirmwareVersion>1.0</tds:FirmwareVersion>...<tds:SerialNumber>123456</tds:SerialNumber>...<tds:HardwareId>0.1</tds:HardwareId>...</information>...<user>...<fixed>TRUE</fixed>...<username>admin</username>...<password>admin</password>...<userlevel>Administrator</userlevel>...</user>...<RemoteUser>...<Username></Username>...<Password></Password>...<UseDerivedPassword>FALSE</UseDerivedPassword>...</RemoteUser>...<SystemDateTime>...<tt:DateTimeType>NTP</tt:DateTimeType>...<tt:DaylightSavings>false</tt:DaylightSavings>...<tt:Tim
    Process:C:\Windows\System32\msiexec.exe
    File Type:PEM certificate
    Category:dropped
    Size (bytes):1298
    Entropy (8bit):5.792853162111365
    Encrypted:false
    SSDEEP:24:LrDpMNpyvSq0pxpynh0YH0kcP0y7Fm8osGYeoeGOodxp1ha7K9A:LryjppnhkaL7FCsGYeoWipS
    MD5:CDAF1F178B74FDF227723E7516464254
    SHA1:85908E45E29EAAE60CE6D4EB90861B0C61DDDD89
    SHA-256:525CA5B085D6F9D4A4D7C4C7A2986E9E4E467EE1030E12EDF07C5E2812BD1C79
    SHA-512:44F7A7222075F63B7681B9C4C301D7F318B476E3518C4D3A76F21340BFC158AA5A01D7E523C5EC254D9E621D793F0D50C906063A3139717B6DA73B65F0406963
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PEM RSA private key
    Category:dropped
    Size (bytes):902
    Entropy (8bit):6.008844379962527
    Encrypted:false
    SSDEEP:24:Lr4Rt7PVG5ju0j71GT86Ohq3B9avOcyh1uMRESsH6:LrEtgPjxX23Uxyfurq
    MD5:022C48439BC463BA3EC82002B5845A3C
    SHA1:2CD2A36E397287481E46B7E85477A70072127922
    SHA-256:B95A00C0C85DBF880BC9010CDB9C073B1665D5B4A940E05109A667438984A529
    SHA-512:50C44A1667095CC9DAA02A4D7150D82211A69A5E59B8BEC8108B94F8A4A115BA8DEED05F886FB1A25065179FD5F474CAA8B00BC85F8849389C80920A32755C08
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PDF document, version 1.7, 25 pages
    Category:dropped
    Size (bytes):682431
    Entropy (8bit):7.869888364240819
    Encrypted:false
    SSDEEP:12288:A86ijIexjY7508+5xtPNWvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvK:A52Wu+cE33MO30BnHNT17
    MD5:A26BDC90611ED559EB76EB35EB8B5219
    SHA1:E739803561D958E6FBBEA50295C22218FFD3D23D
    SHA-256:0D9FA2A08AAE647FDD0014B4C0CF0951FF2A63BA4D7D2E5C0FF43769FA8BC8AA
    SHA-512:CD63F6D27DD2EEA26773A5D8B33322CEDA130510840B3AADFBF2D59CB3CE29F25EFD9CF0EFAA6ED51B78D937693BAFBB05A7B9431A53965A2D30FBFF5FBB7D98
    Malicious:false
    Preview:%PDF-1.7.%.....1 0 obj.<</Names <</Dests 4 0 R>> /Outlines 5 0 R /Pages 2 0 R /Type /Catalog>>.endobj.3 0 obj.<</Author (Happytimesoft) /Comments () /Company () /CreationDate (D:20210802110638+03'06') /Creator (...W.P.S. e.[W) /Keywords () /ModDate (D:20210802110638+03'06') /Producer () /SourceModified (D:20210802110639+03'06') /Subject () /Title (Onvif Server) /Trapped /False>>.endobj.8 0 obj.<</AIS false /BM /Normal /CA 1 /Type /ExtGState /ca 1>>.endobj.6 0 obj.<</Contents 7 0 R /MediaBox [0 0 595.3 841.9] /Parent 2 0 R /Resources <</ExtGState <</GS8 8 0 R>> /Font <</FT14 14 0 R /FT19 19 0 R /FT9 9 0 R>>>> /Type /Page>>.endobj.7 0 obj.<</Filter /FlateDecode /Length 444>>..stream..x....J.@.....;.Z0f2.t.D......S..D.AA.....k...S)e..L....W..u..$.....^..6...=.....=........]..TQ..+F l.?.p.n.!)|8..r_..i...eir..U.....a...\....I ."S......t.=A..}J..;/..^..1d.%J....J...+x....0...J..Mn..... L[!.arDV.>/ i.G....1n....5ww....Z.}.;....|.........DQ.,.W.d......f...0J^..z/. ..q....0.
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):74520
    Entropy (8bit):6.849594516513229
    Encrypted:false
    SSDEEP:1536:lN2886xv555et/MCsjw0BuRK3jteo3ecbA2W86e7QKxRxV:lN28V55At/zqw+Iq9ecbA2W8TMiT
    MD5:4F6A3E9A598BF87F858DA1648EC177D6
    SHA1:C71E2B1AD6A628CD5B8E1779E42D5841DFE6926C
    SHA-256:A457D1229BE267E90B2B6DDB67CCDC28681EDAE3983B5B32DBA8BF52173AC2D8
    SHA-512:9270676691F1E01C1AE614FAFE86FC586D44D65F29B970B02FC35F6BB669A828F60CCCFF9CBBC46AD9C2D1BEC3C08AB3BE74A7E0F265F1712A2CE398016B31EE
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):402200
    Entropy (8bit):6.7306591781040614
    Encrypted:false
    SSDEEP:6144:wLVeNa307jXrapwILWL9pMCsVohOn81Za7PGW698TB5vC0Tzh0:u36jALWL9OCmohOnqcGW698TPvC0O
    MD5:F00A33CC0821930C95AFDA9B1C6DBAE2
    SHA1:FAE9FE390DFBC4C62BD7D733078A22D902935D18
    SHA-256:CC940159B9111F05358AD18D4D20889C3F521A71DF1CA801EE4C39DF2B051678
    SHA-512:C2FDEB170D43D48EA00F46868AF51362998825EB10056B54D7D2C6EBB5A43AAD4CF48EB665D418E8D039DAB29C33AF6D9BAB2658365C7AF4FB16EA88879A28B0
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):3567896
    Entropy (8bit):6.162172914235471
    Encrypted:false
    SSDEEP:24576:IOkuRMk0mZk7qDL2PtBLhM7RU7R2/8QcVYtk:IOk4P4dmRU7R2/8QcV
    MD5:C581ED53CBA066395E8D12E0FB318938
    SHA1:44FA5E8018B969B5BFFC0E9903402537219C5F22
    SHA-256:55CF426ADBFDC2F245E5BDDBEDB6C54F77E339847658166ECB494BAACF1A5FFB
    SHA-512:3F4816258E949B663053D226501D5A411C6B38F9DC019F7AD467590FD4B2BA5781668F3F331878F7C6EA4EB6123DEE2000356CC0E2F75DEE280EDF4618D934EC
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*3675 bytes
    Category:dropped
    Size (bytes):1881600
    Entropy (8bit):4.153189992522293
    Encrypted:false
    SSDEEP:12288:joj++vd7wRRaHmTp4dg5uSdV0uRlqV9CNxoF4dj9j:+nRXH/g5ndV0yNZt
    MD5:94C8740D63B37C684DE2161DAB3F12A0
    SHA1:0D9D0A83BAA3A88DF4C81244215E310E0BA4FD94
    SHA-256:7D118A9927106081E6861212729B50B9954CDC156BEA7553D76A2E137D97A048
    SHA-512:3C97A442758325B8262015A47AF1BFB47F838C70557AC95AE8BCE9D5D87696344F46D928D1A99999CB8924A343EFCFD717F167030F6B2930A3B9CB3524D2CEBF
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):599672
    Entropy (8bit):4.694314470643874
    Encrypted:false
    SSDEEP:6144:NktMqadrRUnvQFqnhpcROFutFeBiR5b7TVjEqqpFL:3UCA
    MD5:3DEB13968C22CDE75D6F614DFA25758E
    SHA1:177E9B52A72AE157F70EA16D16F3E917BEBE3B79
    SHA-256:90AACC1B9F0325A081C1DC5BABC580D693A3D5CAB61905BE8D3E9BC2496F4ACB
    SHA-512:8269F6900AB3AE726D6D79C9135F1D46A8AE9192C88C7EE82CA6038CD25CC5CC30D7F5215D049CB17DEC8EA18F02511315E79C16F17A0148DEF46580B746F314
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>MahApps.Metro</name>.. </assembly>.. <members>.. <member name="P:MahApps.Metro.Accessibility.AccessibilitySwitches.UseNetFx472CompatibleAccessibilityFeatures">.. <summary>.. Switch to force accessibility to only use features compatible with .NET 472.. When true, all accessibility features are compatible with .NET 472.. When false, accessibility features added in .NET versions greater than 472 can be enabled... </summary>.. </member>.. <member name="T:MahApps.Metro.Actions.CommandTriggerAction">.. <summary>.. This CommandTriggerAction can be used to bind any event on any FrameworkElement to an <see cref="T:System.Windows.Input.ICommand" />... This trigger can only be attached to a FrameworkElement or a class deriving from FrameworkElement... .. This class is inspired from Laurent Bugnion and h
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):102168
    Entropy (8bit):6.120185608929333
    Encrypted:false
    SSDEEP:1536:yrf5GttgxHXEuRmG5rtkGY4CEmWAxXSSYhhS98ca2Wvsd65FJDlGWwkEy/7QRxb:65GttWHXEUx5r65LxXshk8JDIWP/Mr
    MD5:AC1BDB8762329D0C344D874C2931EEFF
    SHA1:1CFE984D651724129134C1BF63336BAC0318C150
    SHA-256:6D11948CB1BB867DE28FD4D5C82E0E811AC19DDB66C6D579F959CC45CB48BC8A
    SHA-512:0C121C1FF74AA67374CFD9F9F2640EFE93603D37C41ED38662A7504AD10FCADB481CBF881CE80EDE55B6DE1FA2A0E15985C8FAF01A4200F50D28A6EC8414EDD9
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with very long lines (409), with CRLF line terminators
    Category:dropped
    Size (bytes):76763
    Entropy (8bit):4.535821308884759
    Encrypted:false
    SSDEEP:1536:+hRBEEny5f5YFsUxLvgLTGzJxKG4E+pZ1aI8a2GKvEGKGlMEYHDPrMp3hIr4Poqm:qvyFrMp3hc7oTi
    MD5:6183C17BCC82E2A2885A14B35FA50B1C
    SHA1:CE4E6A7BA118FA52DCD3C5E448F1FA26040E85E3
    SHA-256:6208068DD16A2C1C79FAA2E29CA029B59DE06CD66F16D9DC27EDABB8FFEBAD48
    SHA-512:B5140BECB6F72075BDFFB40DCCADD77A83B8836BE87FE2B3AB7AF18EAD85F6F9171B3E97640352BEB1DB64393CA67033EC09F7B2F95C85ADE795ECE866B39DF3
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Microsoft.Expression.Interactions</name>.. </assembly>.. <members>.. <member name="T:Microsoft.Expression.Interactivity.Core.ActionCommand">.. <summary>.. A basic implementation of ICommand that wraps a method that takes no parameters or a method that takes one parameter... </summary>.. </member>.. <member name="M:Microsoft.Expression.Interactivity.Core.ActionCommand.#ctor(System.Action)">.. <summary>.. Initializes a new instance of the <see cref="T:Microsoft.Expression.Interactivity.Core.ActionCommand"/> class... </summary>.. <param name="action">The action.</param>.. <remarks>Use this constructor to provide an action that ignores the ICommand parameter.</remarks>.. </member>.. <member name="M:Microsoft.Expression.Interactivity.Core.ActionCommand.#ctor(System.Action{System.Object})">.. <s
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):146200
    Entropy (8bit):6.131518825014733
    Encrypted:false
    SSDEEP:3072:dCPmFPD950+dzR1decbMn5TX55r4j2cM:cPmVDz0+d05T
    MD5:29114DCB4B7CE701E92293692C905309
    SHA1:9381570DDF16C3483E7E8BA78514D04B0EBEF535
    SHA-256:A9811AEF6A46E23A1D03CDD0BA9BB32CFDD78A2C2A3A64F666EF9545C8690917
    SHA-512:FA2A63737A82CCE739C5869D9E1CE732E5C31FCF4879102EE22621D7DE726DB12C7124B8CDAD6B7C266F5F8DB43E43E18A54C73283203E2F08BEF77F871CD4A8
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:Microsoft Roslyn C# debugging symbols version 1.0
    Category:dropped
    Size (bytes):52032
    Entropy (8bit):5.334600855320652
    Encrypted:false
    SSDEEP:768:Ho05puXM/mr0or4TKzkhq5WGneTfAp+A5cgWpORyUtAOHpZfDvdorxU5HMRI0xgm:1JWL4w2WtAOJFl4nkrvq3
    MD5:5C23C6B85B1BF45EB8B2B36014C24D87
    SHA1:EBFF7B739F015EB024A7FA3F947A39E02DC70E31
    SHA-256:FB216DDB86BD1E6053BF8BAD8E67557E2922D56D83B913197142C872907BC79A
    SHA-512:5BCE36466755B173512D9EBA3172B5194F9FE548E11718850DD4C239134729344CB00976A70E398AA5BA048AEAC64331E4A23F0E48272455C93530B95987D11B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with very long lines (389), with CRLF line terminators
    Category:dropped
    Size (bytes):139226
    Entropy (8bit):4.53900325821367
    Encrypted:false
    SSDEEP:1536:+ZyjUyXsNaimE+YRwUxLvgLTGztxKG4E+pJ1as8a2G6vEG+GlGgLPgJRBy8nm0lr:F9gk/BUB0fYSt3Bl
    MD5:83A73589D5705D3A890253A6F8C140EB
    SHA1:27C092DBB481D0207FB160098BB4B43FB0D6E126
    SHA-256:0672969B6ADF9FC6D56873FF17FC8F45E9FEBC2FD6E997B19D5CB7EF2546DB70
    SHA-512:A18A29FDF055E2507A6BD2837FF1D9B6E9A0486B315C786FC86B49DC2229B8B167A7D103FB16EF342916324A08DF0EDCAEEAA2BFD0F4FF8862C63572C9AD371B
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Microsoft.Xaml.Behaviors</name>.. </assembly>.. <members>.. <member name="T:Microsoft.Xaml.Behaviors.AttachableCollection`1">.. <summary>.. Represents a collection of IAttachedObject with a shared AssociatedObject and provides change notifications to its contents when that AssociatedObject changes... </summary>.. </member>.. <member name="P:Microsoft.Xaml.Behaviors.AttachableCollection`1.AssociatedObject">.. <summary>.. The object on which the collection is hosted... </summary>.. </member>.. <member name="M:Microsoft.Xaml.Behaviors.AttachableCollection`1.#ctor">.. <summary>.. Initializes a new instance of the <see cref="T:Microsoft.Xaml.Behaviors.AttachableCollection`1"/> class... </summary>.. <remarks>Internal, because this should not be inherited outside this assembly.</remark
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):1434
    Entropy (8bit):4.900941090644329
    Encrypted:false
    SSDEEP:24:JdNQjY8jsLoKaQe1W04pyaMMW04FzMSMpbP3KabFx2ldnD2cc/Or:3b8jbgpXMzFzMSMdvClJ7r
    MD5:5DD8A1A04E3B8E2CF8D8D0CA563A08F5
    SHA1:DD79976E4FB6D7799B83EF26569C0FF433662FF3
    SHA-256:8687718C6EB351CEFFBE09395A5F565790E4F784DA2A4464DC411960FD3BC99A
    SHA-512:8B472C76E9D4DD97775B72211D4C54A5A552CF60055B6A4F139EE224E6B483898D3607646FA285850DC2A990DDCCF84F71E6DCCF0B33D70F6E13009B0BEA233C
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. autoReload="true".. throwExceptions="false">.... <variable name="appName" value="ScreenBeam Conference" />.... <targets async="true">.. <target xsi:type="File".. name="default".. layout="${longdate} - ${level:uppercase=true}: ${message}${onexception:${newline}EXCEPTION\: ${exception:format=ToString}}".. fileName="${specialfolder:LocalApplicationData}\${appName}\Logs\${appName}_${shortdate}.log".. keepFileOpen="false".. archiveFileName="${specialfolder:LocalApplicationData}\${appName}\Logs\${appName}_${shortdate}.{##}.log".. archiveNumbering="Sequence".. archiveEvery="Day".. maxArchiveFiles="30".. />.... <target name="debugger".. xsi:type="Debugger".. layout="${longdate} - ${level:upperc
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):888600
    Entropy (8bit):6.070850754311288
    Encrypted:false
    SSDEEP:12288:Z1g1a9wdGNA9qQmDocTrP5rs3ekNuquwKUYaDyUsQ:Z1g1a9wdGNA9qQco+rh0uqvKUYamUsQ
    MD5:E19679258DE1321C8435FE3D377307F5
    SHA1:01798C4C40161B14265D8D1C4785528C24373225
    SHA-256:178132DBAF7BEEC8FC3EFD709E50F19091A57E50581F5DF2267867F125BB9CE3
    SHA-512:6A57F4A26C743694D4AC64FF021776563AD2591D9B4812B25460B268AE9F534C791198AFE4C8C4EF9E76B52FFD6094A9E8A42CE2CC38C7E5541DC232F4F0FA22
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with very long lines (385), with CRLF line terminators
    Category:dropped
    Size (bytes):1661000
    Entropy (8bit):4.576713883814205
    Encrypted:false
    SSDEEP:6144:3bDXjSkDsv6ZrgFOG3We13QixCx8ZaRIHp8TEKcQonqDhIrMBc+6z+beoX:PH15e8EKH
    MD5:CA532230EDE750DC11C7E26C521F382F
    SHA1:F8DB7F7BF3C5A7B68CAA072D79064EFC52F66ABC
    SHA-256:0840395F0EF1BFF0746895255C19AF38E7775D3C316892E94C6514E834E3BFB5
    SHA-512:5025B6EE3E9C56D902435D209C75A3A6A873B489656B0E42BDBCCEEE8F3B083A1F06B74AE436552E00CCEE0C1D0D6726408FECF2A68091B442E44EBC79B80929
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>NLog</name>.. </assembly>.. <members>.. <member name="T:JetBrains.Annotations.CanBeNullAttribute">.. <summary>.. Indicates that the value of the marked element could be <c>null</c> sometimes,.. so the check for <c>null</c> is necessary before its usage... </summary>.. <example><code>.. [CanBeNull] object Test() => null;.. .. void UseTest() {.. var p = Test();.. var s = p.ToString(); // Warning: Possible 'System.NullReferenceException'.. }.. </code></example>.. </member>.. <member name="T:JetBrains.Annotations.NotNullAttribute">.. <summary>.. Indicates that the value of the marked element could never be <c>null</c>... </summary>.. <example><code>.. [NotNull] object Foo() {.. return null; // Warning: P
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):704792
    Entropy (8bit):5.954725735274191
    Encrypted:false
    SSDEEP:12288:r9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3k:r8m657w6ZBLmkitKqBCjC0PDgM50
    MD5:A7E548426DDBE511492436FA499B8154
    SHA1:6E59F4FBCD028236F65331F72430594F8F7BA196
    SHA-256:5C8F0A663E0E5CC9E9A6F96A23A571BF475631C7C3F013BF52C4466A07DBE8B0
    SHA-512:602DAAB09D6B57023DF575873C2EDCF3021A465CD5961C6AAF4496F2310F5F16C81AD46F7FE72C4607979BCA13E7018844A1F687046826F597BB8EFBA915DF8B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):710224
    Entropy (8bit):4.632813781023419
    Encrypted:false
    SSDEEP:6144:XqqUmk/RikeaG0rH3jGHdl0/InHHpgVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QA:DUq
    MD5:F414B3F68FE7C4F094B8FE8382F858C9
    SHA1:66EE1B3266FCEDDE433B392156AB4A24262B2F34
    SHA-256:2D46B37B086D6848AF5F021D2D7A40581CE78AADD8EE39D309AEE4771A0EECCF
    SHA-512:19B2FEB40C2E9D4D20D9A21F88F6ECEA773060C056B8CBBD21A6EEC41486DC5FC101E6C31129B0D53466D04709BCD4ED777058DDFB02532242B43E253A7B24BD
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):56088
    Entropy (8bit):6.3238854712246395
    Encrypted:false
    SSDEEP:1536:4kCPMBRD49uC70Ky9xbLwLJ7ElKntB7QRxk:YPMz4s9xbLwN7ElKntBM0
    MD5:3C987DEB985A958F676A8FD87BF6D6D2
    SHA1:80ACF82C7FFFDB049F30BC44472C978AF5884F80
    SHA-256:7C8422C2276B683CF7D0DDC6509B33D63D45D84F87DB9376779AFA7E6A2EBD3E
    SHA-512:5C1AF30B04DE015470257A0B642C8C209F893A44A622B530D2A5133CD9B744863DE4C8ADFC005BF9B2E9A896A217EDD539884B33A8258D6A61805B2A3B68EB71
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):189
    Entropy (8bit):4.986033023891149
    Encrypted:false
    SSDEEP:3:JLWMNHU8LdgCzMvHcIMOofMuQVQDURAmIRMNHjFHr0lUfEyhTRGOGFvREBAW4QIT:JiMVBdTMkIGMfVJ7VJdfEyFRzSJuAW4p
    MD5:9DBAD5517B46F41DBB0D8780B20AB87E
    SHA1:EF6AEF0B1EA5D01B6E088A8BF2F429773C04BA5E
    SHA-256:47E5A0F101AF4151D7F13D2D6BFA9B847D5B5E4A98D1F4674B7C015772746CDF
    SHA-512:43825F5C26C54E1FC5BFFCCE30CAAD1449A28C0C9A9432E9CE17D255F8BF6057C1A1002D9471E5B654AB1DE08FB6EABF96302CDB3E0FB4B63BA0FF186E903BE8
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />.. </startup>..</configuration>
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*259 bytes
    Category:dropped
    Size (bytes):132608
    Entropy (8bit):3.7367234561117266
    Encrypted:false
    SSDEEP:768:L+Z2ZTTM1ldA+TnAGrpqOF052IeUfQV5kGgv1s5zM6265QCuhdgl9gKfU0dSsJfA:ZfQ7Eds5zM6F5cfg8EU0dSsxNfQ8IsY
    MD5:5DAAA783F426B37DB9254F6063054D6F
    SHA1:7756681B5C157B1503EE8E576DF7B94B0C5D30A5
    SHA-256:5B78D9816A463FBDFF8F0B7E6D0F8AB206C0EE5437049DB88BBE09CEFA648CE7
    SHA-512:389C3F11A8A0FC4178EB99BC3DA0BCFCD75B2540688C50434B396FA34F043D3FFB91B63D8B997ABC9F8AA309D7387ED58A3C3046447DCBABB76384D1D53D1E15
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):55576
    Entropy (8bit):6.4704149301143055
    Encrypted:false
    SSDEEP:1536:SfH1V5+DvjVPf+d8fk8RDn73zW/pq5RWcHPzbZY2n7Qkx1:SfH1V5IjVPfs8fnDPWc5RVPxY2nM0
    MD5:3ED2CC6C98D3A74C3E57A0E4F9C2D582
    SHA1:37EE24D754894A0C1DB191D5C6FB8E118EF5CFD0
    SHA-256:8EFA698B86AC93581BEE125AD3794BBFD91A4256962438FFE08B8275533EFCAD
    SHA-512:33E54D2FB758BB70423C318FB94DFC4C54064BAF0FDE08B8769BA0ABDB794510485F1381C09492D6D950F6128C2D81DBA405CDCE8210110A8C7729F505483A7A
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*75 bytes
    Category:dropped
    Size (bytes):38400
    Entropy (8bit):3.0989320881772695
    Encrypted:false
    SSDEEP:384:CiFyFr8oKKFDulNsBtd7q0dh8oKHFDuw02:CiFyFr8oKgDuLsg038oKlDuw0
    MD5:CC198790FFCD01466AAD8FFF352FA1F6
    SHA1:475893D85B36D36F245DAF1529FF2C7B78681F0A
    SHA-256:B170681CD9C652B55CF570D2F3138E6C40D9365F227875EE13F2F57635DBC873
    SHA-512:81E59420B4CE2E0A21759309B7748BA27C7FB6E8B311408C56DA19F1D014B30B75B7C6FD7F671709C040852F07109649B09CC53B00B1116B995469E1467C6EBB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):151832
    Entropy (8bit):6.350097128841805
    Encrypted:false
    SSDEEP:3072:Qk6ELHC5M5IWhXB1npb/tlrerT5ZWQI8YoBuRWMo:Qk6uiO51dLkZWDUI2
    MD5:7F2D9166F212B56C9A601BEBF63F9D50
    SHA1:CBEE7F6A9B5CC7A2C7C8D488085BD0C8DF5C703F
    SHA-256:9E6203072BBEEFA3A8FDEE704602DDF3904CFD6154B497FA8AE7C4F9B0E5DD2A
    SHA-512:14498A1D4D55EECE8F50894F8C30A98AD4C06B82B53F292CEDB917EA09FBA7E7209FA93942739A348337711F61F2A2506522BC5B7A53B15944F0B30E4D7356BB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*607 bytes
    Category:dropped
    Size (bytes):310784
    Entropy (8bit):3.8420007386791966
    Encrypted:false
    SSDEEP:3072:NW3KyfwHcPzYze8be9ebIQVWrPKGPWQebIQCKG6:NWbfw8EzrbaecQwGGPWQecQDG6
    MD5:30FEE8F952335EFF6240A58F2EABC04D
    SHA1:9A9C27842F7E70B358D73C3E62EB2E639BD487D0
    SHA-256:42752A3D930F9D433DA8D79E847F93597EA5C909C39D73D315E954ED9F2B3320
    SHA-512:0C1A5152603D713A7CF6F0AD439BA1043850BCDAC55E8136FC95D2EE0A188260DAF7CBD70CF9311F9333F1FD9CA649D668F4BFD8C307809CD38343B2AAB9D2CB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):48408
    Entropy (8bit):6.122937107072226
    Encrypted:false
    SSDEEP:768:+kl47xzmJaNf82GiHR/IvWc6T9kTm10kq3vgYiQVAMxkEzY:2t+Q8yH2+ykAvg7Qtxo
    MD5:4DFF4E46DC25E7588F6282D4B6C5B782
    SHA1:DCE60C4560EA4FE45C0E76F518A1079E7FDCBEE8
    SHA-256:5B7C4008E708015A76AECC8702F7BD9CEE00227B0AD0008F42A147A7503ACC63
    SHA-512:F1DDCAA457BD02D5EFEA6F6D3D7ED39F02F2A3D1525A5BFF496B5D0C80AFD9B06AA8CC49200ACB118F8BDF752B05B3524D5B5BDAECAB3D2CE2729605FFD810E1
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*287 bytes
    Category:dropped
    Size (bytes):146944
    Entropy (8bit):3.761241859788167
    Encrypted:false
    SSDEEP:1536:qOMQsv+YJ0m8HKnApBtcGOVh/jRaPJ98YEpRTNQNzyifQftcGOVhuQNzy:HY5bnApdOVhMErGNzRqdOVhpNz
    MD5:F2C4E938B01CCF80B2AEB4D1D60CC923
    SHA1:B294536DDB36A955F32CFC2D858AE594C2EC272A
    SHA-256:0A1BBE8512EBE9C572393A67D5767DE5EE76DF69153F9B75BAD8C8A970DE346B
    SHA-512:845D0499A9DB60CADE4B1EE4903BD9C9AC77B66A1A15A550A6B91BD2740F023B0EF08649AE5A6C23324B7F96E148C70A86D43C75FCFD40C6DA2695DC5E28E394
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):4066584
    Entropy (8bit):7.989837301850693
    Encrypted:false
    SSDEEP:98304:ae1wzglNYK0bIZ54x3iNLlNAjtmKTIXtU29k9X46/1KH3ZqtwX:Ogo/bwA3iFrAjg6IXtULXjwH3s
    MD5:49EDE238CD1592A59C8ECB8F5F8197D1
    SHA1:DAFAA7C7E102D32BA6EE7D568CD654EAF08F886D
    SHA-256:EFA9AC4B8AE816C6F0FA7850D5F6E509E6CCFFA7F379A7579E59BFE4327477F8
    SHA-512:CE4A646BD29EE222E252385211E05F1CD5EBEFD4013EFAA2415716F40D81FCE4DD90EC664629D2562860302B291E73925B802E6E547F013B06BA8A34C952CFE7
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):933
    Entropy (8bit):5.0355202174457405
    Encrypted:false
    SSDEEP:24:JdErnJM9zsfFgCJsPuAHGPF7NruH2/+Y9y:3ErnJM9zs6Gyumu7Yg+Yw
    MD5:552EC6CC1F2349624ED0015E3B765A98
    SHA1:B95938B153783194DBC664D4AB4C60FF5C350B7D
    SHA-256:A793490AC3AF49279521B305B3C5C9B9A2A8EF6D1A684BA228E4B68E9A7B5C5F
    SHA-512:6567E66701E5CA16897D40C53BE5E3415A021E70D75D8593AE9D6AB5BD265A09DE8973DFCA3AEEE7BAD0E09275732BA835B7D87A84EE7DA0C8EA4522A989418E
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />.. </startup>.. <system.serviceModel>.. <client>.... <endpoint name="NetTcpEndpoint" address="net.tcp://localhost:16669/Service" binding="netTcpBinding" contract="SBConference.Common.IService" />.... </client>.... <diagnostics>.. <messageLogging logEntireMessage="true".. logMessagesAtTransportLevel="true" />.. </diagnostics>-->.... </system.serviceModel>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.3.0" newVersion="4.1.3.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*251 bytes
    Category:dropped
    Size (bytes):128512
    Entropy (8bit):3.9442434007114078
    Encrypted:false
    SSDEEP:768:bdEbE0VTUK18AzjLCierdAiYWgi421cLld2SBcOntizg4J1WnETvTrXA9VTUK18i:X2iHfWYTrX7ni
    MD5:CA263B7A835CE742177A5A0CE42A6B32
    SHA1:FBDC608F9FCA02CC4C6D91E194944C9CDB672D06
    SHA-256:C2F8C99BC50B7398A58BEBE5591C2F7C41AC5B267D6505FFB8482CEEE75DA2B2
    SHA-512:7189CC03B355375BA63949F85443894C6B7CF745DD5EE13032C9BD87F15F31EE5A9E57B02A09ACD7DD901A046BE21D53A27D1721A3C600F1F70DA97445BE3838
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):160536
    Entropy (8bit):6.280993018521582
    Encrypted:false
    SSDEEP:1536:MK9VX2/egy/giIRVFmXeMlGEs94P6MLrUPBBuOpKUsnj80T+EaDnsPPxbTp8fnTn:MKDXEeFc7KeMlGEsBPsUWq/jFYelgZM
    MD5:D4FBF3E62B0537A2748F5FE7720DA6A0
    SHA1:0872214111D9DDCA1F6FD7AEAEDE4466DEE1D952
    SHA-256:CAEF4E6F5F60738A7278C6B2B078AF7531A2BAC0532CB620555325BC91D5282F
    SHA-512:E1BD3413CE79651AEA044028C10F60CBA1B03708A3A99539EBB921284E3727B8C7D96567337D9366EFBF58E8429D65B4863B457DD4324C9020904D84CFB1E4D2
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):349464
    Entropy (8bit):5.894971805919038
    Encrypted:false
    SSDEEP:6144:EjqoeIm08rQRRaTPNKr6hwAdQ7qKCJdj55:EjqoeImLrH9hJ5
    MD5:28A16A3E4E8132891563FCF824612D7E
    SHA1:A3B85EB950AD66C42D2609F04EC316DCB36FDB8A
    SHA-256:9DDED55C29AAEBEFFF38D0D2C5BCC05995BB2F0960CA551F33914E70E086B09D
    SHA-512:A9EF3C31F5AA7BB65425B0F2E74887DAD6D70DD9C3B9B6E097A0D7A1D645E6C525B047483DDFA47C3C4D3E474B976B148E0037FA12D567170D46AE187B890D80
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):226072
    Entropy (8bit):5.654764163313933
    Encrypted:false
    SSDEEP:3072:YRpzojglcletW1yZLJ80UOEgS8DOnL6dCZrGxamas0Ank/uy1WWZjUjY1xC/BytW:m1BE5L6xy1WWZjUj467
    MD5:EC9715E46C96C011B1FAEF40BB9F4F01
    SHA1:7C82358F09F86ABAB8EA57D1C05B7CCA8AE0E422
    SHA-256:046A9DC18A3358EA78353374165D2F26F2808ABC283528210E9C0BD06DF77649
    SHA-512:BF876C7FB6583726FB491C9239C34366F51E6534EF2D389C7AC5553683C172B9ED028C837771D0C106A47683956F07FC084290C424BBE79373BA655DACF06AA5
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):567064
    Entropy (8bit):5.786726343190093
    Encrypted:false
    SSDEEP:6144:Y6gB96kgNEh+jVLm7SVTZ+YS5dXnuqhciIgluGvSfTaDuGN:YSDEhum+F45dXEiDuw
    MD5:166713637D8CC2BCB44871FEB383AE28
    SHA1:B0AD11A2E522E13EE25DF9DB9F83D5973F4B610D
    SHA-256:9589A133E9E08F37FC0746569EC50379BDFED0AEAE4854855A46A40B7322F298
    SHA-512:3FC7C3490FAB5FBA909E8E9B2DA8A18D81BB29260B3E6ACFB9DA31C7B03AE52987AD1081A4B0E7DD9340C6C7E3FAEEE0534A9B1EE4747D4A04CA54F85D033FAB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):281880
    Entropy (8bit):6.178943988986239
    Encrypted:false
    SSDEEP:3072:DNGAHSuAfn0xDI+enjgpjgAvZgDlq514bA383R5QAfSgaZoqej16x3aG37B6Hy7Q:wAyOEkfBgDlq/M3rQMSN2d1Wqo/I
    MD5:DE9A28C37E9FB5BA6CF0CFC93034D390
    SHA1:FC5F4EBC4E6A7E006D1927A029616BE82DF2A63B
    SHA-256:B52CD6C1A40AF43B33E6E38FC9AAE296072436AE674C1CECD607AD9FB80A8F73
    SHA-512:31426FFD40A8C75892BF83D9AF64B34C1D07C2889E5D9522478DCE7F1E3AA3562BE97CE7E0A370157749D5EA64B59116C25FD1413B313B93D175324B2D317C75
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):64280
    Entropy (8bit):6.290503586278377
    Encrypted:false
    SSDEEP:1536:aYe5uO+LcqmQWE1EwULYFaue+7nF107QnxL:al5u7A5EeUaunJ10M
    MD5:FDBD2474A2CFEC4C102DABB10416C961
    SHA1:F53B3F48F5E5E54F2BA41806A38364DFD88FC33F
    SHA-256:9FE3782EDC32628535476EBB39D0F2F8384509E249F5ECE33984940511C90B93
    SHA-512:1AF8E6E7BBC1C28DFC563441F20F8620D20C16DB8F441E78BC96ED5BFBC20A16150BE50C2134EA2C696BCD0745B0768DD36ED7791CD04887E6373E53BDC7C948
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):189
    Entropy (8bit):4.986033023891149
    Encrypted:false
    SSDEEP:3:JLWMNHU8LdgCzMvHcIMOofMuQVQDURAmIRMNHjFHr0lUfEyhTRGOGFvREBAW4QIT:JiMVBdTMkIGMfVJ7VJdfEyFRzSJuAW4p
    MD5:9DBAD5517B46F41DBB0D8780B20AB87E
    SHA1:EF6AEF0B1EA5D01B6E088A8BF2F429773C04BA5E
    SHA-256:47E5A0F101AF4151D7F13D2D6BFA9B847D5B5E4A98D1F4674B7C015772746CDF
    SHA-512:43825F5C26C54E1FC5BFFCCE30CAAD1449A28C0C9A9432E9CE17D255F8BF6057C1A1002D9471E5B654AB1DE08FB6EABF96302CDB3E0FB4B63BA0FF186E903BE8
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />.. </startup>..</configuration>
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*295 bytes
    Category:dropped
    Size (bytes):151040
    Entropy (8bit):3.7625146843055375
    Encrypted:false
    SSDEEP:1536:pFQdS3gVUDit2w2eflHwUr3MiyjCdG7GVV4kDA6Ziy0lYkDA:pFQdAitn2qwUr3p7VV4kDAZLlYkDA
    MD5:3ADD5FDC896B38683C251DA1AD6128BC
    SHA1:588FD99903588E38A11AC532754DB1946AFA76E3
    SHA-256:696334D3707F55432B4BEC3A43DC23D9BEB9E994D4D1D9B40CAACEBFF8B68FE3
    SHA-512:A1405D66AD8AFB2946800D7573EF601C86B3FDC50DD0879693AADF1ABDC465962B066B3AE6B8E3319A78643B685D2FE94A86B5C368DEA6646878407D2818912D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):759576
    Entropy (8bit):6.352472365888328
    Encrypted:false
    SSDEEP:12288:SjyerCn3SG4tGFGU+NzJHomqU6V1jnQxZdlCG3pFb6KtXX2nrfSNT6v2q6w0:yrCn3S0GfNzP76V1jnQxZdlCG3pFb6KV
    MD5:6EE059C35544D0BE65DB1F006A837529
    SHA1:F9A315C70E27717369F78533B5CF8A4418146F85
    SHA-256:368899A819A090CD53239D808D742D8627D5609C22E7A06BFFBDB186F5B7CF93
    SHA-512:27DFD3780B78F36A7D4A8CAF1ACE98B511134C200683EC8B22910C4963221C44ECEADCB6E74C874ACEC2A3678864DA6C54A3A5F12B45033E2F29E63C84C98F38
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (621), with CRLF line terminators
    Category:dropped
    Size (bytes):168793
    Entropy (8bit):4.530149376990327
    Encrypted:false
    SSDEEP:1536:ReWZtlVd41Oqi0H1Oqi02Vx5cnJ1OqinzP48Y4Q26ga68xFdJLyuipkyhg1+e1pl:AWHZ5QZ8T6gsJLyuiyyhwTpCN/24K
    MD5:7AEE18F5FD135B525FEEC66BB2AED5D3
    SHA1:2B6C577F4AD8C5BFD704394AEB7F2C056E3FB21F
    SHA-256:882E2B07E327779A7C917ACA4B2B22D8F8D1F55B79BD8576418F980FB9770179
    SHA-512:F4DFE5DCA00A9504F0EE9ABCEC03AC334901400BED6411C9FEA7891DBCA2EA7F7E92B43620C83A36984B4A2CDDBBB77170CD23BF2149B2B842E7D7BAC76359C5
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Svg</name>.. </assembly>.. <members>.. <member name="T:Svg.SvgCircle">.. <summary>.. An SVG element to render circles to the document... </summary>.. </member>.. <member name="P:Svg.SvgCircle.Center">.. <summary>.. Gets the center point of the circle... </summary>.. <value>The center.</value>.. </member>.. <member name="M:Svg.SvgCircle.Path(Svg.ISvgRenderer)">.. <summary>.. Gets the <see cref="T:System.Drawing.Drawing2D.GraphicsPath"/> representing this element... </summary>.. </member>.. <member name="M:Svg.SvgCircle.Render(Svg.ISvgRenderer)">.. <summary>.. Renders the circle using the specified <see cref="T:Svg.ISvgRenderer"/> object... </summary>.. <param name="renderer">The renderer object.</param>.. </member>.
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):22296
    Entropy (8bit):6.661508875389691
    Encrypted:false
    SSDEEP:384:SICREYcfpyXOT9Z7a6WmYWXyIYiQ325fAM+o/8E9VF0NyCMKzE:SIiE9QXM11YiQ4fAMxkEWg
    MD5:7AF2BB5BFB7341639A3CA6A699CAE7B2
    SHA1:E9D6F07F47A1F442C2368F516144F64F5362B9CB
    SHA-256:4A2CFCA5EB6A5754DAF900FB46A759231F17328BA7966E60AF239037F6FF2EFD
    SHA-512:2C4574D103111BB237E6E3C4049F26B97BEBAE1311755B8C71215D8E1B86B22ACA8384F19E39FB40295C4380962011C27D5851D7AC4FDCE5F67B8D51ACF77FFE
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (634), with CRLF line terminators
    Category:dropped
    Size (bytes):3195
    Entropy (8bit):4.750160458439205
    Encrypted:false
    SSDEEP:48:3iRtamCGLiVMgLGTKLG0LG8hLGRpWG79NmGM9TLGoA96cmgKxnGu7gMcXFFfYK8L:ySm9iVHAKv3hQt9Y9TXAixbewKXHSH
    MD5:0C727C6CF7E10FB85310C46EC17AC47F
    SHA1:F7C922B32655DA2732CDF9E980DAD7337EA87D5E
    SHA-256:5047E342F6E3860E8B37B77207D5E10C5007E07692777EB504D0CED628DA022C
    SHA-512:32D95683A8AE55E0EAA6A6C401B01E1ED50389C2382EDBDD05A59A39AFE78FB8BB10E49FF4696AAF702B98AEE0A2AC4857EA330AE133AAFEAAC3B514EFBE2EA4
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8"?><span>..<doc>.. <assembly>.. <name>System.Buffers</name>.. </assembly>.. <members>.. <member name="T:System.Buffers.ArrayPool`1">.. <summary>Provides a resource pool that enables reusing instances of type <see cref="T[]"></see>.</summary>.. <typeparam name="T">The type of the objects that are in the resource pool.</typeparam>.. </member>.. <member name="M:System.Buffers.ArrayPool`1.#ctor">.. <summary>Initializes a new instance of the <see cref="ArrayPool{T}"></see> class.</summary>.. </member>.. <member name="M:System.Buffers.ArrayPool`1.Create">.. <summary>Creates a new instance of the <see cref="ArrayPool{T}"></see> class.</summary>.. <returns>A new instance of the <see cref="ArrayPool{T}"></see> class.</returns>.. </member>.. <member name="M:System.Buffers.ArrayPool`1.Create(System.Int32,System.Int32)">.. <summary>Creates a new instance of the <see cref="ArrayPool{T}"></see> class using
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):143128
    Entropy (8bit):6.161834548460209
    Encrypted:false
    SSDEEP:1536:uxi8ae06y7Q0kSutmvEmFk0pBa/+h8k/6kY2F8xB0dhqABtx5yoG9QI7Q3xYB:a0vDkSutmhFpYqtDqAhjMQIMM
    MD5:1BB4F097684332EAAF0E3EC2F7827ED0
    SHA1:F3FEA7009EBDC178F651D397BF0FDDD159623644
    SHA-256:1D5E43163031E8F1CE57C52E47EF88E8AABB97768634D578BFE4B5C7BE249DC4
    SHA-512:C5FA7222F663F68FE3647477B76B1D1C0DEBAF5F3D0181E96F37AAE7339CF49D1E919F9CF6AB4CAB983440EA7BB3E90FC6CB93CA1D2E757ACA4B100C7ACE5F2F
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):13950
    Entropy (8bit):4.749162715500682
    Encrypted:false
    SSDEEP:192:19SSrAVfjSE0wxiMiLiLiXdCjticiciAiJiziPNjNei5i9zhi+ipOUTJ:1gbXKKXppPmcPi6LmJ
    MD5:ADD19745A43B2515280CE24671863114
    SHA1:CF44E6557FDE93288FF2567A002A69279965CABA
    SHA-256:D5714C96607EB1A9D0F90F57CA194D8A9C3EDE0656A1D1F461E78B209F054813
    SHA-512:8D7E564FA61411B5C28F29B07855DD112687EDCB39B991803C7C7DE67B6894B309102AC9B52409B56B7BB5C9101EB4CDFB21FCFBF5D835E4A153E188CB97CC87
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8"?><doc>.. <assembly>.. <name>System.Memory</name>.. </assembly>.. <members>.. <member name="T:System.Span`1">.. <typeparam name="T"></typeparam>.. </member>.. <member name="M:System.Span`1.#ctor(`0[])">.. <param name="array"></param>.. </member>.. <member name="M:System.Span`1.#ctor(System.Void*,System.Int32)">.. <param name="pointer"></param>.. <param name="length"></param>.. </member>.. <member name="M:System.Span`1.#ctor(`0[],System.Int32)">.. <param name="array"></param>.. <param name="start"></param>.. </member>.. <member name="M:System.Span`1.#ctor(`0[],System.Int32,System.Int32)">.. <param name="array"></param>.. <param name="start"></param>.. <param name="length"></param>.. </member>.. <member name="M:System.Span`1.Clear">.. .. </member>.. <member name="M:System.Span`1.CopyTo(System.Span{`0})">.. <param name="destination"></param>.. </mem
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):110360
    Entropy (8bit):5.472126869612753
    Encrypted:false
    SSDEEP:1536:opKSyD3hoE3PQU9xb1iPKHKWU//6hE2rkQQP7QRxK:DSyLhZ/X9xb1YKqn/unQPM6
    MD5:3B996E0EA6AC14699DF670C0DD2F73BF
    SHA1:A5CB7B078C68C0DCE9421EECC1E3B574B38705A4
    SHA-256:62AB86754E7F29E3E0D33D93A1D7DC8642EA02D5D1D764C163FD91A48361C0ED
    SHA-512:BCD1728D409134FE80363DDD48DA997A66790CDC99C2ABDB1E6B1F20133FF9ABCC64DB4115FA02A649F55188141D1FD435C89FC93FCC347BBD23E153DD792597
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (640), with CRLF line terminators
    Category:dropped
    Size (bytes):183543
    Entropy (8bit):4.784775080568946
    Encrypted:false
    SSDEEP:1536:9zlgmfTCpKdUqMGFYBlF8Yza2HbyJtJZJ9JaGN4AscoqrbuCeBqaiaIacasa7c12:9zhfTD227fX1HKg1agk
    MD5:A556041FB2F0F8ACFB89FCE08A9DE8F0
    SHA1:E2A3B3ACB380A4EB626B44FF6EE04A37110A3389
    SHA-256:996E11F72E5BB4F58B080CCAF94C325F8CABB175070DDE109516A5069ED17708
    SHA-512:116D6C3C98E0CC70718A7B0CE38826FDE8EF00CFE9A8D00C721BC1BF2297F39A5B256143BA6568A87BC6D0506D53A3BAE12B7899655454536DEC13AC455B2A17
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8"?><span>..<doc>.. <assembly>.. <name>System.Numerics.Vectors</name>.. </assembly>.. <members>.. <member name="T:System.Numerics.Matrix3x2">.. <summary>Represents a 3x2 matrix.</summary>.. </member>.. <member name="M:System.Numerics.Matrix3x2.#ctor(System.Single,System.Single,System.Single,System.Single,System.Single,System.Single)">.. <summary>Creates a 3x2 matrix from the specified components.</summary>.. <param name="m11">The value to assign to the first element in the first row.</param>.. <param name="m12">The value to assign to the second element in the first row.</param>.. <param name="m21">The value to assign to the first element in the second row.</param>.. <param name="m22">The value to assign to the second element in the second row.</param>.. <param name="m31">The value to assign to the first element in the third row.</param>.. <param name="m32">The value to assign to the second eleme
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):18200
    Entropy (8bit):6.647256534345748
    Encrypted:false
    SSDEEP:384:BqTO1PdhW1YWxvZIYiQ3JWipAM+o/8E9VF0NyJ:Bq6PSzmYiQppAMxkE
    MD5:521D8FBE51F173BA797E24BDE4F360E8
    SHA1:5763C85FBD5F8329AAE074ED4E3626B9A1CA6950
    SHA-256:266865175253A0B5E3359E7302306C855B2B396AE131469C74D0FD2DA26CE3B2
    SHA-512:DD453E27705E18DFE8FEFA171CA91CDBD11523885379FDDA1D18B7FA54803982DFB9969A8F635CD41259CE66A2A292DDF5F5415BABE0B0665EB499EDD7711D3F
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):14080
    Entropy (8bit):4.739717678047703
    Encrypted:false
    SSDEEP:384:1/uXuAB8fmAc26yQew6griJriurt8rtTpkE+EDJOgOha/MU:1/A3WfmAc2rQew6griJriurt8rtTpkEX
    MD5:26CD9E7E8A62BB97CACE4E4AC16987A0
    SHA1:E705414BE72B4866BC3AD02B9529656014C63CB1
    SHA-256:63E32EBB4B26C25F65DDF26B5FA9D7147A9C8B45DF355DB90AC706AFEC980036
    SHA-512:AEF9CF14E85D954E86B7C9A3AB35398DE0E1EE97A6CE383F82BCE789DCB2355C8AB781007F88B2D5E8F94D2E4CF940319FE0BF746E937F600F8425CA885973CD
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8"?><doc>.. <assembly>.. <name>System.Runtime.CompilerServices.Unsafe</name>.. </assembly>.. <members>.. <member name="T:System.Runtime.CompilerServices.Unsafe">.. <summary>Contains generic, low-level functionality for manipulating pointers.</summary>.. </member>.. <member name="M:System.Runtime.CompilerServices.Unsafe.Add``1(``0@,System.Int32)">.. <summary>Adds an element offset to the given reference.</summary>.. <param name="source">The reference to add the offset to.</param>.. <param name="elementOffset">The offset to add.</param>.. <typeparam name="T">The type of reference.</typeparam>.. <returns>A new reference that reflects the addition of offset to pointer.</returns>.. </member>.. <member name="M:System.Runtime.CompilerServices.Unsafe.Add``1(``0@,System.IntPtr)">.. <summary>Adds an element offset to the given reference.</summary>.. <param name="source">The reference to add the offs
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):22808
    Entropy (8bit):6.595569001676994
    Encrypted:false
    SSDEEP:384:BB9g5l+A3VVdCRdtOfd7TCUBQ4BX8JZa6Si5HsOgrE2WGCWLIYiQ3I4ERAAM+o/R:39g5HVVX12fsOgrE+QYiQRECAMxkEq4
    MD5:D4574B2CA72B54510BD91F6AB532A549
    SHA1:E2B43351D7A8100D7553F2B1AEEAD24EBC7434AE
    SHA-256:D4B22A50D7551E7D4FDD1CF24D7258868062F894AE504F32D2CD024C0F1C1C5F
    SHA-512:43BA1A1853673AA7125460D275FD8E057AF64410715C3A1DF98AAF7195AB6AFC45A1F3B8B77BBE7F99A59B2EB4458B234462ABD690BD657B9FFB1135616BB293
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (541), with CRLF line terminators
    Category:dropped
    Size (bytes):76981
    Entropy (8bit):4.819464476297391
    Encrypted:false
    SSDEEP:384:YNa7Vx5ughg2y1eEics/2cLtU+61hYg45bmZiNjcAjdKvj59znKSe5+YjTjljcKZ:YHeEUZtgsccITKSFYjxcKSskiKS1
    MD5:3A4E05CD88971CC7988F3179977192CA
    SHA1:C0F796775FB852E6F9F75AB70846EE49619D9988
    SHA-256:576D49F78CEDFC37A7F7452EA7519EBF690642EBB87D01AC777605FFDBC648B0
    SHA-512:4E649FE654160B8D2595927CB215F078E1D97EE5B1D366D0651743E143DD990867FFB3E6C69AC19AFEF0D75C9B8B28E36977AAA4D64C5FFD24B0037B04828479
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8"?>..<doc>.. <assembly>.. <name>System.Runtime.WindowsRuntime</name>.. </assembly>.. <members>.. <member name="T:System.WindowsRuntimeSystemExtensions">.. <summary>Provides extension methods for converting between tasks and Windows Runtime asynchronous actions and operations. </summary>.. </member>.. <member name="M:System.WindowsRuntimeSystemExtensions.AsAsyncAction(System.Threading.Tasks.Task)">.. <summary>Returns a Windows Runtime asynchronous action that represents a started task. </summary>.. <returns>A Windows.Foundation.IAsyncAction instance that represents the started task. </returns>.. <param name="source">The started task. </param>.. <exception cref="T:System.ArgumentNullException">.. <paramref name="source" /> is null. </exception>.. <exception cref="T:System.InvalidOperationException">.. <paramref name="source" /> is an unstarted task. </exception>.. </member>.. <member na
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):19736
    Entropy (8bit):6.537343777286511
    Encrypted:false
    SSDEEP:384:ayPa16oAL4D+wW9IWmDIW4IWYDfIYiQ3fhcgAM+o/8E9VF0NyyPu:aWs6oqDjADKeDgYiQpcgAMxkE+
    MD5:34F3EB69BF032DFB180493B629B04B55
    SHA1:29A22F64D5849A7C622EF547544AF9794E492918
    SHA-256:A8C1F844B5792B99056B06D6CDDC5F1FCFD516E002C3B4D76FA983F2EFE666EE
    SHA-512:4014DAF36491288FF7CF0C95219FC7196BAA56A7D15B317ED30ADD038DE48FBD76D86FF26DDA8758C4575D23ED102392204F0FA9C2CD766F53D3D853B711164C
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):142
    Entropy (8bit):4.391770241438592
    Encrypted:false
    SSDEEP:3:vFWWMNHUz6GbC/0tFFNu7WRtLz3hAbS9/FFNrGMH/xtgGM8Xby:TMV06GbSWVVR+SXNffgp8Xby
    MD5:B6E60687AE5DB6D011E21E6993620745
    SHA1:B117C6BBDDC72E7F4B590173992EE17BFDDE4BE1
    SHA-256:C37E163FA76629C196460C7B4D54E95B1A46A4C66AB7B6F3311959C8137DC5F1
    SHA-512:709212B6CB36F57B92A82DEF810F9C075A91B3E6A5FD330DCFB563D94A320783509441347D63BDE97F530C6B10CE6AA769CA11F7FC39ACF1B25D5C8F9DCBB389
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>System.ValueTuple</name>.. </assembly>.. <members>.. </members>..</doc>..
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):50456
    Entropy (8bit):6.2119772067294035
    Encrypted:false
    SSDEEP:1536:g3wBccZdxuB8mQen6JxKjrlMZgR0EoO7QJxMu:OcHmQPUkOMN
    MD5:7AE13CBAAAD0B8B994E76A37CEF24353
    SHA1:BA094A6223B8AFA4863C0C770BABE09AF3ED06DD
    SHA-256:EF050B004528D762CB7A70FAE8095DE216B6CBB69E6F396033E458BF19AEA07D
    SHA-512:00DF0A4F9E32328773BA921B01C9A11B5CE0E9953188F735077DD56789BCDFB13C84115E2316A0BAF1EB02B56174E4908748E1CA7A2389B578986474D3BD273F
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):62128
    Entropy (8bit):4.529932548825407
    Encrypted:false
    SSDEEP:1536:2y80yatyXMOX0lrNyzEYIFu8cKy5BYAeu:MsY
    MD5:F70AEFF5A0E73BBA854A66ED6F0F5340
    SHA1:5669C580408931021A39CFE0563771CBED623670
    SHA-256:9608C07302EFF914A866DC5D416A8816FE9B28DF62EDF6D9C28F79A0236824F4
    SHA-512:95B076A38E3F320CC16F4AE31FB76CFE3FC378A7EB33ECE9F1FA83D7281CBA72D8BBCBADE2C1476793351B0C19CE8851A192FD42E3E3554402011E9FDC024BE7
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>System.Windows.Interactivity</name>.. </assembly>.. <members>.. <member name="T:System.Windows.Interactivity.AttachableCollection`1">.. <summary>.. Represents a collection of IAttachedObject with a shared AssociatedObject and provides change notifications to its contents when that AssociatedObject changes... </summary>.. </member>.. <member name="T:System.Windows.Interactivity.IAttachedObject">.. <summary>.. An interface for an object that can be attached to another object... </summary>.. </member>.. <member name="M:System.Windows.Interactivity.IAttachedObject.Attach(System.Windows.DependencyObject)">.. <summary>.. Attaches to the specified object... </summary>.. <param name="dependencyObject">The object to attach to.</param>.. </member>.. <member name="M:System.Wi
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):24064
    Entropy (8bit):5.436377150873873
    Encrypted:false
    SSDEEP:384:nOeNiCPJ8d//4CMSKtmVbFhFMTuzO3zoVOgvevU3+uARkArvLU8Wyt:/x8d/i49z7cgWvwARkwvLU8
    MD5:D0854E8DB0D1AFBDAB9CEDB8464561A7
    SHA1:7550E1257E2D243AC0A12439D2A55C74718753D4
    SHA-256:363DC1FDC0C50618C9049F87BF6E2C6EB9D9CE4AC08960373BF778EF854D78AD
    SHA-512:CAF5CB38121FE12A560CEBE4E1AC3266AEFB3C7AB0635EFF26D1AB7DE8CD349F52CB8F9FD4F8E05CF6E496FF07083961881517298FF80A07691B22EF2B317A3D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):5773312
    Entropy (8bit):5.68640191645299
    Encrypted:false
    SSDEEP:49152:OVINVwJzGKybK12T5yb9ksyZWPsADcn0XjOTQVm8fGwoAIMHFqG:/NVwJzVSs+Wp4xyD
    MD5:2B71864142900544334292C45C9A9A21
    SHA1:763865F2163F8B3A294BB156D1E36B9E73A9EBAB
    SHA-256:94687C2812CD4B0DF1F93C3D083BAA730CAB07E9D9C3931FA6557C808BCEF49B
    SHA-512:DD73C7832A2B43774D18A83AC08CEE5A6F7D76F870A98A344B3FDD1DE61CD9B7362D31009F443592F138EFFB9ED7CDD9E4F8A7282C699B7AF3F434ABE74F215E
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):174080
    Entropy (8bit):4.838714488862786
    Encrypted:false
    SSDEEP:1536:BXlu9HOsrxLLC581nfkhTf85SfD/8E8pMyF2fIK2E3ZMrf/GXTdXg7A/w:b41x7v54sMyov2+Mrf/GXKA
    MD5:6AEB1C3E0470912D776EF79DC180AEF6
    SHA1:C35A83124548142B7AF868166EEB9B9A8DEDCA03
    SHA-256:249D4EBDCB399002F7B6DCB50384AD0DF3AB6A7CF7087161EDA4E43052128E6D
    SHA-512:3AA0D6D8BFB0788353A85E5C0F88B0D0B0CD80F200C78932D8BD4FCF0711EF6577F9C3F4036BB88A4EC7BCF58ED2C4A48FC003324B47A0FAB51E2A1B73436DE4
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):103704
    Entropy (8bit):6.283500656281991
    Encrypted:false
    SSDEEP:1536:UZGfW5mvu8DC4AiyZAZIJjAgyzjeIcKNVT7VuWCbwt2Ezl7Qgx:UZGfNu8DyZAZwWtpVT7VVdgYlM
    MD5:5C288D93DBA0C7808C8641D93F966F34
    SHA1:620D664D8CC43630485232A39B0F66B22DF3FAEF
    SHA-256:38238B3E3F09AC56194B8B40E8CBB5E7E079DA2E128BC8A04B6705B28765F6B1
    SHA-512:E7FF0412D22C5BE7E77F66093308E05BE31C48AACF693C5B61CC4431D9DA79AA5B72871F781419B92A657C7433F26ECE877698F17B4A86BCD9150C53D42B2934
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Microsoft Roslyn C# debugging symbols version 1.0
    Category:dropped
    Size (bytes):28012
    Entropy (8bit):5.07766090155697
    Encrypted:false
    SSDEEP:384:UnhIrxUN3RhP+UVpi+L2P2lxX2rzELJRDXPn1F4da24Ui0o92d2zPSuWaK9cww0H:txwnPJL5JL4Dih9KWK9cww0oUZ
    MD5:9F580CA88DB263A3BDB75D40EE88C8B8
    SHA1:73F47B6B2A04525C8DA776A746933EE8F02E3845
    SHA-256:E0387871E704D9402196F786ED697F87FB63267BDCB142829E02CC1C3F548275
    SHA-512:2839625305CF2375C281C60E86694263AF151F5CDA311624C019A76207543B1A1E9AB91C5D70AB50A151DA52BEEC7225D887C5AA748E4B964271CB8F63C9B681
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):10752
    Entropy (8bit):4.756472052670044
    Encrypted:false
    SSDEEP:192:MGzDcHtDpvhpzcPWg3TUHfBo+6IhF0DY2ACkVtW/lRODhQkBp3ySNUt4LUTsVB6j:M3HtDpvhpz03TafBo+6IhF0DY2ACkVlk
    MD5:742FAA100BAC5ED77490CC84EDC1F7CD
    SHA1:A9EAEFC888393EBE225D185943C8F96CD76D6CCB
    SHA-256:63DF6824DC2E3B89E9EC6B715C3003A5897B0D9922DA5C15E89C7C775076D819
    SHA-512:8744657359041C78161E3CC51497D26A30E1C46F5222764EC1376EBAC0E9602F98B7E7E7B94047F4F3CEC320A6726B352386AF2B4AA704AE4D9788C3EAAAFACC
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):11264
    Entropy (8bit):4.612853416102891
    Encrypted:false
    SSDEEP:192:3N1vttjc+uAS57xu3e5auZJWzE4idhleNjqi4oqTJVnt1JhRw0BVV9r:3bvH0uzE4UhYjqi4/d/RPBBr
    MD5:87C6CFC235A35EB25487B644C9861663
    SHA1:4A9068F285B59D423D380212F97BAB141DED2ABC
    SHA-256:6F5320AE94A0DA80C0E558F3A858A2E71AA7D403229160A0E24F87FB28227AF5
    SHA-512:A449BE35474EEC5A8925E25D26AB0233812DB533908AE66801D10548BEBD90A91CC2191998047BAC6C6F99E6F51501990D1E5464158DFE2BDCC9CF77C62EF813
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):39192
    Entropy (8bit):5.109347441746483
    Encrypted:false
    SSDEEP:768:m+ZpbHSTTUa8x+qvvIojhSYiQ8duAMxkE:m+Zpb8T2x+CvS7QKcx
    MD5:E9B86FF3090C30FF0E54A68A453D536C
    SHA1:B837C280956635C1388FBD34F0A205D7D87A3540
    SHA-256:E46C40629DA8D94A8F861F6562EBC1C0A5BAD935D29FA0A2E1C33A241EF20181
    SHA-512:8E31E1972160B0A2727559D35B9A8569F27F0908FB684F42F1D794EAB7B7C60358B89E1AC6BD4CE2B640BE51721279E17A2871F4F4A1CC850FA831C90AD4E86D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:JSON data
    Category:dropped
    Size (bytes):389
    Entropy (8bit):4.731905128310357
    Encrypted:false
    SSDEEP:12:UYZI36ofqq2NpJXRRdNpVBfHU/iKz6J7z:UYS9qDNrXZNaTzon
    MD5:5F8CB8F1EC254CD5617741E89BC7569A
    SHA1:818A4674AF8BC1713B37CE0A28EAFB14EE6CC29F
    SHA-256:3A3B2CD2FFB3C5554D4828EB695B00AD5E7D1B2EC99D2FD2D10C19BD01AA50D0
    SHA-512:A919EDF9765384F2FC4567F1F1DC34E10B63109EC6748E969BA8D50B86809909CB0F87846E9A6005477C32122D2B8DE4A7EFEB1F1CBABE09ED84B654E5BCB028
    Malicious:false
    Preview:{.. "General": {.. "MinimizeUponConnection": false,.. "RunOnStartUp": false,.. "ShowTutortialUponConnection": true.. },.. "Conference": {.. "ConnectByomAutomatically": false,.. "UseInRoomMicrophoneAutomatically": false,.. "IsStreamingFhdVideo": true.. },.. "Test": {.. "IsEnableEchoCancelling": false.. },.. "Misc": {.. "IsShowOnNextDisconnect": true.. }..}
    Process:C:\Windows\System32\msiexec.exe
    File Type:DOS batch file, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1435
    Entropy (8bit):5.168514160976156
    Encrypted:false
    SSDEEP:24:CBc6mGOPDSgJaX7Blu7BW7BFXli/3g/EuzU/OVdEisHROVyOpX:0VgQX7Blu7BW7BFXg3g/EhAXnx
    MD5:9A11812CD3236C4E308130B537534745
    SHA1:26C6225474A25FB9C644CF78D4A7CB87D1E04AA2
    SHA-256:7CBF8C34EBF0318B37AA0ED06FA51BBB07F1F8C2BF4C1B07CAFE733A5D6E58DB
    SHA-512:5BCB6FD583828941F95B267742A82CCA602ADABF36D775F850D50336296EB6144FA1E7BAF29E3A3D9ED043A6BD7A605B1E1650C8D2EBC60F253057293D42C512
    Malicious:false
    Preview:@echo off....setlocal....set "DriverInfFile=vacscbkd.inf"..set "DeviceHwId=ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5"..set "DeviceInstId=Root\{aafa5613-1d56-4309-9c3a-c3911d766be5}\0000"....set Mode=....if /i "%1" == "install" set Mode=install..if /i "%1" == "remove" set Mode=remove....if "%Mode%" == "" (.... echo Parameter 1 must be "install" or "remove".. pause.. exit /b 1....)....if /i "%PROCESSOR_ARCHITECTURE%" == "x86" (.... set ProcDir=x86....) else if /i "%PROCESSOR_ARCHITECTURE%" == "AMD64" (.... set ProcDir=x64....) else (.... echo Unsupported architechture %PROCESSOR_ARCHITECTURE%.. pause.. exit /b 1....)....for /f "tokens=2 delims=[]" %%S in ('ver') do (.... for /f "tokens=2-5 delims=. " %%A in ("%%S") do (.... set /a Ver1=%%A.. set /a Ver2=%%B.. set /a Ver3=%%C.. rem set /a Ver4=%%D.... )....)....set InfFileSfx=....if %Ver1% LEQ 6 set InfFileSfx=6x....for %%F in ("%DriverInfFile%") do set DriverInfFile=%%~nF%InfFileSfx%%%~xF....if "%M
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):12270
    Entropy (8bit):7.330686262712275
    Encrypted:false
    SSDEEP:192:E9RPmW9bH/JCTaJ9EwvZvhYCT+ezE7weX01k9z3AUJYVp+Ry:WewpJZvh3BzEnR9zVuVIRy
    MD5:D80C1F0FDBC377D61DFD9F7158EFD158
    SHA1:520D67843181C66360AAEC19A670DD27EA136B3F
    SHA-256:F32E7DC3D4BC5104DF339329D110F051ED0D4C5894DFFEC82100B90D8F199E5C
    SHA-512:A31C25C15B0587A189CD5A5A8B462FEB2423409D3315CFED22142A45DD0A322A0AE18CF86D7E787B824C031163397A44B25A9B557DAF2B1EFC517A9CED743F36
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):2929
    Entropy (8bit):5.065142022178145
    Encrypted:false
    SSDEEP:48:fzl3b2Qb2ncb25AMPHwuTHYH9ewl9P8uPtS+iSFEY0dPFF+8PBDx:LMNnhZSkFdPBt
    MD5:66561E329C80089A6F916FADE352E6FC
    SHA1:AC5F26849C758F8B14B4AAEB157160A44AD6B5F6
    SHA-256:10E2C8EB7EF0E74819D5C8351B262D686D2D19C591CF2192D6A096C7B211F199
    SHA-512:9659B11CD773B246FC21291D91907D3C1318155914EBDF310C86DCB4445B6CCE3902D15BE3F26145C968D217B54D613750E00A2ADDC50142F3162E0CE64F8F16
    Malicious:false
    Preview:[Version]....Signature = "$WINDOWS NT$"..Class = MEDIA..Provider = %VendorName%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/02/2023, 4.70.0.13054..CatalogFile = vacscbkd.cat........[Manufacturer]....%VendorName% = DevSection, NTx86, NTamd64........[DevSection.NTx86]....%DeviceName% = DevInst, %HardwareId%........[DevSection.NTamd64]....%DeviceName% = DevInst, %HardwareId%........[DevInst.NT]....Include = ks.inf, wdmaudio.inf..Needs = KS.Registration, WDMAUDIO.Registration..CopyFiles = DevInst.DriverModules..AddReg = DevInst.AddReg..AddProperty = DevInst.Properties........;#####################################################################..;..; Services..; ========..;..;#####################################################################........[DevInst.NT.Services]....AddService = %ServiceId%, 0x2, SrvInstSection........[SrvInstSection]....DisplayName = %ServiceName%..ServiceType = %SERVICE_KERNEL_DRIVER%..StartType = %SERVICE_DEMAND_START%..ErrorControl = %
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (native) x86-64, for MS Windows
    Category:dropped
    Size (bytes):219792
    Entropy (8bit):5.735350585191654
    Encrypted:false
    SSDEEP:3072:JE8wEpWgqisLq82YvqNEmM5jLl3GnE7/PFvpkjNkoB4CWkPfT:J2EAinbojxLpGE7/9ekoqA
    MD5:64B29F91C54FDBA4FDCDD9460B7594F4
    SHA1:D42BAE0B88FB7E7AF29A81816B9DFEC2C6659F11
    SHA-256:BC6863FFF87B0D25DE44D4CA2593F3B31493204EFB9BC490C5CC36A705B633FD
    SHA-512:096EA1751317617E6036D5C81DFFC8695BEFCD4BCB47808AD01C9C0821AB2573545553B81D053A3E940B50D819707F56F3E605F31E9FFC539573B4B52319AE11
    Malicious:true
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (native) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):191632
    Entropy (8bit):5.775659352675325
    Encrypted:false
    SSDEEP:3072:xeiCi36K6Yi6cnpcfpWxoSP2W9NhOGAZnqBKzWzPG8w7PoiN6boOV:iQp5QTOpzWLGjPoiU
    MD5:42CDA2FE305A48FD4E95308D671F660B
    SHA1:B6A3E0187A779E3CCD8B756972A02CCEA14A4B56
    SHA-256:ED57B23BAADA65CDC62ED7712D190E1FB72FF77FC5B6FC0CF8B40693E5F2BC75
    SHA-512:4DEEE6E391CBB8E9850ECE265A9FD351EFCF6CE3BB6F5D3F8670F01D4ED870EF1E5B29E43DC5AE9A5D1E6906842E0385AEB9EA0E6B758127C5E21A166D86AA3B
    Malicious:true
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):31144
    Entropy (8bit):6.45005930112513
    Encrypted:false
    SSDEEP:768:0mnmSRBRQWj2jdkYpCMmzydjmNsc2pSTVEV3GPkj3UZ:HB7QKFGjmNsLITOEMK
    MD5:5F85D1A6148263FA5B0F68368840E644
    SHA1:890EF23C2592441AEEE5E54EDA628E25215F67B6
    SHA-256:E7DACEF5ECC8289199FFFCFB6859EA6BC308C602DAA24684BCB3D6D9FDF9919C
    SHA-512:7E491C0CC3EC1682D41BFB76C4FC10473F1D9F800BA7519C1DD1AFD8186DDD845ECCDE87F170A545A27D80AF4BA6AA2FA8FBD07D34256D2D7E54696CCA8BD091
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):28584
    Entropy (8bit):6.610450236402353
    Encrypted:false
    SSDEEP:384:+CgU5TxIr4qwCedA/u2EnHvs1vJMQJK2CKV48VEVFJ8ZcGwGBk7/UMQ3W:+QFI0qwCedB/HvsA2pxVEV3GPkjf
    MD5:10992B9F2436DE3DDF8B2E0AFD1040A0
    SHA1:C9EFA7BADB2B1ABEB84586F47512F1649D8E8CF0
    SHA-256:C5F1F14908488AA50D0584B1432386A838AA94117B7E16C1545FB158B1425522
    SHA-512:18F9EE23094D2356ED0736D2DA05CA6B2D6C8F1E562194A6431A4453456A0C4C7A0E6A9A09786C9ED8F44144BAC2BDDDD908F087F174B4054FCE1F1B916CE5E3
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
    Category:dropped
    Size (bytes):96092
    Entropy (8bit):5.125892289083072
    Encrypted:false
    SSDEEP:768:qsgbCfsZDFVc0P8ad2o1x3osI1vNjlvcwAZ3V2mN6y+DR7I7QQoNXtBxXYco9XFm:qs+ZD/yIIAZwrbE0
    MD5:3A84C8EADA945F4F7F041BC4BCD49F11
    SHA1:F50F5FA1589371F29C4B195EFCB82D2DC2DFE18B
    SHA-256:B83EE69EEA4EF9D0DB9E1A5214BFEF7295776BB1B6E007ECC021BAFF401032DF
    SHA-512:C1C7F5B176CCB574B2C67F8ABA63ABC7212ED592C35C45603AAEC6761176AF129691C9467A1DF8D86EEAFEF650335CC997686A024901BFFCA001CC7A2C186E57
    Malicious:false
    Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\f42\fbidi \fmodern\fcharset0\fprq1{\*\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0302020204030204}Calibri Light;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbm
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):18712
    Entropy (8bit):6.76645596694645
    Encrypted:false
    SSDEEP:384:UTrw7JCe+uOEGK4nghz4lIYiQ3YxrMAM+o/8E9VF0NyFbb:m8FH+OJYiQdAMxkELb
    MD5:DEA230ABC90612B2E36B5F6E8F7BEDB2
    SHA1:8F4F49E2F0A90B6A80923E547C612AD1B1CD57B7
    SHA-256:3DA5FC8E6AA3112AFA8B5C18A7598A2968F3E4260C92E52C2B0276F0C20BB0B9
    SHA-512:5A0E1085E2946F4DE5C8ED2ACF74FF9AD07229AC6A7525128BB410031F7C8E832EDB0854731C4A4A52E2CEAEC54313D671C035E0A62ADA257106419B96709603
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.851775353029676
    Encrypted:false
    SSDEEP:384:RN9VWhX3WCIYiQ3DnSAM+o/8E9VF0NyN4:zGSYiQDSAMxkEE
    MD5:45CF55F348A4C6B02A1CECF75C4C0E8B
    SHA1:1D7344C78FE6D4BEBB0F86E4863D08F61C481826
    SHA-256:4154D294B48A50566C0149B2BD89B2EE002AB46397A9C8566873632EAEF9F623
    SHA-512:E9D7B0D8C5E6ECE746F927DCACF66C5897A3631632FBDC879EABF5F0ACA705F1F63B2644528FB09D372687C1033F1B0BA92C9B789C2A7CA1C0E679D6245FFDF4
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):1470
    Entropy (8bit):4.90143896769124
    Encrypted:false
    SSDEEP:24:JdNQjY88lsfEoKaQe1W04pyaMMW04FzMSMpbP3KabFx2ldnD2cc/Or:3b8ewngpXMzFzMSMdvClJ7r
    MD5:0ECA7C05DCB6880312350E079D1CDA3E
    SHA1:EFFC35AB59077DC1885443C5BB1FDE798CBBBEAC
    SHA-256:497C6FD5714049D34FDA34066F2B877D5CA5EBEEC2CE956821055BEF29187C47
    SHA-512:1E21B44F85DD65EEB273BA2DB2C2827F87D99B588293ECA5493D4647ECE0C1A968E0CAF2DECD289C32CB068458A7F95F125B4CF687EDA31AB84B568B4AED6E11
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. globalThreshold="On".. autoReload="true".. throwExceptions="false">.... <variable name="appName" value="ScreenBeam Conference Service" />.... <targets async="true">.. <target xsi:type="File".. name="default".. layout="${longdate} - ${level:uppercase=true}: ${message}${onexception:${newline}EXCEPTION\: ${exception:format=ToString}}".. fileName="${specialfolder:LocalApplicationData}\${appName}\Logs\${appName}_${shortdate}.log".. keepFileOpen="false".. archiveFileName="${specialfolder:LocalApplicationData}\${appName}\Logs\${appName}_${shortdate}.{##}.log".. archiveNumbering="Sequence".. archiveEvery="Day".. maxArchiveFiles="30".. />.... <target name="debugger".. xsi:type="Debugger"..
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):877336
    Entropy (8bit):6.063778402266666
    Encrypted:false
    SSDEEP:12288:c9RFbNhtvN5FtwfJH1h1S3sg6U/qxurzEZWgb4s6swKbUsQ:c9RFbNhtvN5FtwfHHUwRL96sw6UsQ
    MD5:E506F81590F693436D0A99C04A2354AD
    SHA1:46E1104FB7FCDC403BB36C4918D17C23DA5F1E47
    SHA-256:3D18F95C07EBBD7CB448418479645E754AB06A1B3E2CEF82EA8542B0E86784F3
    SHA-512:903149D175141CF04F0FBE84B92C5702B6DC0E25058FEE07DB3396759BAC9D9F9B818D3121D44505D80FAE79808AF98EFD1718429DA36E374E7002741CCFA8E7
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with very long lines (385), with CRLF line terminators
    Category:dropped
    Size (bytes):1645140
    Entropy (8bit):4.575621274286417
    Encrypted:false
    SSDEEP:6144:3bDXjSkpsv6ZrgFFG3WeA32lxC78ZaRIHp8TEKcQonqDhIrMBc+6z+beKX:PJe5eyEKT
    MD5:33F4C5EAE89E721F97931787B2CC53ED
    SHA1:A94DF5F3B256C2871D75443777A2EF13F5442D73
    SHA-256:5F67CA9E5B26279BF3E52F4DDDCE531E819633163A82E6811FFCE1725369963F
    SHA-512:CAC58C2E0BB42029F40E4DC16ED8EA02C54B686370D15F75A24894FE82DA61041B61B01A5312974D1BDFAE58FEDD1B452FDBA4DFE2970CACF8D5753BB4F42556
    Malicious:false
    Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>NLog</name>.. </assembly>.. <members>.. <member name="T:JetBrains.Annotations.CanBeNullAttribute">.. <summary>.. Indicates that the value of the marked element could be <c>null</c> sometimes,.. so the check for <c>null</c> is necessary before its usage... </summary>.. <example><code>.. [CanBeNull] object Test() => null;.. .. void UseTest() {.. var p = Test();.. var s = p.ToString(); // Warning: Possible 'System.NullReferenceException'.. }.. </code></example>.. </member>.. <member name="T:JetBrains.Annotations.NotNullAttribute">.. <summary>.. Indicates that the value of the marked element could never be <c>null</c>... </summary>.. <example><code>.. [NotNull] object Foo() {.. return null; // Warning: P
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):55064
    Entropy (8bit):6.501355244769144
    Encrypted:false
    SSDEEP:1536:gIGmGhdsR8PDukDWZYA/tybPzLQIUHJU7QYx+o:ZJSdsMDkeisPoIUHJUMVo
    MD5:D20315B47DC091F589F8C9714F39FEF8
    SHA1:4FBD838CD623829DD1ACD4152943C24F1065D220
    SHA-256:8C79D35FBE0B38B92CEF1EEA048263DC7DCF168569829ADD063E50D3F8491964
    SHA-512:63E4E1F9F3D037C1894033ADB0047589977C9E6A7DBD9DA0CA68F0F550DF8766761932164394E0E9DA26C4D54B06843D56DA2455060E388DF9BEAC549EB9445B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*75 bytes
    Category:dropped
    Size (bytes):38400
    Entropy (8bit):3.0989320881772695
    Encrypted:false
    SSDEEP:384:CiFyFr8oKKFDulNsBtd7q0dh8oKHFDuw02:CiFyFr8oKgDuLsg038oKlDuw0
    MD5:CC198790FFCD01466AAD8FFF352FA1F6
    SHA1:475893D85B36D36F245DAF1529FF2C7B78681F0A
    SHA-256:B170681CD9C652B55CF570D2F3138E6C40D9365F227875EE13F2F57635DBC873
    SHA-512:81E59420B4CE2E0A21759309B7748BA27C7FB6E8B311408C56DA19F1D014B30B75B7C6FD7F671709C040852F07109649B09CC53B00B1116B995469E1467C6EBB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):70424
    Entropy (8bit):6.380411694629763
    Encrypted:false
    SSDEEP:1536:RiNhOcrluXSQBU44IzpKH/TP8y5fpUxWTwX7Q+fHxF:GOMlu42KfD3/UxZXM+fz
    MD5:F25D90A63A82BD80FB591F7F55301577
    SHA1:28BCBC0D211A6A521FA0BEA3A234BFCC3FAA8CF7
    SHA-256:C8D6A41C32B3FD3DA334D76F1EF499160C66AE1CD579AEEBBF0A0BC8A300F408
    SHA-512:369C6BCFEC6232B84F72307BE2752636C51F58339BE56EA4C01F5C44F9F2931AEEC870312AFDE6725DB2BB3FE4C8F0C2FA1EC20743A06A959D8BD0C67BD61C84
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):20025
    Entropy (8bit):4.982975960150322
    Encrypted:false
    SSDEEP:96:hr4ojlKyuWEH+3HGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSL:hr4oB53mPUDCTHffI3
    MD5:51761DEEA245E324DC8A3BD88B37C929
    SHA1:70BEB9E6155395D90A96366BE1BA4B3FF49562A5
    SHA-256:5B1A1ED1F20C95E0C5AE12DECAD909256F1247285290848F95D4425D4ACA317D
    SHA-512:5F1EF64B9D8935DDB838AE9EC0A2CB6C5908B21A395135621DD7D0E82F02C6B6D0830F46B5073F92A6C59B67B0F3BCBE580405D00D21EC804D879BF79BBECFBA
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <system.serviceModel>.. <services>.. <service name="SBConference.Service.Service">.. <endpoint address="Service" binding="netTcpBinding" contract="SBConference.Common.IService" />.. <host>.. <baseAddresses>.. <add baseAddress="net.tcp://localhost:16669" />.. </baseAddresses>.. </host>.. </service>.. </services>.. <behaviors>.. <serviceBehaviors>.. <behavior>.. This should be false in production systems -->.. <serviceDebug includeExceptionDetailInFaults="true" />.. </behavior>.. </serviceBehaviors>.. </behaviors>.. <diagnostics>.. <messageLogging logEntireMessage="true".. logMessagesAtTransportLevel="true" />.. </diagnostics>-->.. </system.serviceModel>.. <system.diagnost
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*151 bytes
    Category:dropped
    Size (bytes):77312
    Entropy (8bit):3.511225383983073
    Encrypted:false
    SSDEEP:768:UpPpPuY7RgZ4iTcKsF8z/W7MhhPcuxY7RgZ4iTcKAf:6FEWMhhPc7
    MD5:0519F6F75ED508EB1954F37CC5A40156
    SHA1:44495FC09B946DAECF981EB076E8F1ED4CA66CFD
    SHA-256:D30BA7C19F8F79BABCCD9907D5C55701912F8D8296FD44F9B44E327B126B278D
    SHA-512:B1B57D4A9862EF62991A31E58E4ADAD9505EDD5EE1EFBA3F3EDAA4BFA05B9621C0B83A033671A5AF4AD60CB732E50F4D5CCDCA6CE640ECB607ABBCF27F9B6410
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.817141020498317
    Encrypted:false
    SSDEEP:384:cDNxWQFWAIYiQ3VAiAM+o/8E9VF0NywbN:cDNVSYiQGiAMxkEs
    MD5:7C5E8A96E1D8C399056C5C6919BA1E9C
    SHA1:92D49950251AE84009C3F089542633F3CB1D2C70
    SHA-256:80F559E809E256C5F44139276E7A880106F5A3FAB037D88995A017D2740CB43F
    SHA-512:1813C280F81279A8EDE56ACA77E505BFEC29489C254BD3EE907DB5F937288D7DABC2B55BE9CCCFF559A213DDF0D531D9FBAFA46958A4DB173B847D991CB4BA8C
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.918923727486823
    Encrypted:false
    SSDEEP:384:im2igOWnW8rWeIYiQ3eRAM+o/8E9VF0NyOBw:KtSYiQSAMxkEiw
    MD5:E839A59A49DF385DFB796344C5FBD15A
    SHA1:DED82C632D54915F55BA764FE7789C582C56C051
    SHA-256:8EE672C0D967E8F180D1497CBA3EFDD540214C9B3D75F552E51DF23F06DA22EB
    SHA-512:4089B7CC63D9935BD39F465933B4093909A70E1D8C326F8592CDC2EDAC50FB490E16828824A5C0598CBDBB2E4AB87823F263505B9D2355DA6434A0D712DF70BC
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.907605989300285
    Encrypted:false
    SSDEEP:384:Znapn1iwwPWcGW3IYiQ3IsAM+o/8E9VF0Ny2Q0iy:QDugYiQnAMxkErdy
    MD5:0732792FE287020CC49F1395CB04E878
    SHA1:9FFD76FB5209652CABC998AEE91D1A24DECD21FF
    SHA-256:F93EC94B68498B6B7A42ACE17EEA7BB334B46930C4B83107DAD538386EBEA62D
    SHA-512:B68EC9F2A8CEA12B67E89DF249D129ACE08017B30C332BE50362FAA8ADD4830C037928129442FB0EE3506D2ADE402CBB5CAEDD2951215F507511A9EDD1334819
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.912813895713084
    Encrypted:false
    SSDEEP:384:fHLaEav5aaUa6arWVLWtIYiQ321AM+o/8E9VF0Nyg4k:uPv5t/NO7YiQeAMxkEpk
    MD5:F0194F9802C0D5A9261D05C2FBE3BDF6
    SHA1:929689C0A20EB5912D4F1477BACF88B6CA7B8228
    SHA-256:5EBA1513C84813DD7ED49AAE8825AF3A0DD5C75D0C622D4C118D8D4F94A6AC9F
    SHA-512:53ED1E96D7C09FB03F1140DD3059591DC84DA5729F7105E113FF9A7CE99B36C1AAD94CFB8423CCC5269B779C752D39A55F7B3B7E421F5ED124164E052B436494
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.773444094349858
    Encrypted:false
    SSDEEP:384:x6iIJq56dOuWSKeWfIYiQ37twAM+o/8E9VF0NyvqnuG:fiAgYiQrqAMxkEUuG
    MD5:2DEC7724AC5397D2922B3CF998CC3341
    SHA1:AA0B7CE76F619B4FFCBEE3B1693D788FD7C3ADF5
    SHA-256:A33A6E62813E4D311953CE436B4B6CEDFE3C2AA59778B4D741D6D8414BC3408E
    SHA-512:C0E1187F5491908985FEBA38833D1EB7FAAF0F138BE1A82FD020B0066F2512300D32EADFD883CAC9A757628F61883D203E3A75C25AE6AFAC59A795845FB8BBA7
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.824017053252464
    Encrypted:false
    SSDEEP:384:4nzz+MpSaLWW0+WnIYiQ3op3CAM+o/8E9VF0NyBqM:2puoYiQKyAMxkEu
    MD5:765BD0AFDE95A8F28FDC727B8E967691
    SHA1:FDEA92C571C212AE833E7FAB444DF19F5D87A641
    SHA-256:125BBA13D8FB63515EF7A6949A80D09B53C9DBC1F06092BA2FA2A0BD0B9E58FE
    SHA-512:48A4C3568D1780629EE53C5F3210A2F1D2DAF9FE22C2E1839513C7A7F6395CBCFF57705CE815474DFDB25790BA139D9B31F9981A1AF86B17792B3A592D1E70D4
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.8700515736218755
    Encrypted:false
    SSDEEP:384:/Ghr+YUfyHxsW/HWqIYiQ3QNuAM+o/8E9VF0Ny/T:skmyYiQdAMxkEB
    MD5:417DF377B2EEADAAEC30DFA4651BDDAC
    SHA1:0125E265A67F8B6AAB979D8E5D2FD29DE9AEF05A
    SHA-256:3B6C2261A44FBFC71900B3456C48221B5904B72199F930FE8F73293D6867648C
    SHA-512:A0B4DB48B8107645C838DB046F2D138662B1E2EB00ED88E986AA5922A17BD042C31E7AC59816572008DB1EEA305EF2D2314475B532EC0E15DC22DDD71CFCD8C3
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):17176
    Entropy (8bit):6.803104458042295
    Encrypted:false
    SSDEEP:384:qRE+ruiA5vzWeNWLIYiQ3OLYXAM+o/8E9VF0Ny8KJ5:qS9b7YiQWYXAMxkEf5
    MD5:FB7603EC5E40664C829CEDB0BA412728
    SHA1:5F8C0051AADA7AA84F47A54A55A1E7BF2FF28A18
    SHA-256:BEC97C8C0DE132BECD9807412FA16F2FAB6DBEA3B9F0D586F3948140967776FC
    SHA-512:89E2B7BBCFCE96EFA7021E247825B005B52203A329748A0C17674648B6B4359FC66EF568A64DACAA8103F78B8CCD3F22E8E4443ACDB63A03B9A7026318543C3E
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.8579757222430295
    Encrypted:false
    SSDEEP:384:9T+6ywnVvW0LWsIYiQ3fHHFAM+o/8E9VF0Nyc9E:999QYiQ/HFAMxkEE
    MD5:DC304387B1B2C5FB1083606683B49FC1
    SHA1:D75D40EA19428357B977C6C5D14F3569207D15B0
    SHA-256:E7B0CB67F7F0FA1CFD480CAB8C81D45C8EEE1B0B22474DB8F77B14E1CC1D6BC9
    SHA-512:6241375641CE2C277DC3630C2101B14AC724C715086B5FD61F4AAD4AF50E6F9F922B3BE58C0E71D89CC99B68BD8B12AD1AA662DC721D4211D352F5A6CB1EA8EA
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.8549798193172755
    Encrypted:false
    SSDEEP:384:0RbzriaXT+WlEW8IYiQ3sAZ9EAM+o/8E9VF0Nyt:S7ic3YiQpHEAMxkE
    MD5:7668B277BA8F9A735710920741CFC2FC
    SHA1:E133FAA7FCB40AF1962FAE5D81C60C2CFE603CDD
    SHA-256:C114413901533982BE365D7833D20C1CDAAF4108272709154030828C927D9A59
    SHA-512:5F400DA8F215B2FB0FC113C85AD62B21BC37B6284346725E5D67CBEFDB90E454AE6E22738EC7BEA03FF7F1985CA02D3D5DC202F5DB32E165AF4335FED829C86B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):148760
    Entropy (8bit):5.423379107592595
    Encrypted:false
    SSDEEP:3072:ZdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+SM:/+2jv1x0ebezWiu
    MD5:B774350DEE7053B09E61811B616CC8F8
    SHA1:064D9EFDE6EE8BCBF5EAFF54AF0BD9CD3936D56C
    SHA-256:9C765650AD12C1EBA7FBC521937C05DBB8AB38BAF8D6A9B16A1FDA4D3DA1541F
    SHA-512:86A6FF1F7D97DB67EBD7AE85B293893688F023050C908C626DFBD2E7EAD2FD01C75CFC7CC88F0E2264E2A830C920FCAEAF4295F2C11B1B7FFD1EACBCC35819C8
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.824277342287907
    Encrypted:false
    SSDEEP:384:lRtRWjYW1IYiQ3Ha1AM+o/8E9VF0Ny2La9:ticYiQK1AMxkEz9
    MD5:A1C59006B15B8AF3DC783822AF38F636
    SHA1:DEE76C31254C164D71A96827876C6B693A4F18C5
    SHA-256:C8C242C9931A628CA2B42A37282E8A6326FF3CE005FAE36D266AE4C9E61CA86D
    SHA-512:1C7C9B39D5F44E3CDB203263268D1E99793903BD9CF981805F0B8BB684966DF92D47210A071C77EA77B938C4FD8E7E3CBA6FED55852938DCEFEAC81CDFD3FC5F
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.898691187114516
    Encrypted:false
    SSDEEP:192:mFxrIFWnoW5cIYiYF8uegv7cER+zKZA5K+o/y2sE9jBF0NyNap/:WeWnoWGIYiQ3qeZAM+o/8E9VF0Nyg
    MD5:7DA8166C2FC83E06D41088B3808AB4CC
    SHA1:6BB303EC87576A1AB9AF57BFBCD56BD3626D3F6B
    SHA-256:7E22815581F3CEC1A262DC8CDC470B0A0AA01BFE8D5E13ADF6119707ACE23A76
    SHA-512:77F48E5040E8826CD289D1B132F080A4BE8223740C6A6A91C8C52931259FC8C421AE05BC047C6A405FEA94AA816A09A376D311FDAB527AE3A14D1CF79FFA3B45
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.860288877643923
    Encrypted:false
    SSDEEP:384:o6oWJjWu2IYiQ32pyAM+o/8E9VF0Ny+2cx:o6v7YiQfAMxkEhc
    MD5:F752EBDB357BB50B2A223AD5E73052B5
    SHA1:1FF221A2A744E78DFDA9382CD2B5442B0AF4FC14
    SHA-256:2495CDEA0F3B87A7F76CA1A61A0504721F2AB419F3D5CF040635184A78372D7E
    SHA-512:DBF3A9ACAA36D0805AE578365B29C70A580A46BEF0638558D4C57417CA9D302A4A7C2DCA038F61093A7A9C4BFCA07BD624A9BA289D8FE579139F66F32FAB3C94
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.786748275175288
    Encrypted:false
    SSDEEP:384:5qk53/hW3fZ+zWmLIYiQ3+cj5aUAM+o/8E9VF0NyAGS:5qk53M60YiQ79zAMxkETS
    MD5:B9AC18B66F005D576D4778058CC2D020
    SHA1:32CB31845D4B1E3EDB08B39F2254817B0C7AEC0D
    SHA-256:1EC667CB838D977434020C13FB9E26B80A0A50A915019093AD08AD7B1E902B8A
    SHA-512:A2B5916DCE0CC1650861A756F6DA7413CDB5C15E5AEB4F459EC66ADBBD248BA5E456EE0F9D33833F9C3CD7745D4E5295747DAF71ABEF91F9BC3982448522C5EE
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):18200
    Entropy (8bit):6.675579031841556
    Encrypted:false
    SSDEEP:384:WFCc4Y4OJWfOWqWWOWyIYiQ37PMAM+o/8E9VF0NyJlO:2CcyCPYiQDMAMxkExO
    MD5:1B209052EE57F9D0815B30C0DDD277E8
    SHA1:406BE8D26785FEFDC85EB9A2EDC2587084258362
    SHA-256:724DA98635D0C67381F5A73EE5397DD85A99AF401EE919007CF6E61A11359A96
    SHA-512:DAF3CA7B370E8DE6D1B4EB8127FDE2E0EB0DBC8502319A38379D6B71407D676D3FB9BDC31A338C8B054711AB00363C10E28A1808CB3FD9D4063874415CF55ACE
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.883785363086076
    Encrypted:false
    SSDEEP:384:1AWxMWiIYiQ3ofH5AM+o/8E9VF0Ny6t8z:1vFYiQA5AMxkEY
    MD5:4AD8DBBCD474CF328598280678AF79A7
    SHA1:6ED5E828794BF22282741C0C6784BC38D86EB02B
    SHA-256:7BC67C20979417FDEF84FE6EB146830C4DE249F0791DB80FBDD1C74F50F20F1A
    SHA-512:36E75EE5CEBCF047D595C8A71333A1F0F94AB99252F4D9FC5EBACCA6FEC27A9ACF2AAF67053743ACF684C3EDC2D9E91F35266C7C935AB06F4D9CB4976A9B2A92
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.863230839688589
    Encrypted:false
    SSDEEP:384:ZAlcWHaWyIYiQ33+uNdAM+o/8E9VF0NyM:29TYiQ+MAMxkE
    MD5:561A96DF74B3E70C3F276BDF7F920CC1
    SHA1:704988DA4A11EE8C715E5BD428C113F4C2026E63
    SHA-256:9EE01A93BC0144CAAB167A1C8723133DF67C5BC7537FB6C7C2CDEEF549676E4A
    SHA-512:C72BEB020A3E5030A05B8089404A02754BF112202AF0AD888E042B6F52C328F15EA8209650DF1669913F9EF2B8F92C1C73085C6D6DC30966EF933478894960D2
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.788601693717354
    Encrypted:false
    SSDEEP:384:bBIZnWlNWGIYiQ35SL5AM+o/8E9VF0NyW9:9UyAYiQE5AMxkE
    MD5:A2AEC7A239A4AE78E230E3E5967B37CA
    SHA1:DEB9E54FA65F71E757BC6997046853B13D4B3B8D
    SHA-256:AC50A1D6F517CDAC3372B341EB8373E3AAE3B6C0989A1F9E563D4EB4AD33C2B4
    SHA-512:C0EF46E83C47F8670863D808829AC34CF8AD7B72FDEA16DAC9A422FD5BFBD47F9B77288642D995EC9D0133FB799605ADAAC026B20D35860127D51A2B9B40E0CD
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):25880
    Entropy (8bit):6.505388999717045
    Encrypted:false
    SSDEEP:384:IlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZIYiQ3g4AM+A:GQq33333333kX+TBi8lYiQ9AMxkEt
    MD5:4C46872789486A350542F18BBC420091
    SHA1:0E5EDA6630B80DA82E7B057795236A7F35BD3CE4
    SHA-256:AF03E9596FFD0A230E953F6427D6EEA7C82408AE614F878B76A48F4BBE01A2BE
    SHA-512:932DB5A0D70A99C9EFA2759E7FBE7547D10CF16F31BD2E2F8FDCB01C86F03EB57BFD0B40CBE02F32349A83D16C4B838816C0B113FD56288A8051C651E14381E6
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.856195980794726
    Encrypted:false
    SSDEEP:384:l28YFlXulWY/WFIYiQ3BHeDkfAM+o/8E9VF0NyA8b:l0qrYiQx+DkfAMxkE9
    MD5:3A59C935FFEFCDE3D269348C82487F6F
    SHA1:1D37E12218486189F49796F33AFD8FAE83862757
    SHA-256:C3A0464363F6386FB3EB71346B7AB5A0BFB6B67C91BAE5765F0A64652965EB23
    SHA-512:C5D441F40C4850E699E196CCEF84FC8EAAAE21C084ACBAD347EB4C0A75D11004C1B47DC2C4C311D963B88AAB10238473971AF13BE72B9B30C852143EBC830A6B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16664
    Entropy (8bit):6.739895486308657
    Encrypted:false
    SSDEEP:384:JuMLcdQ5MW9MW+IYiQ3Dz7jGegzAM+o/8E9VF0Nyr3w:gOcSphYiQDjqzAMxkEO
    MD5:91F19C48BDAA67555760A60D71CDE149
    SHA1:54FECDD084A1D9F6A67F36157D1855F6552A4885
    SHA-256:271CA9B5160286C98E947A1BFA579B88EB0A3A59ADDF4AEC04FCC0557A172481
    SHA-512:F9B2F635234825AF82B489C0DDA1DE4E31CA510BE524E7ADEE980D7CF95B38BFF03B187BB3EE60CE9AE0004589587E75A48CD83954F4E6D260E3550D2DA5EBA0
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.821695739809255
    Encrypted:false
    SSDEEP:384:mZ7RqXWDRqlRqj0RqFWGIYiQ3AohAM+o/8E9VF0NyOtY:W9qKqjqjuq4YiQ3hAMxkE
    MD5:4C05DB269166DE4E07FE89DF4069A41B
    SHA1:275E9907D7C12E40EF55BD256193B3A6AB0133D8
    SHA-256:565A2B232B843404020E596286CC25C2144557A8494CCBB15E3775AEDA8B5D5B
    SHA-512:4A0405714F98ACBD85900D009334A0B25B83CF6359DCF9939D4A71452A1405F3B6AA8F9E19DBBCCC93088731B94EB79D28B1DE984FF9CE17CDC8524DB327E64C
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):20248
    Entropy (8bit):6.638934592798613
    Encrypted:false
    SSDEEP:384:CNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W3IYiQ3mZAM+o/8E9VF0Nye:CvMhF2SzNzwu/NljuvYiQGAMxkE
    MD5:678CD121A9E72AC183BFA80CB33E5B16
    SHA1:173ACB1FA52FF637208AC9F1CA2184F46E00F375
    SHA-256:B8666CE0384D55C1038170425803F3714739333EAB520DB6A726D43CF2D90819
    SHA-512:249BEB1B01ED03734709C080D4489828553999EAF6B69166D0F4770E436AD27ACC9FCB599E1E6B6BCFDA542F01909B5A65804B611279EFE24EB875EF9C690B18
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.9070331955416115
    Encrypted:false
    SSDEEP:384:aZ4RLWdRfRJ0RZWlIYiQ3zAAM+o/8E9VF0Ny5ey:aZK0pJuhYiQcAMxkE/
    MD5:E8F3FDA75D022DD6A89FAA367A0A09D9
    SHA1:6E2244713F3D49AA3025E69A9D0310611C4E1BD1
    SHA-256:918C9303C202DE6CD1224F16ACE2AA7FF28DDABAC1579537678BC998C06E4121
    SHA-512:814576A9C4442E75329F2C32A3D8634BA107CBEC88FA0B3E2BD94F995A02CC1E965E4F1FCEA0D21A55AA2EB988AF5AC522A0907A036E5170F51C7C543EA954CF
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.804522102822631
    Encrypted:false
    SSDEEP:192:QFx+WTIEfW5MIYiYF8uegv7cERaDweIiA5K+o/y2sE9jBF0Nyya4R:gYWsmWCIYiQ3WseIiAM+o/8E9VF0NyV+
    MD5:24B638A1F2375EAEF648A148D1CB106D
    SHA1:6FFC9EAD48125E357A898CAC476DF77C434A8768
    SHA-256:1EC52F00DB558424DD511895C49E949F30A9DD24AF4F89909519F52D00174D15
    SHA-512:B7C91D60433517543C97E0A1052EC3B06760EE05A2689E74AF0102086CCA4FC177283976A636928B05D7B63237A8A764F629EE48428E93173511E2373356A957
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):105240
    Entropy (8bit):6.386435217815438
    Encrypted:false
    SSDEEP:1536:Yvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXQ7QUx:ggk1tiLMYiDFvxqrWDWNoJXQM
    MD5:710FECC2D1F0A2BFD1EA1BC2FDE3D66D
    SHA1:04D9D2FFC4DD2714CC53AFD5E0EABA881698B168
    SHA-256:287D5CF9BC4F25AC534825BCF3369B869B8DCD7A4789A4EF6F83503905BD8913
    SHA-512:7FFE2B12981521E4E65FB4DCCAA39F18DB09D94F80D8DE6FFC09C2585AA0581F6030C0713396BADAD8AD6FB7DD46DE11F6095FED9DE6B81F25AE511F5AC816B7
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.863946227052733
    Encrypted:false
    SSDEEP:384:SKcuz1W1cWdIYiQ31+pNAM+o/8E9VF0NyEIl8:Ou8gYiQ4AMxkER8
    MD5:20C6E7E2AA3EFCB1C22282EE742B4F51
    SHA1:E2929262FCD90EDC25C99AEA404C7CF15DBE8922
    SHA-256:150E410D560C2FDCAC2B5E16B62C161F3356E5CBD54FC4E184531CFCFE609B8E
    SHA-512:6C0FD529D42236B26CB2F8169C8434A863780C604A84E44CDD585C3D3BB88BD572A963A3AB08AEB239F89BDAB25D4E9585DF9EA26A27015EB84F706C755C46AB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.869285977422021
    Encrypted:false
    SSDEEP:384:o+SWikWvIYiQ3hRCAM+o/8E9VF0NyH0P:o+eCYiQyAMxkE
    MD5:CF32FEF8A1696AF513913564DB9EC1B6
    SHA1:CD327F404662B42870B31A73780C638EFA5B93DE
    SHA-256:AE9E7F83A8A7D32267F05B9B64D7A853B414EB96D1F9FF8B542627F78B9DB575
    SHA-512:7A01F6CC65954592454981E89863565DD781F8280DF9CD9CC46047F61897C0E060DCCE81A5A839C7A028E20EC3E72B72BC4C8738094727509A0EECC131F7C198
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.915185025115771
    Encrypted:false
    SSDEEP:384:bAWzgWTJIYiQ3aMy5YAM+o/8E9VF0Nyh+:btUYiQVyOAMxkEG
    MD5:30DFE01B43B0FEE6974897A8B25A7696
    SHA1:24E1DC6E973297E28D922B0B1CC9DE768D04EFDB
    SHA-256:F2C5EDD8E07AE9C4628D74FDCCF0B512D188D24A35DD3284B1E45A0EEF34EA81
    SHA-512:20AA72C1811D9E77C480E54446F8D80FABCC81ED505725C6B4DFC54F39A2F6D13F5BF8F36D1F12FC8D2C290381494FEE6B9A7F9966747DA1B29634B7699EF55B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.872792541457582
    Encrypted:false
    SSDEEP:384:wBLRWbYWAIYiQ34GodaAM+o/8E9VF0Nydd4:wB2TYiQtUaAMxkEp4
    MD5:C34A729F30FD81AF2429B32678D6B45D
    SHA1:CBECAAB294B6656E8C4AB7925AF5015A072741AD
    SHA-256:B47CE57F29EAB2947F25336BC7969644F88DAFB7EA3BFFD644C764D372747E76
    SHA-512:022BB0E8EDEA9CDB3DA4CCD70D34987270FF7DA5A43B786A4AE804D5E24ED647EBE71E96CFC91AC27FA0306CCFB30CFE664011AA8915B9B29E11D3810E035CE3
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.8588810504829745
    Encrypted:false
    SSDEEP:384:jHW4/WXAIYiQ3CegAM+o/8E9VF0Nyve43:jrCJYiQAAMxkEg43
    MD5:2A260614C9840A748BB45B498C379B14
    SHA1:6462CE4FE04F3F33376D39580E28956FD3EC36D9
    SHA-256:1F5D6BF33044AA0C998E9568EF2E426B9776D61FC21718FE675513F73FE38783
    SHA-512:53F4A079D2BFD5E5DBE7674422C492A39275AE46D7CD3096684FC67CDC2FA4155B7CB0722CA1765490837FACF5599821EBDB8FF12D8FEEF115829F372EF8CC8B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.916827361126043
    Encrypted:false
    SSDEEP:384:8vk7hWmCWJIYiQ3v5LyAM+o/8E9VF0NywI:8s7/yYiQRGAMxkE1
    MD5:0947A58B20E8C539D22498CC6DC0F11C
    SHA1:3FE02137BEE4518FEBF762BA0F2E6C90048C7FA9
    SHA-256:05161D9DD77DB4BDD1F49ECD9173E42877CDA9234552ED5A181CCF1E3AD69C2A
    SHA-512:054E59DEDEBC2BB8B0F555FEC2F134C80ED72E291E1BBBD4DB60CE25A1F2A0877F1BC9951E9471E744967E3E1E2EAF5BC16627BBFC24843FC824228A0391226D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.881619838964702
    Encrypted:false
    SSDEEP:384:4GMWCUWvIYiQ3XUAM+o/8E9VF0Nyc+Qum:43qYiQUAMxkEfm
    MD5:0D9CF4EAC2A299D925AE8E5A41959977
    SHA1:81D0ECC0C117E7D42A4808F49151BA7BFF42FA4F
    SHA-256:718C29D50D8717CFA6DEE3498F2B6879D99757DF5D651C0C236654E0CCF0AD2D
    SHA-512:083B1ED260ECED9B3C03743280F2304D122180A222A48E38D75339FBD9C497A21C4A759E763DCDF56AA82B477593C3FF9D0440837EA428666D81E29C7FF52634
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.8628262549909484
    Encrypted:false
    SSDEEP:384:vBhwI7WSQWrIYiQ3aUAM+o/8E9VF0NydhL:vDwIByYiQDAMxkERL
    MD5:D766CF0B5F587CDA8688C2C99915B6F0
    SHA1:2960CCC8B2ACF762192C85F8ACFE8AB08F98AA78
    SHA-256:2903478CB4A1AEFA255AF23B213CBF1F44A2E94AAA1667AE90A1CFC17D3D86D7
    SHA-512:47FC64B4F1F2747CAEFBE585FAC08C3904DA656FAC525359B25F00845F55653A27C6F7CE80EDA9968A93FCEE171AF23CAC416CB267136223B4F736F6827827A7
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.877418556667255
    Encrypted:false
    SSDEEP:192:RNc/vlxK6FW4lW5KIYiYF8uegv7cERyjmA5K+o/y2sE9jBF0Nyoaz:byvPRW4lWgIYiQ3eiAM+o/8E9VF0Nyb
    MD5:DF52425FBB2307F1A2094ED91C9C666B
    SHA1:47FCEF74062D1C5740E71386DBA8998384D434B0
    SHA-256:5B427871B93AF85DCFE1F16A98EF2C1A26AD55ED8888ACD62D1D2F1620C8EAE8
    SHA-512:33925CACA2DB14F252CF0CD055FC443A86FE6075060FB2D2A5EDA6DF673FF97285E364028646D8A40846960ABF58B19F3DEC334DFCE2694227EEEC9954DF8EF3
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16664
    Entropy (8bit):6.828213951957553
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.8651308196965495
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.864242045441766
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.824297327959881
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):192792
    Entropy (8bit):6.116830973908073
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.845922313594643
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16664
    Entropy (8bit):6.802175620280724
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.839347435448581
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16664
    Entropy (8bit):6.756533299663023
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.880976189933418
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.798347641604623
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):24856
    Entropy (8bit):6.603071490915545
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.8621300257052065
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.862964862969334
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.872635256695441
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.856900111396571
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.863646416666424
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.797088116693476
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16664
    Entropy (8bit):6.733365626299542
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.838221699667086
    Encrypted:false
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.892145206644255
    Encrypted:false
    SSDEEP:384:5KkHKW/tWtIYiQ3N7fuGqAM+o/8E9VF0NyOGs:cuZYiQ9GFAMxkE3s
    MD5:EB4CA3FDD0AA1D979C342AD3FAA74324
    SHA1:EF7E0ABC5AA4302D69246E1E1F7BE66DE2A39A93
    SHA-256:A552272C04050B265CF66EE4D07E89C05A60578680E0C440221186E49711023E
    SHA-512:F9676E2B77A1FD5D6205C38E60E755902D4DA39B82F355B61B0198E01ADCFCB5D28A778425F08206B88DF341EFB8E3699C1C82329A75CAC0FD3C0A1127C618EF
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.83854504015392
    Encrypted:false
    SSDEEP:384:+LnfIWqrWpIYiQ3pvwbAM+o/8E9VF0Ny3:+Df4PYiQcAMxkE
    MD5:A93AEAAAF0B077DDB0C4853F6FE3F65E
    SHA1:829C5AEF007A08D82D5C87EC3139CE7B1EA0DB0C
    SHA-256:B1AFFDD643C13BC53E7C0DB6AFB44C0022FC70DBCA39BD74E2A1B7CA965308AB
    SHA-512:D3FB12B6F698D64A90A92918C7ADB79E911CD57BDD74F7ADB15B3D38B867018DFE339E6C1DD963C16C5EC10C2505BFAD4A669398772A2B3FAA0C8C6412ACF390
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.822381771215944
    Encrypted:false
    SSDEEP:384:Pna8WK1WrIYiQ3pG4iAM+o/8E9VF0NyA+:Pna0/YiQqAMxkEF
    MD5:38A7200B8107240505535F60CD40CFB9
    SHA1:FFFA6EF632766200F694D624EA9DB3F0D1ADAD79
    SHA-256:9321731005AB6AF108639F7EC4DE87760C774C51D8EB3E6B01B3D6CAF5C3BF12
    SHA-512:389DB3B695222084DA25FFB15A64E91896710836BFEAEDAE207C8490683F7C8B1DD88F0552E2CFA88054A6C86D4934709041F78DF1FD418EAB4F41DF5ECB0816
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.775481972217584
    Encrypted:false
    SSDEEP:384:GBSWITW4IYiQ3NxMqL7AM+o/8E9VF0NyIe:G6AYiQDMqXAMxkEn
    MD5:29D19B34398A9150553170B0ACB89B6B
    SHA1:B961DCC47B68DC081912FAE7CD3E20EDFABF9461
    SHA-256:5C4DA7D2170B54AB039505F923A945B35163972CDA8547A05DDA82E2DA8F4D2C
    SHA-512:0F2B6322ABB3BCBEFD136F6E1969657A97717DC4EB2D1E7308C8D61CA4ADF557267CCE73C2FEB18A91309369BD104B161BCB35CF276333AF940312352866F2DC
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.884779438808251
    Encrypted:false
    SSDEEP:384:588cIIWNoWNIYiQ31q4AM+o/8E9VF0NywAXT:59cUkYiQ04AMxkE
    MD5:139E0E0329EBCFAD6D946870DDF828B0
    SHA1:5F7EAC24A3027FE3BF722CBF6696C8D8F259CE2E
    SHA-256:EBACEEB391615DD3C97F2478B358EB37633AE9A1D5CFD9FD0E2075D2C557BF5A
    SHA-512:8353D64B886F7B581F71AC6ECC04BA5C493CD665D274ACD9F873F558726F923DD579A368D31C349B21EC0AF9AE4EF9A77EC2D8C5FCE5DA0AD748CBDC640259FF
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):22808
    Entropy (8bit):6.626813269603682
    Encrypted:false
    SSDEEP:384:CkUwx9rm5go1fWKmmW4oqN5dWjaW+IYiQ3m+jUAM+o/8E9VF0NyD1:5rmoFmWXXPYiQtUAMxkE7
    MD5:7399C196484BB42D2293D9511FB83EBD
    SHA1:86821A3C6857A3CF7713E39D9A2339C820161FBF
    SHA-256:3E82840D4631C4FE126C8B1FDA521AEB08AB9F57B92F5A152312567EF93C43D7
    SHA-512:D6B1B1361BC060A5F3F4A60CFE27F594FB59D49CEBFAE26835E2BC235E35F5252AAC0CDFA5DF72522B71CD7C09229A45C28D311D11BCBA960456DDBC21E7A5BB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):18712
    Entropy (8bit):6.686350516754278
    Encrypted:false
    SSDEEP:384:909bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsm:cOAghbsDCyVnVc3p/i2fBVlAO/BRU+po
    MD5:57DAA60185D2929904276C2DABD4BB7A
    SHA1:C6D899A699F401F2EAFF2CEB4D35DE320FAC2C66
    SHA-256:580D327EFF85FFC937F23E0F05B5BB75FC84613AE1C2AF6F139E6B665DED9D80
    SHA-512:6678DE7F6381819547FBABB5F6556D62756D6C62EE72ECFD1C09D4357DA4ABAF8127AC774430802A20A4C1079D311986570DD91CD5C0652B75F61CBA7E4261D8
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.845945039417271
    Encrypted:false
    SSDEEP:192:cfYx4AW6RW54IYiYF8uegv7cERzqJA5K+o/y2sE9jBF0NyoaSQn:R7W6RWuIYiQ33qJAM+o/8E9VF0Nyb
    MD5:907DC9240E8E74D5B0303AFE8D979A96
    SHA1:0F994816E683C445B7EC40D4E8A9AC609F44A0E4
    SHA-256:829D4EC653550BFE5EFDDFBA796D0E0B50FCEB25BC5EC2743635D68049463441
    SHA-512:F81011DF4D82D8C537C2417578A88FD270A05F834C39DBC069840D625343CB6804AEA0EF7FD38AA55DE4FA436B0243D95F5B17521FE3C458326AC5F699C1A8BA
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.93120788488163
    Encrypted:false
    SSDEEP:384:nI5HeWFwTBsWiIYiQ3sOmAM+o/8E9VF0NyfRWb3:nI5HFwTBpYiQjmAMxkE6b3
    MD5:6C0C9AD5C5C2556D94D2DA55168F8843
    SHA1:9B49B61991DAD3CCBCDFE8C246A7C7DF2192F7A6
    SHA-256:2A69E1CE062B3A3F96F679F786A261FD96D6CDD40A4ABD6712221AF83F803736
    SHA-512:CDF5A0C132135748D28C690530F47688D8A45965AF33EBB9783CD531D64920848A2AC5E3FEF6B120AA3AC2B42A4AAF3BFF73DBBF4C618631D2C88F31BEA2EB74
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.896705023659106
    Encrypted:false
    SSDEEP:384:tAJpVWbfkBnWkIYiQ3StPAM+o/8E9VF0NygZ:tAJpWfkBQYiQkAMxkEM
    MD5:20E5B36B7597B6B0957948F432BC19F2
    SHA1:E66D79E00180612D316F4B16DA839FA37DEC7BF6
    SHA-256:AC5C5C1F54AC7A1BB83EFA61204655C6A99B0C946CB0FDD1286FA6DB995F41E3
    SHA-512:BC4DEA24EE2F32BAF04EABEDB9DBBFCDB201270E2A6F9D3538F45806BD2C9597E249A1328EDFE5CFBAC008C08D785517EFEE99C8328203FF766C56D79CD9ACEA
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):21272
    Entropy (8bit):6.554702025168383
    Encrypted:false
    SSDEEP:384:n8R71h7yzt94dHWFgQBVWeHWFyTBVWMIYiQ3tNEiAM+o/8E9VF0Nyplhd:S1dyAqgQBfqyTBCYiQduiAMxkE
    MD5:0036CF9579692B46979F294AC612E2A4
    SHA1:78E10475AA087A0809140E37B9045A911AD74B5A
    SHA-256:881CFCED582D4A655D41F41C5AB02C918A88A7D7F1CD49E28BBC89803469FCF5
    SHA-512:75F9EEB3584003209A2DC29523559FC4EF47B3D8AA9FE7619A692E3DDB97549923A843519037FAD37E13A4E34CF6BC1BE00D9BA49A014418C6F85119075D662A
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):19224
    Entropy (8bit):6.695038677643829
    Encrypted:false
    SSDEEP:384:CpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWKIYiQ3QotAM+o/8E9VF0NyIA3:IsPMQMI8COYyi4oBNw4tBHYiQjAMxkEz
    MD5:0B909175531E1EC4AB06AEBEEFEEB1CB
    SHA1:D2B869CC87F118740C3E8E552B4542AEB42F0A09
    SHA-256:17EC8C2A3614CD5D206B3D80E4FD9108DAFCC37E0A7CFB4B1548EA3561918C32
    SHA-512:3530176D542D75990C7DF4DFC7B99FE149B034FB7577C04F730822B615BE517C9031E4B3959A1C451CBDE883551F04984826BB63D875A4B570906E954167399F
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):22808
    Entropy (8bit):6.595547825764017
    Encrypted:false
    SSDEEP:384:sB9g5l+A3VVdCRdtOfd7TCUBQ4BX8JZa6Si5HsOgrE2WGCWcIYiQ3k4ERhAM+o/y:49g5HVVX12fsOgrE+ZYiQdEjAMxkE
    MD5:6B79466B136F6EB6583F8803F0E1BD30
    SHA1:846C267C3EB1338553EE89F77411E548CAFC992D
    SHA-256:BAABD83766922EC082EBD2F44DD2B9226928F6C602B9E6C986FCC71C5CEBF75E
    SHA-512:67E4609AE86AAE8BFF328B51FD1A5AF10DC3AD72307CA788C2ECFAA4C5E217E2884236E331BBB6818D6C55DA21F3986CF521B3E3579DCE8B5F522AFF4075B823
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (541), with CRLF line terminators
    Category:dropped
    Size (bytes):76981
    Entropy (8bit):4.819464476297391
    Encrypted:false
    SSDEEP:384:YNa7Vx5ughg2y1eEics/2cLtU+61hYg45bmZiNjcAjdKvj59znKSe5+YjTjljcKZ:YHeEUZtgsccITKSFYjxcKSskiKS1
    MD5:3A4E05CD88971CC7988F3179977192CA
    SHA1:C0F796775FB852E6F9F75AB70846EE49619D9988
    SHA-256:576D49F78CEDFC37A7F7452EA7519EBF690642EBB87D01AC777605FFDBC648B0
    SHA-512:4E649FE654160B8D2595927CB215F078E1D97EE5B1D366D0651743E143DD990867FFB3E6C69AC19AFEF0D75C9B8B28E36977AAA4D64C5FFD24B0037B04828479
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8"?>..<doc>.. <assembly>.. <name>System.Runtime.WindowsRuntime</name>.. </assembly>.. <members>.. <member name="T:System.WindowsRuntimeSystemExtensions">.. <summary>Provides extension methods for converting between tasks and Windows Runtime asynchronous actions and operations. </summary>.. </member>.. <member name="M:System.WindowsRuntimeSystemExtensions.AsAsyncAction(System.Threading.Tasks.Task)">.. <summary>Returns a Windows Runtime asynchronous action that represents a started task. </summary>.. <returns>A Windows.Foundation.IAsyncAction instance that represents the started task. </returns>.. <param name="source">The started task. </param>.. <exception cref="T:System.ArgumentNullException">.. <paramref name="source" /> is null. </exception>.. <exception cref="T:System.InvalidOperationException">.. <paramref name="source" /> is an unstarted task. </exception>.. </member>.. <member na
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):23832
    Entropy (8bit):6.33329085102848
    Encrypted:false
    SSDEEP:384:GbhigwLAuZtM66g/Id7WVXWJIYiQ3RDAM+o/8E9VF0Ny6Yo:GbhzkKsnYiQdAMxkEE7
    MD5:5D2DEDC7322AC22365380695F07F5421
    SHA1:FD800539377FFA2A04AC2CF7AD206CB20B999F4B
    SHA-256:91BF0D70577068585ED271C32282F99EFC2AA02963747A94A50B82832D097C20
    SHA-512:68AF03FF21805C7999B5B0F676113E570653DD210C92A9041897E02E33BEFFA34F33359AA987648BF9F5796979B10A1095721F014DEC33A6B10F96CC17707DAB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.874483365543339
    Encrypted:false
    SSDEEP:384:FUcX6W9aWoIYiQ345ZCRAM+o/8E9VF0NykTJZ:FUch1YiQ48RAMxkEC
    MD5:E180D06F50F269C1BD22E4CF821BC27B
    SHA1:ABACC47BF7AC201DDF3CFB0866BD00079861C0EC
    SHA-256:A835169F511BE2E260F1B04700105D30F5730C4222EABA8FE78ED02502D9D144
    SHA-512:C6C08EDDC48741F1D59771A7EBA26FAA80C5C770E983C134CC8CCBF015A7D4E6DFE6BCDDC129D5C0D3479812A7F01DCA2B7CAAB1281F4D5C0410F870C2756E8C
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):41240
    Entropy (8bit):5.9668698270688925
    Encrypted:false
    SSDEEP:768:IoBj7kS+8mjvHTeaWKs0Sd4eeEYiQKDDAMxkE0:fPmb9WKs0PeeE7QCxg
    MD5:4D65CC387F76A24E11FB03CD40819E97
    SHA1:20140619FF1ADF7AB5AF958C1F7337C3DB2771D3
    SHA-256:AC4D8E6B98C5A7BA598E093FA0C4F7B5BE1E5A09E6F62FFE68DB96F3713018D1
    SHA-512:613099D7DC16A15BE9DB122A88CB93F6C7ADD07CE30D9DC7C0557C900D8EE2E878BC37730F3DA62A10D07F72D658CA0B4CCAC21DC4E240D4D30DE2DE07732763
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.902972296355842
    Encrypted:false
    SSDEEP:384:sTI2pWPzW1IYiQ3O0AM+o/8E9VF0NyNm4Ni:sE3rYiQfAMxkEhi
    MD5:34E1DEBA3587CB42CF6191D12E6E547E
    SHA1:A06D0047C27771B9DD73CB9D7D4845A05049FC7F
    SHA-256:B7B246A85A3E5F91692E16600E7BABE7D91506D54F61994DDCD9E088F9BB94AC
    SHA-512:8A5346BB6BA479E2041EBE5F9FC675F535E517069CB94F2E62A20B71E62791B72EA8C43838B5178DBD7756A23C1CCA2F7479C31ECCF72856AAC280733A16B58B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.921056946574833
    Encrypted:false
    SSDEEP:384:qcezoy4W04WhFIYiQ3plZAM+o/8E9VF0NyyFdZ:qBzoy+mYiQHZAMxkE4/
    MD5:4582BE5C549C8DA4313A2CBA2C827903
    SHA1:6C06F8C739C8FA746BAF60EFCFE488A3428E799A
    SHA-256:46CEBFD816295F17D0FA1764B86C61C72C0FA552DC4D9022D2FF18CC47422785
    SHA-512:C15566215665F5DA2CA81816DEB71D5202F16860FEFB609F519D3679D7F988F136F9F458FBBEB0EE61E5AA64A0D57CDD6AB0214543148967B16D35943F1294BE
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.806703783445933
    Encrypted:false
    SSDEEP:384:JH/JWKpWWIYiQ3ywSaWAM+o/8E9VF0NyV6:JH/jEYiQNdWAMxkEW
    MD5:576B024467C60161C8964A0713C1B131
    SHA1:71832C440464895B2754CFAE504AEE81DEFCD835
    SHA-256:010B0848F97E9D760CFFF90B3C37806C04F2AE2425FA2332DA98FEFFF5319B20
    SHA-512:D77CE2960026819C7FF7A0F8E63888B82EC6999EF52EC51DC5EA221A9104ADB380E183207E0F24B8398FA5AB6635F367E38ED440F9368EA79A1F2889247E58D1
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):17176
    Entropy (8bit):6.752923174842551
    Encrypted:false
    SSDEEP:384:+TjbocNsWMhWyIYiQ3ih+bqAM+o/8E9VF0Ny7ss8lV:uboYyEYiQMAMxkEIlV
    MD5:D20D68888199CC64B7CBA3F152F1F8B0
    SHA1:3855B3C7C3DC30FD3662DFFFFC7694471B1EE51D
    SHA-256:272F550E0DF31C43FB367E1EB7539D359920F41E6839CE76AEE3704C9648D333
    SHA-512:81F3EEADB1D5F65CAC3B770364A399E20420FADC3D74BF65668CD1F931435874145D36556154F081C7A6E46120CFABB53A659ADF3F76DFE85614B14BF3200CCA
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.858839097031882
    Encrypted:false
    SSDEEP:384:ESKiWIhWwIYiQ3zNKk6lAM+o/8E9VF0NycuAcky:ESK8yYiQxl6lAMxkEHpky
    MD5:C34E4243806E6D050B04412FF8D54DA4
    SHA1:526F9201226BE1DF860E3163376CCDD7077BD365
    SHA-256:632B9111A5B770207FC2828F397E3395E788C35053EF3D4F7CAA75EC179BF642
    SHA-512:F9BC8D37F8499CC6303949ACE32D9A0E27C690B522E5ACCF1C0103BFAA68108B4039ED8EEA07A9F5E9EDE5CAD274E495190D5056DB7C64FDA8CF0F8E57D25C84
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16664
    Entropy (8bit):6.79747213750612
    Encrypted:false
    SSDEEP:384:u0KbZWApWmWTpWmIYiQ3HnAM+o/8E9VF0Nyuu:JKRyYYiQ3AMxkED
    MD5:820029E839BC1A0662A3C24B5251B6CC
    SHA1:AD02AB72E7853D88671EB364D43DC7B389282FD4
    SHA-256:BF798CE3B76458F7A79FF25F3027A6D4A2DB9C4526FBE6F68C1371CDFAC91BF4
    SHA-512:B21656E83D674E1B0120F5A7D88CDA059AB7EE7E897B1DF5041424E17DAAD60265801051621386C60CC58F88CD3FC8AF7AA66751AC900460F848260206B299D4
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.883517555633137
    Encrypted:false
    SSDEEP:384:ob1nWCXWDIYiQ3LRtc3AM+o/8E9VF0Ny1T:S7RYiQniAMxkET
    MD5:585993A2A01B48DA4AAF6831C9417D5D
    SHA1:C0EB6F84CC0349F12E2AFD2BA9933750A7F4212C
    SHA-256:36F7BF2A57D83005F34E2F4B5970D2E4C7AF2417DB6EA642D8C5BD20FB98A78B
    SHA-512:11DAC8E6AFC09B5EE52774CE97AB03C0AD91C9E274BCFB2829FAFB25D15084B463B298942387B4C89CDB7F82B0BD0F1152D39AC77EA3C29F32EE963FD5581DF5
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.788579353948668
    Encrypted:false
    SSDEEP:384:lcyW7TWIIYiQ3ljAM+o/8E9VF0NygD/d:efwYiQNAMxkEw/d
    MD5:188DCF3D64FD241996271702985C1E9D
    SHA1:E5D81466E9BDAF3D1556A2641C7E4B570849F8AE
    SHA-256:5AE5580D452E25660AAF7F4DF362129825DC1E4555A1EB8F4C36B7E7F3F9E405
    SHA-512:CDFAE342D883847F398D03C83AFFF668559B519E7F0126A0D4C5BD55873744C41962B25E3CBE7590C325570A297CE6BC29B2C0E34A40515E7F8C2B7A793D2697
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.914425821392454
    Encrypted:false
    SSDEEP:384:E6Rb32WVzWCIYiQ3kBW8bAM+o/8E9VF0Ny0Vf:TRb3dCYiQ0EmAMxkEQ
    MD5:4966B3C1D4E37CE302B09BFC9F3B3796
    SHA1:28F41DC5656BE339B6AE395989921EA5D2220E0A
    SHA-256:1946F4DE2B4E02999B595BBE5EA5D6AAEA7C223CCCDB7692DDAF85AEFE74695D
    SHA-512:028C8EA83ACDF7BCB68B29C0DC2888277F7BD3BD4F3AAD5B55C5845102BF17DC8457A483CF3A909FF8F63219999114B57CB68EDB46E4938CCB0D4375DE67BB0C
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):32024
    Entropy (8bit):6.54787259180045
    Encrypted:false
    SSDEEP:768:+u5I+sqOylryry8qqIfUc7a58YiQUAMxkEwg:+YIVBpry8qqIfUcm587QyxH
    MD5:2D2CE4ADC35B3DE484024A17D1D56EEB
    SHA1:361D85CDE3191DCEB46870F9FCE4CBE7F0128AEB
    SHA-256:C27167D2E25F531EB2126585A53D4055590A6593F369F073EFC88670405CB691
    SHA-512:A4122A12F2093D1D245BFF0DB69A38B2E6BB2233A2DF7CE90CB96708F30DE82B56BE92D3BAB7A483E4ECA6B35259A5F4D880967C82BBE265234DD2056B2D61CE
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.880163130277369
    Encrypted:false
    SSDEEP:384:Cvn4HREpWiQWHIYiQ3oBAM+o/8E9VF0NyJY59:dSGYiQaAMxkEM59
    MD5:C84D856BB9C762B321504EE3C83C05C3
    SHA1:B8AF668AC67A3228CDD7DF6044B8EE0649D2FE1E
    SHA-256:81450083B0AC42E11EF4DFD3919F983EFEB02A5FEFDFB63CCEDA1301D86D382E
    SHA-512:606D60F4B8B534E8EF004311304284A1B3E33B9CCB0B34BD513EDFEA8771CD23ABA11D27D835DACC17D01DABAE1C0B4020929F364B636BE4CFBDE28480CBC1EB
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16664
    Entropy (8bit):6.782841959136622
    Encrypted:false
    SSDEEP:384:W8MjKb47T3UCcqFMkJ59WdtWoIYiQ3j/C1AM+o/8E9VF0NyDXh/t:TMjKb4vcGdOeYiQO1AMxkEdf
    MD5:5C292D5199989BA8704AE24C47E3C6CA
    SHA1:1B11D11E477DFC558BBA2986A75F2A96AA33A2C2
    SHA-256:BDD220AD45C84557AD8301F20E4539520178537C255709382424A0C01C6F4749
    SHA-512:23F620F24F644D6963ACAD0036F22AE28B93287E12E211D99DE6CF563FB220952F102E0591D867800154DE89473005761A35A3DD71F6D2A3EAC5027666DF2023
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.870283770750724
    Encrypted:false
    SSDEEP:384:0zyNXd4+BW6FWZIYiQ3IUqAM+o/8E9VF0Nyf7:pzFYiQ1qAMxkE
    MD5:F9B9D1EABBC42B5008D7E7CE7AF891F3
    SHA1:1BFAD380C75987ED7BDEBA1668B632707B35EADC
    SHA-256:839DF3FCA50895543D54431650F351D9510A42A088A4BA6CA8BFC100EFE18807
    SHA-512:30DBA2DBFAF054822BE6E747FF680A74D38CC5F96B2B105532089CD156AE55EF7FEE7981C9FBA2ECB4D6619D8F021F70F17006C3A75B371C87315FE1D9993A35
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.869131602103997
    Encrypted:false
    SSDEEP:384:Ovs2Q3HKJNrWWRWGIYiQ3APQXjAM+o/8E9VF0NyP+e:OuM0YiQVAMxkEd
    MD5:EB8BC121CA91BB29832868DB0ADEA7B8
    SHA1:8ECD919716BD0AB0C76ED19A24E1C43A07152948
    SHA-256:CF25F6B678B72B862E0CF21C41FA89C09E914FE860F9082B1AC2D9D0D9C0AE01
    SHA-512:3321E611A1C81029250FBCB94F52029970A4BAE327F890AE714F6665D29EAC913E72ACF1DCE5A8835533C293AFDEE61EA2E1A32BAC73ECB2D2314514987D850C
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.840852158008534
    Encrypted:false
    SSDEEP:384:dFz0Q6gcqRhcsMWdMWDIYiQ3wg+2AM+o/8E9VF0Ny+MRF7:dFz1c6iYiQdAMxkEX
    MD5:EDFDF3C29B404089EA8D3CDB32CF8869
    SHA1:409D74561E0D4667C3875CCC500AB6429B632BEB
    SHA-256:E2F1781F89B3FEE5241AC93163844939570A14861A73FAD775DCCDA37EDDE767
    SHA-512:BFD627E367890C79655602E7A72BBF93AF6FB5C85249DEF0C3C8070005FFBD8994557676E96F54367D00EB3661C21197E329F1BAF91C1E52A2C72B29F397D3E9
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16664
    Entropy (8bit):6.732976396374359
    Encrypted:false
    SSDEEP:384:g6xWA3W4aW/NW2IYiQ3FOEWAM+o/8E9VF0NytI:gaBkYiQwdAMxkEY
    MD5:47A14C08CD93687B293202FE3D17F5E7
    SHA1:1F8932641E5B08B10600B9AFB6DEA2D1205254B4
    SHA-256:C7FDBBAAB4B94FBAF50F9895E228496916793BE26A042659D9A3AFAD669B25BD
    SHA-512:32E0A8EDCA108F18A8A3F0542AE0E6DD68DC696A9B0355374C9854BE1564D746C74B51070D105548F8E014C8FB095F0E090EE8170D93B6FB31084D15C83A4F30
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):73496
    Entropy (8bit):5.927124822441387
    Encrypted:false
    SSDEEP:1536:CIumja0tbe16pSc45EfL+4vD4SuJbhjXuE3FMqF1KAy4kHo05ureseh7997Q+xW:CIuAaGbeGq5rKASI0ICh9MP
    MD5:CAFFD8B1A72FF9B23D6D090F21FB6EDE
    SHA1:D73AED0AADF00A6EFC2FC8C43F55B049BDF5883F
    SHA-256:CC8DC3641186CD899E1880E57360046D762BCC5020898FE07FB1F21D926E849B
    SHA-512:75C5E5B2E66730CCF79CD4780DFA220AAECE334C141C8CA2574261E547D522813EA969171D31F94E8615914C14C7324DECB3787BEF22D5DC227E6AFE331E92CD
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.8623555509022856
    Encrypted:false
    SSDEEP:384:Jr97WquWIIYiQ37S/AM+o/8E9VF0Ny+k4b:JRJhYiQqAMxkEe
    MD5:A4725B91C8A37667A0160D0CDA00BF2C
    SHA1:BB5FCA1D8633EEB30138CEEA8BB967652970BF81
    SHA-256:F502968F31785373463E44223801FADB55A6B6600D08B8C72E6915929027F0D3
    SHA-512:1B8C3CDB6CA8C1EF0676C00355356FB8E17641502A6DEE0C9D85C5C141CB5B4A350E6E9C297258486FC87E3C88CA5008EF16C62BB816CB37A11F7A55B3C5106C
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.806901445435268
    Encrypted:false
    SSDEEP:384:N16eWLDWZIYiQ3W/PAM+o/8E9VF0NyC/Ul6:v6LfYiQ6PAMxkEnI
    MD5:C72092F038FB8FC6478D2360A82BF9C4
    SHA1:EFAD985B3D623432EC48AF34E7B867BA6F26063B
    SHA-256:2F766E307BE6760E48BB0380D465E6AABAF91248B11EB3281688CFC38B9918AA
    SHA-512:CD90E0CD5A6F5FB71A0B2A7DA82292ECF990DED228CDF9F1FA2ABF248BFA533FA729349D245FA89FE5BDC5C18B2EFD41E96618753C5658A905DE5C7FD8E9336F
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):17176
    Entropy (8bit):6.800309352277586
    Encrypted:false
    SSDEEP:384:o8G4YC2W+wW8WpwWyIYiQ3EZu3dAM+o/8E9VF0NyxFc:zGZ5JYiQmu3dAMxkEu
    MD5:6376D98908715960E576E6CFEF2F95DC
    SHA1:B1952BDD710C46681FA7C9D9BC4678E741BEB6EB
    SHA-256:12BF6F83DDA0C39DA3AF80E80D0A33FDFFCC2C39A60F7505796ACFF5668BBD0C
    SHA-512:B8CB08FAC2D4E1E8CF97F6E80D7D981D11E17638D6820A52156873AE8F4C12A470DB02D03A0069D57D4B962D811497AF2275E485B96B4ADCE7DCADF831D97ED9
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):15640
    Entropy (8bit):6.9079561166424694
    Encrypted:false
    SSDEEP:384:26ziqTEkGWvRWRIYiQ3R/LAM+o/8E9VF0NyQy9S:2YT1JYiQVLAMxkEB9S
    MD5:AC29E8863F9EA0D412C4E8F199969E0B
    SHA1:207ABBF8607F35B4787CAF289449D91EA88C0C86
    SHA-256:DF85D240CA4A2BCD315CF3E0DC84CD5F222353037B465F578C346B97989E235A
    SHA-512:B41A41F041B7BEFA83FFC937AC49F0100E32274A731021B0B3E02324CF8DA2A484514C0FE46D3B10C5DA083C5B6FC67E0ECDA72DA64C570C5276CFCA50C19C68
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.81714782970886
    Encrypted:false
    SSDEEP:384:qUv7c7iWNCWAIYiQ3ODSBAM+o/8E9VF0Ny9:qM7c1VYiQ+oAMxkE
    MD5:7C7B8E36213BE745948A4C00A6BC197B
    SHA1:3B0E149B97B1E935EFDC6F80728D7BDB13181FA0
    SHA-256:68FB9A52EC8379152F90B951D5C5AEFCADB24AF842BA2935A8360D4772962554
    SHA-512:DAF52B1930419089C40FBCEBB213583BC06933983DCA7A1D33DB971F644B76C54086ACCC2EE2D6230D53FDEC7D7E4B985898A1DE6EFB75F81B8B3C50E2FF156B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):16152
    Entropy (8bit):6.863714213386029
    Encrypted:false
    SSDEEP:192:o+vxmNWnRW5zIYiYF8uegv7cERfSsw9A5K+o/y2sE9jBF0NysaFI:NSWnRWZIYiQ3LUAM+o/8E9VF0NyHu
    MD5:3F5275B37A5D4433B29A565C667C38AE
    SHA1:46A6CAEADF923E9541C3D9A33C4A99DC87CA4ABC
    SHA-256:A2D445B4B5263685F0790E2326D9DC6AF037A42536996D48CE7D8ABDE6C8BC68
    SHA-512:7089EEF7AE97103029CB689CA0985992EB70075ACCCE1A1FCF9C6B40F47A9B47DF3A893B4C2E0960EE6159FBAA0404092BD35774D903B9FAC48265A450AF697C
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):20248
    Entropy (8bit):6.671536483435053
    Encrypted:false
    SSDEEP:384:1fNieVZaksEEwXJj12yIYiQ3RSLHAM+o/8E9VF0NyqrL:nXJj1UYiQoDAMxkEE
    MD5:96BDABDED6CFA0B9B83326F778EE51C3
    SHA1:CCCB3B64083DBB6226B5EA58AF114A88A274F05F
    SHA-256:50142D848BA1F0D448372FB58C79E6709ADC4EB115A5BBCB5B95A20EBB6E2BAE
    SHA-512:0574D8BCCBBFA4BCD1D8F056CB1E86F4609EB20367D25EA84660D4589B5DF6C1777BAA870BE51802D23624AB2DACC3140C14A507E83D5C2F1BA2B1970AFB2598
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):189
    Entropy (8bit):4.975451013309139
    Encrypted:false
    SSDEEP:3:JLWMNHU8LdgCzMvHcIMOofMuQVQDURAmIRMNHjFHr0lUfEyhTRLelFvREBAW4QIT:JiMVBdTMkIGMfVJ7VJdfEyFRLefJuAWq
    MD5:DA0EED2F114F1288C8DE452D5B95596E
    SHA1:1CF8A57C6DF6C309F373A2114A88B980A49D03E5
    SHA-256:AE5E7FA8373B273FAD07E0486CEBFD88C18F9517BA609C2B8E6534F5D9E53DCB
    SHA-512:A2B2F1CD8A772AA3EF074864DD1CE8A37FDB2A1A811B476DFB360F1C71FC787560E9F188916E2C73B290EDA74A56251DDD8EF85DD462515DF12D2E073DA9CF38
    Malicious:false
    Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>..</configuration>
    Process:C:\Windows\System32\msiexec.exe
    File Type:MSVC program database ver 7.00, 512*51 bytes
    Category:dropped
    Size (bytes):26112
    Entropy (8bit):2.404591342759292
    Encrypted:false
    SSDEEP:192:9P3APpAPDAPpAPthp1VOj9KbXouYVIMIhTbbOEe4QsENbpe4qgM:BMKgKbVOoPAi
    MD5:0151FC741197C424E672E759DB5BDA70
    SHA1:2647089388A60A10159ECF7AE491C701A36110C8
    SHA-256:7428A28A358CD23C0483E7DD934248DA83F60E5385D3CDB0DE33A497AFDC2066
    SHA-512:D2F047ED16F4A54EECAFD0CAE68EC257859FD705FCCE84BE34FFBE531C1BD849788AFFC20B0DF65FED512C60A9145B30DF4F99F24B65FFDF0730EEACDC69B65B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):24064
    Entropy (8bit):5.436377150873873
    Encrypted:false
    SSDEEP:384:nOeNiCPJ8d//4CMSKtmVbFhFMTuzO3zoVOgvevU3+uARkArvLU8Wyt:/x8d/i49z7cgWvwARkwvLU8
    MD5:D0854E8DB0D1AFBDAB9CEDB8464561A7
    SHA1:7550E1257E2D243AC0A12439D2A55C74718753D4
    SHA-256:363DC1FDC0C50618C9049F87BF6E2C6EB9D9CE4AC08960373BF778EF854D78AD
    SHA-512:CAF5CB38121FE12A560CEBE4E1AC3266AEFB3C7AB0635EFF26D1AB7DE8CD349F52CB8F9FD4F8E05CF6E496FF07083961881517298FF80A07691B22EF2B317A3D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):5773312
    Entropy (8bit):5.68640191645299
    Encrypted:false
    SSDEEP:49152:OVINVwJzGKybK12T5yb9ksyZWPsADcn0XjOTQVm8fGwoAIMHFqG:/NVwJzVSs+Wp4xyD
    MD5:2B71864142900544334292C45C9A9A21
    SHA1:763865F2163F8B3A294BB156D1E36B9E73A9EBAB
    SHA-256:94687C2812CD4B0DF1F93C3D083BAA730CAB07E9D9C3931FA6557C808BCEF49B
    SHA-512:DD73C7832A2B43774D18A83AC08CEE5A6F7D76F870A98A344B3FDD1DE61CD9B7362D31009F443592F138EFFB9ED7CDD9E4F8A7282C699B7AF3F434ABE74F215E
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):174080
    Entropy (8bit):4.838714488862786
    Encrypted:false
    SSDEEP:1536:BXlu9HOsrxLLC581nfkhTf85SfD/8E8pMyF2fIK2E3ZMrf/GXTdXg7A/w:b41x7v54sMyov2+Mrf/GXKA
    MD5:6AEB1C3E0470912D776EF79DC180AEF6
    SHA1:C35A83124548142B7AF868166EEB9B9A8DEDCA03
    SHA-256:249D4EBDCB399002F7B6DCB50384AD0DF3AB6A7CF7087161EDA4E43052128E6D
    SHA-512:3AA0D6D8BFB0788353A85E5C0F88B0D0B0CD80F200C78932D8BD4FCF0711EF6577F9C3F4036BB88A4EC7BCF58ED2C4A48FC003324B47A0FAB51E2A1B73436DE4
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):92952
    Entropy (8bit):5.492285731898612
    Encrypted:false
    SSDEEP:1536:K2Ec05j4eAH64rh5fSt5T9nFcI94Wh7Qux:plK4eA7mDmWhM
    MD5:44C9D4261456B66660E95B4E6F76A91E
    SHA1:6836D2E10D37FE8914DF08B893A641699BAE7B98
    SHA-256:F094805527BAB65226A7A5CDD30C89AD6B51C015256C9135F23248C6CE796530
    SHA-512:326A0C69D806ED1F5FD0FF0907124232D140E1371AFE749112DD740A6CF611982CEFC6D6D6B559400DD5D816BEF99431150BC01C9098415CC301FC8945222195
    Malicious:true
    Yara Hits:
    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\ScreenBeam\Conference\service\netstandard.dll, Author: Joe Security
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):39192
    Entropy (8bit):5.111012693768591
    Encrypted:false
    SSDEEP:768:C+ZpbHSTTUa8x+qvvIojhSYiQ8dvAMxkE:C+Zpb8T2x+CvS7QKvx
    MD5:27ECC507B03D4E985CBA18E940964F04
    SHA1:95725C54D908EFC3082D31F6628E25023B19ECDF
    SHA-256:4A15AF92AE21F539A900BD871939247C155E3ED4EE08C492C5508A3F552D7303
    SHA-512:840395117DAF5200340D85817C1932F7152F266C81BA3F6C2D73561DD5CD016FD7789116DEA7AF891BD1685BC372453385949C64A31673C5E3DCD91F8633A51F
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:DOS batch file, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1435
    Entropy (8bit):5.168514160976156
    Encrypted:false
    SSDEEP:24:CBc6mGOPDSgJaX7Blu7BW7BFXli/3g/EuzU/OVdEisHROVyOpX:0VgQX7Blu7BW7BFXg3g/EhAXnx
    MD5:9A11812CD3236C4E308130B537534745
    SHA1:26C6225474A25FB9C644CF78D4A7CB87D1E04AA2
    SHA-256:7CBF8C34EBF0318B37AA0ED06FA51BBB07F1F8C2BF4C1B07CAFE733A5D6E58DB
    SHA-512:5BCB6FD583828941F95B267742A82CCA602ADABF36D775F850D50336296EB6144FA1E7BAF29E3A3D9ED043A6BD7A605B1E1650C8D2EBC60F253057293D42C512
    Malicious:false
    Preview:@echo off....setlocal....set "DriverInfFile=vacscbkd.inf"..set "DeviceHwId=ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5"..set "DeviceInstId=Root\{aafa5613-1d56-4309-9c3a-c3911d766be5}\0000"....set Mode=....if /i "%1" == "install" set Mode=install..if /i "%1" == "remove" set Mode=remove....if "%Mode%" == "" (.... echo Parameter 1 must be "install" or "remove".. pause.. exit /b 1....)....if /i "%PROCESSOR_ARCHITECTURE%" == "x86" (.... set ProcDir=x86....) else if /i "%PROCESSOR_ARCHITECTURE%" == "AMD64" (.... set ProcDir=x64....) else (.... echo Unsupported architechture %PROCESSOR_ARCHITECTURE%.. pause.. exit /b 1....)....for /f "tokens=2 delims=[]" %%S in ('ver') do (.... for /f "tokens=2-5 delims=. " %%A in ("%%S") do (.... set /a Ver1=%%A.. set /a Ver2=%%B.. set /a Ver3=%%C.. rem set /a Ver4=%%D.... )....)....set InfFileSfx=....if %Ver1% LEQ 6 set InfFileSfx=6x....for %%F in ("%DriverInfFile%") do set DriverInfFile=%%~nF%InfFileSfx%%%~xF....if "%M
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):12270
    Entropy (8bit):7.330686262712275
    Encrypted:false
    SSDEEP:192:E9RPmW9bH/JCTaJ9EwvZvhYCT+ezE7weX01k9z3AUJYVp+Ry:WewpJZvh3BzEnR9zVuVIRy
    MD5:D80C1F0FDBC377D61DFD9F7158EFD158
    SHA1:520D67843181C66360AAEC19A670DD27EA136B3F
    SHA-256:F32E7DC3D4BC5104DF339329D110F051ED0D4C5894DFFEC82100B90D8F199E5C
    SHA-512:A31C25C15B0587A189CD5A5A8B462FEB2423409D3315CFED22142A45DD0A322A0AE18CF86D7E787B824C031163397A44B25A9B557DAF2B1EFC517A9CED743F36
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):2929
    Entropy (8bit):5.065142022178145
    Encrypted:false
    SSDEEP:48:fzl3b2Qb2ncb25AMPHwuTHYH9ewl9P8uPtS+iSFEY0dPFF+8PBDx:LMNnhZSkFdPBt
    MD5:66561E329C80089A6F916FADE352E6FC
    SHA1:AC5F26849C758F8B14B4AAEB157160A44AD6B5F6
    SHA-256:10E2C8EB7EF0E74819D5C8351B262D686D2D19C591CF2192D6A096C7B211F199
    SHA-512:9659B11CD773B246FC21291D91907D3C1318155914EBDF310C86DCB4445B6CCE3902D15BE3F26145C968D217B54D613750E00A2ADDC50142F3162E0CE64F8F16
    Malicious:false
    Preview:[Version]....Signature = "$WINDOWS NT$"..Class = MEDIA..Provider = %VendorName%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/02/2023, 4.70.0.13054..CatalogFile = vacscbkd.cat........[Manufacturer]....%VendorName% = DevSection, NTx86, NTamd64........[DevSection.NTx86]....%DeviceName% = DevInst, %HardwareId%........[DevSection.NTamd64]....%DeviceName% = DevInst, %HardwareId%........[DevInst.NT]....Include = ks.inf, wdmaudio.inf..Needs = KS.Registration, WDMAUDIO.Registration..CopyFiles = DevInst.DriverModules..AddReg = DevInst.AddReg..AddProperty = DevInst.Properties........;#####################################################################..;..; Services..; ========..;..;#####################################################################........[DevInst.NT.Services]....AddService = %ServiceId%, 0x2, SrvInstSection........[SrvInstSection]....DisplayName = %ServiceName%..ServiceType = %SERVICE_KERNEL_DRIVER%..StartType = %SERVICE_DEMAND_START%..ErrorControl = %
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):12070
    Entropy (8bit):7.457999528354426
    Encrypted:false
    SSDEEP:192:n8qp5UMQVMeKazCKVHGzexo44/VUVFKmqdBC4/C+Q3ISVSWMZMQ3bRg:n+MQJK2CKVjy/VUVFheCGBk7/UMQ3ba
    MD5:FA12FB4E8459A07B36C5A95FD167D077
    SHA1:99E0B4900057767ED7FFA71A082D8D3AE22AA3F3
    SHA-256:176FF202131A269A36EDCA62C2F1DAEC1DB8BBA1EC3F480572B48D6434A12727
    SHA-512:BA97E1805D05C23DA4A4AC88995D9F7DC0018D5B7289B040FA1B5F7A43CB89A4F62EFBBD81037078F86BE843C71CCE3C4DCA0B701680156885F7D42E096E3BFD
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Windows setup INFormation
    Category:dropped
    Size (bytes):2929
    Entropy (8bit):5.0674748908058245
    Encrypted:false
    SSDEEP:48:fzlhb2Qb2ncb25AMPHwuTHYH9ewl9P8uPtS+iSFEY0dPFi+8PBDx:LmNnhZSkFwPBt
    MD5:D07F07C26859DAB89970D4AD96D3F108
    SHA1:C148FB9665086B8C405AE552C8A475D35B62CBEA
    SHA-256:8B8A375ED4FEE5F3BB2CC42543409A0ACC6DDFB8FD5A1EF8F235442D54ABDD13
    SHA-512:7EAD667ECC295857988F0192ED30904A5CBFBF5180742E54F3DB890CF7903379D11FE3FCB2718908A6948B94D6D3BA5FF8B6F917190A699CD6A3C963C1857E3C
    Malicious:false
    Preview:[Version]....Signature = "$WINDOWS NT$"..Class = MEDIA..Provider = %VendorName%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 04/19/2021, 4.65.0.11554..CatalogFile = vacscbkd6x.cat........[Manufacturer]....%VendorName% = DevSection, NTx86, NTamd64........[DevSection.NTx86]....%DeviceName% = DevInst, %HardwareId%........[DevSection.NTamd64]....%DeviceName% = DevInst, %HardwareId%........[DevInst.NT]....Include = ks.inf, wdmaudio.inf..Needs = KS.Registration, WDMAUDIO.Registration..CopyFiles = DevInst.DriverModules..AddReg = DevInst.AddReg..AddProperty = DevInst.Properties........;#####################################################################..;..; Services..; ========..;..;#####################################################################........[DevInst.NT.Services]....AddService = %ServiceId%, 0x2, SrvInstSection........[SrvInstSection]....DisplayName = %ServiceName%..ServiceType = %SERVICE_KERNEL_DRIVER%..StartType = %SERVICE_DEMAND_START%..ErrorControl =
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):171544
    Entropy (8bit):5.144201025595193
    Encrypted:false
    SSDEEP:3072:nuQ0x55l3sW/GuUCxgJ4Ij+5I4sHFOZTDDaDVXx+ECq:nSxbZuQgulC4sHFOaXx
    MD5:AD9BFFA5A4628861E3F26AC346CD48A9
    SHA1:8556B7C3A15AE76D7264E3CF07910BD20EF1E80C
    SHA-256:349337C2B77F987F54461D9980BA06495DB1451D47B2C756A3A03BA6D31411FB
    SHA-512:E9AC2AF35EBD4CA5DD118ED9616A5344A715AF216E3ECDFF41D93D13B194C77E0925AD233F6B14C3642124BE53C8C7B9B292ABB3F87A7A8464D20CE73D9C3E13
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (native) x86-64, for MS Windows
    Category:dropped
    Size (bytes):219792
    Entropy (8bit):5.735350585191654
    Encrypted:false
    SSDEEP:3072:JE8wEpWgqisLq82YvqNEmM5jLl3GnE7/PFvpkjNkoB4CWkPfT:J2EAinbojxLpGE7/9ekoqA
    MD5:64B29F91C54FDBA4FDCDD9460B7594F4
    SHA1:D42BAE0B88FB7E7AF29A81816B9DFEC2C6659F11
    SHA-256:BC6863FFF87B0D25DE44D4CA2593F3B31493204EFB9BC490C5CC36A705B633FD
    SHA-512:096EA1751317617E6036D5C81DFFC8695BEFCD4BCB47808AD01C9C0821AB2573545553B81D053A3E940B50D819707F56F3E605F31E9FFC539573B4B52319AE11
    Malicious:true
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):153624
    Entropy (8bit):5.25201729531026
    Encrypted:false
    SSDEEP:3072:o1kBmhlHK7tYi3v5cfLWEbp9FzeF+7xegoHq:HBcJs/+zA+7xv
    MD5:92544DA55C0757D9D744D4A08C050326
    SHA1:2EDDACBC3D0C148141D969EB1522D84BF0543E36
    SHA-256:7A37866D3907B636D9526414F2BE2A800DDAA21B8829BFE7BEA549473E421B54
    SHA-512:667139084EB90F8AA35B127F7BD9095E2031EA37B7B134333F5ACEA437724C9303C8A519562C4FE01836857BEF95949E524F16C282FCF61EA00B66644B237F25
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (native) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):191632
    Entropy (8bit):5.775659352675325
    Encrypted:false
    SSDEEP:3072:xeiCi36K6Yi6cnpcfpWxoSP2W9NhOGAZnqBKzWzPG8w7PoiN6boOV:iQp5QTOpzWLGjPoiU
    MD5:42CDA2FE305A48FD4E95308D671F660B
    SHA1:B6A3E0187A779E3CCD8B756972A02CCEA14A4B56
    SHA-256:ED57B23BAADA65CDC62ED7712D190E1FB72FF77FC5B6FC0CF8B40693E5F2BC75
    SHA-512:4DEEE6E391CBB8E9850ECE265A9FD351EFCF6CE3BB6F5D3F8670F01D4ED870EF1E5B29E43DC5AE9A5D1E6906842E0385AEB9EA0E6B758127C5E21A166D86AA3B
    Malicious:true
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):31144
    Entropy (8bit):6.45005930112513
    Encrypted:false
    SSDEEP:768:0mnmSRBRQWj2jdkYpCMmzydjmNsc2pSTVEV3GPkj3UZ:HB7QKFGjmNsLITOEMK
    MD5:5F85D1A6148263FA5B0F68368840E644
    SHA1:890EF23C2592441AEEE5E54EDA628E25215F67B6
    SHA-256:E7DACEF5ECC8289199FFFCFB6859EA6BC308C602DAA24684BCB3D6D9FDF9919C
    SHA-512:7E491C0CC3EC1682D41BFB76C4FC10473F1D9F800BA7519C1DD1AFD8186DDD845ECCDE87F170A545A27D80AF4BA6AA2FA8FBD07D34256D2D7E54696CCA8BD091
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):28584
    Entropy (8bit):6.610450236402353
    Encrypted:false
    SSDEEP:384:+CgU5TxIr4qwCedA/u2EnHvs1vJMQJK2CKV48VEVFJ8ZcGwGBk7/UMQ3W:+QFI0qwCedB/HvsA2pxVEV3GPkjf
    MD5:10992B9F2436DE3DDF8B2E0AFD1040A0
    SHA1:C9EFA7BADB2B1ABEB84586F47512F1649D8E8CF0
    SHA-256:C5F1F14908488AA50D0584B1432386A838AA94117B7E16C1545FB158B1425522
    SHA-512:18F9EE23094D2356ED0736D2DA05CA6B2D6C8F1E562194A6431A4453456A0C4C7A0E6A9A09786C9ED8F44144BAC2BDDDD908F087F174B4054FCE1F1B916CE5E3
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):22808
    Entropy (8bit):6.651269522625864
    Encrypted:false
    SSDEEP:384:DwmfOy4CLLTkOJFIQvojDV7OLIYiQ3ygAM+o/8E9VF0Ny08ni6:Umf14CLnkAC5YiQ5AMxkE3ni6
    MD5:47D4EBEBEAD197CB39656890D63EED87
    SHA1:5CF5944DDE439DDD08FA9003AD705FB39FF8922A
    SHA-256:03D4F97B81F30AE6BE513CD568B17885B06FA36DF08819BBAD6918C7593EF432
    SHA-512:A2B37B83DDC8FE58D4BE01180CBC2ABC7CA5AA4606CFF42657F6D077E348EBD2A419B98F0725DE470A807C2CADFDCEDCF2E2217BB1402535DA92C54F3AE7DC9B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):22808
    Entropy (8bit):6.65159308859288
    Encrypted:false
    SSDEEP:384:vwmfOyUCLLTkOJFIQeRjDV7RIYiQ3ZEAM+o/8E9VF0Nyvj:omf1UCLHkAUGYiQOAMxkEF
    MD5:06EDB16F31D8C30C2218BD61E5E00FEF
    SHA1:2B360B76E032D9003A03D5E328AF1FDBCF47C2C8
    SHA-256:82C08DE0A2D46FF94FA6741AF14AB2ADB7E98DF4A7279B7919688E3592FEDAE3
    SHA-512:0963DE86932879D279F88DDF1E9B4DF003BBED80B55F0A9FEB645160A41ACCDE6674939A36798E4366298199B0F95459EEEC7A82ABB0E1ECF3E08D7F30035A2E
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
    Category:dropped
    Size (bytes):2615
    Entropy (8bit):2.5969452024351347
    Encrypted:false
    SSDEEP:24:8a+DSwWr7eJTKxjO6+Mk/wsdSyq3+Mk/wFtuZSC34Wk/w:8hkr7gwjdkYsdSv5kY/uZSCoWkY
    MD5:5D620DC9390F953FCB125341BD71B406
    SHA1:7DA98826D38C5EAA1A163D380A9152E55C30724F
    SHA-256:A9D7410E3FF696A6149DA8A61FE46506D995539ECC5E9F8189C8673E5479ED6F
    SHA-512:C61EC218DB8D19BFCDC9B20B9C021AAE64CF74F3B608DC50105AEF785B069937BE8CB8981C7D5CD90ABE080FFDD78DD1AA96817A81AF7B1F1D60438AC1622F02
    Malicious:false
    Preview:L..................F.P...........................................................P.O. .:i.....+00.../C:\...................V.1.....DWP`..Windows.@......OwH.Y:@....3.....................I+..W.i.n.d.o.w.s.....\.1......Yt@..Installer.D......O.I.Yt@............................I.I.n.s.t.a.l.l.e.r.......1......Y{@..{E1BB7~1..~.......Y{@.Y{@.....H.....................h_.{.E.1.B.B.7.7.D.B.-.A.6.A.4.-.4.6.C.F.-.B.4.A.C.-.1.B.9.0.5.1.B.2.8.7.6.F.}.....j.2.>B...Y{@!.SCREEN~1.EXE..N.......Y{@.Y{@.....H.....................h_.S.c.r.e.e.n.B.e.a.m...e.x.e.........S.c.r.e.e.n.B.e.a.m. .C.o.n.f.e.r.e.n.c.e...e.x.e.\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.E.1.B.B.7.7.D.B.-.A.6.A.4.-.4.6.C.F.-.B.4.A.C.-.1.B.9.0.5.1.B.2.8.7.6.F.}.\.S.c.r.e.e.n.B.e.a.m...e.x.e.+.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.S.c.r.e.e.n.B.e.a.m.\.C.o.n.f.e.r.e.n.c.e.\.a.p.p.\.J.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.E.1.B.B.7.7.D.B.-.A.6.A.4.-.4.6.C.F.-.B.4.A.C.-.1.B.9.0.5.1.B.2.8.7.6
    Process:C:\Windows\System32\rundll32.exe
    File Type:CSV text
    Category:dropped
    Size (bytes):651
    Entropy (8bit):5.348956889965525
    Encrypted:false
    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6KhaOK9eDLI4MNOK9XGK9yiv:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoM
    MD5:7CFF259EE7A28D8B8BA9D28BE3288747
    SHA1:89023672C346B4101410DF25D4CB42BD3FB38285
    SHA-256:D6EE41ADE037CF4F71E67C00CC8A98EA5BD5A6E3370CD36093EBA31DCE7B421A
    SHA-512:34224680DE9604686778FC1B4C3DAF83A47A248F6431E1BDA97F753043D760B701F8A5BB8BE0AA9FE16995C75410FC3336CE5E4A88F47EE6DFB9344912C1F0CA
    Malicious:false
    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..
    Process:C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):42
    Entropy (8bit):4.0050635535766075
    Encrypted:false
    SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
    MD5:84CFDB4B995B1DBF543B26B86C863ADC
    SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
    SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
    SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
    Malicious:false
    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
    Process:C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):42
    Entropy (8bit):4.0050635535766075
    Encrypted:false
    SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
    MD5:84CFDB4B995B1DBF543B26B86C863ADC
    SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
    SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
    SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
    Malicious:false
    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):602432
    Entropy (8bit):6.469389454249605
    Encrypted:false
    SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
    MD5:B7A6A99CBE6E762C0A61A8621AD41706
    SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
    SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
    SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):753984
    Entropy (8bit):6.461872633696775
    Encrypted:false
    SSDEEP:12288:sXWV44ngBNmhAzLUhfVdrjpuG1PE0I7+avw4UbY6t5rXf63Rfklet:KWV4zHzLUdVB1n1PE0Yw4Ubz5rXf63hL
    MD5:8DD026145833182777A182A646DF81F3
    SHA1:4F5CB840193EEA97DF088C83A794FB6E8F67AB07
    SHA-256:3071AF6BE43A2611DB45205F0D3F1F25ABA05ACF5F70992FCE2FFFD63EE9C85D
    SHA-512:F6C860BF563A24C046A7D76A6BC1E2F6BBFC80A87AC4513DE331049F35198DCBBDBB5BE7F5D49100E1D1C8AB680ECF3EAAA4FDB8F744C9FD5479A1BA64079391
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......':r.c[.Tc[.Tc[.T.).Un[.T.).U.[.T.%.Ur[.T.%.U{[.T.).Uz[.T.%.U=[.T.).Ub[.T.).Ut[.Tc[.T.Z.Tz$.U([.Tz$.Ub[.Tz$.Tb[.Tc[.Tb[.Tz$.Ub[.TRichc[.T................PE..L....=.d.........."!...$.>..........+........P............................................@.........................`..................h............D..@=.......r.....p............................e..@............P..........@....................text....=.......>.................. ..`.rdata...q...P...r...B..............@..@.data...H(..........................@....rsrc...h...........................@..@.reloc...r.......t..................@..B................................................................................................................................................................................................................................................................................
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1126208
    Entropy (8bit):6.475548916717572
    Encrypted:false
    SSDEEP:24576:cBbmgYewSBprKpygTqkg0z/f2sbQEiwiUt5KTD54qQc3w0RZqTkqMUM0zVQZA:cBflKp/Dz/f2sbQEidUt5K35Bz3w0RZg
    MD5:8E3862ECC7A591DF93CB916906EAE863
    SHA1:1C9F1F80BE421F8C87662B5AB11749DD7604FCF2
    SHA-256:B980C67B11CC39F006535303151273749E4CA69DD370CF45B6110A0B5AF77B68
    SHA-512:5D58C26F1F4ED448578E118C526A67159284E68B58062A0FF74492A38785FC94608CA09AADB5473F66DD0161FCCDBAD3EA4A2ED5C65396BEF5E3D6572AC607CE
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J"..+L..+L..+L.>YO..+L.>YI.X+L.IUH..+L.IUO..+L.IUI..+L.>YH..+L.>YM..+L..+M..*L..TE..+L..TL..+L..T...+L..+..+L..TN..+L.Rich.+L.........................PE..L....=.d.........."!...$.t..........0u.......................................P......#}....@.........................`...t...............................@=.......A.../..p....................0..........@...............4............................text...^s.......t.................. ..`.rdata...U.......V...x..............@..@.data...8...........................@....rsrc...............................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.>..>..>....w.>....u..>....t.>...V..>...V..>...V..>..F..>..>...>..>W..>..>W..>..>Wy.>..>..>..>W..>..Rich.>..........................PE..d....o.].........." .....R...........U.......................................p............`.........................................P....*......x....P.......0...............`..X......T...........................0................p...............................text....Q.......R.................. ..`.rdata.......p.......V..............@..@.data...............................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..X....`......................@..B........................................................................................................................................................................................................................
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......e.........." ..0.................. ........... ....................................`...@......@............... ............................................................................................................................... ..H............text....... ...................... ..`.rsrc...............................@..@........................................H.......LI..Hc...........................................................0...........r...po....~.....rY..p..r...po....&.r...po......"...%..,.o......r...po......"...%..,.o.......i..i...r/..po.... C............8.....r...p....(....o........(.........9.........o........r6..p(....,y.rB..prX..po.......+Z.....o....o....r^..po....,9.rj..po.....rB..pr...po.........o....->.....(....(.....+,...X.......i2.+......o....-......(....(........X......i?.....r...po.....(......r...p(.....,8.r2..po.....
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~............."...0..L..........Zj... ........@.. ..............................].....`..................................j..O....................V..p...........Li..8............................................ ............... ..H............text...`J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................;j......H.......$...(;...........................................................0..Y.......(....(.......9......9.......o......9.....r...p(....-".r...p(....-@.r...p(....:....8.....(......,..o....(.........o....(............(......,=.o.....14.o......+...(....o....(......(....-...........o.........o....(.......{...i./.r'..p+....o....(....-....Zo....(.......Lr)..p...rK..p(....(......+1rO..p(....r...p..'...%.r...p.%.rU..p.( ...(.......*....4....X..q......................K........... ...
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ..............................*^....`.....................................O.......................(..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....X"..........."...0..Z............... .....@..... ..............................x.....`...@......@............... ..................................p............n...............x..8............................................................ ..H............text...aY... ...Z.................. ..`.rsrc...p............\..............@..@........................................H.......(3..tE..........................................................*.(<......*..0............R~...... ......r...p...............(...+}e...~............r...p......%...%...(.....(......... ..(&...-.r3..p......%.(.....(....8a...re..p......%..s.....(......~....( .......~#...(....,.r...p......%.(.....(....8....r...p......%...(..........~.......(....-.r/..p......%.(.....(....8............(.....o....(.....o....()...-.r...p......%.(.....(....8..........(....-.r...p......%.(.....(....+`.
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.>..>..>....w.>....u..>....t.>...V..>...V..>...V..>..F..>..>...>..>W..>..>W..>..>Wy.>..>..>..>W..>..Rich.>..........................PE..d....o.].........." .....R...........U.......................................p............`.........................................P....*......x....P.......0...............`..X......T...........................0................p...............................text....Q.......R.................. ..`.rdata.......p.......V..............@..@.data...............................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..X....`......................@..B........................................................................................................................................................................................................................
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......e.........." ..0.................. ........... ....................................`...@......@............... ............................................................................................................................... ..H............text....... ...................... ..`.rsrc...............................@..@........................................H.......LI..Hc...........................................................0...........r...po....~.....rY..p..r...po....&.r...po......"...%..,.o......r...po......"...%..,.o.......i..i...r/..po.... C............8.....r...p....(....o........(.........9.........o........r6..p(....,y.rB..prX..po.......+Z.....o....o....r^..po....,9.rj..po.....rB..pr...po.........o....->.....(....(.....+,...X.......i2.+......o....-......(....(........X......i?.....r...po.....(......r...p(.....,8.r2..po.....
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:false
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~............."...0..L..........Zj... ........@.. ..............................].....`..................................j..O....................V..p...........Li..8............................................ ............... ..H............text...`J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................;j......H.......$...(;...........................................................0..Y.......(....(.......9......9.......o......9.....r...p(....-".r...p(....-@.r...p(....:....8.....(......,..o....(.........o....(............(......,=.o.....14.o......+...(....o....(......(....-...........o.........o....(.......{...i./.r'..p+....o....(....-....Zo....(.......Lr)..p...rK..p(....(......+1rO..p(....r...p..'...%.r...p.%.rU..p.( ...(.......*....4....X..q......................K........... ...
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):753984
    Entropy (8bit):6.461872633696775
    Encrypted:false
    SSDEEP:12288:sXWV44ngBNmhAzLUhfVdrjpuG1PE0I7+avw4UbY6t5rXf63Rfklet:KWV4zHzLUdVB1n1PE0Yw4Ubz5rXf63hL
    MD5:8DD026145833182777A182A646DF81F3
    SHA1:4F5CB840193EEA97DF088C83A794FB6E8F67AB07
    SHA-256:3071AF6BE43A2611DB45205F0D3F1F25ABA05ACF5F70992FCE2FFFD63EE9C85D
    SHA-512:F6C860BF563A24C046A7D76A6BC1E2F6BBFC80A87AC4513DE331049F35198DCBBDBB5BE7F5D49100E1D1C8AB680ECF3EAAA4FDB8F744C9FD5479A1BA64079391
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):753984
    Entropy (8bit):6.461872633696775
    Encrypted:false
    SSDEEP:12288:sXWV44ngBNmhAzLUhfVdrjpuG1PE0I7+avw4UbY6t5rXf63Rfklet:KWV4zHzLUdVB1n1PE0Yw4Ubz5rXf63hL
    MD5:8DD026145833182777A182A646DF81F3
    SHA1:4F5CB840193EEA97DF088C83A794FB6E8F67AB07
    SHA-256:3071AF6BE43A2611DB45205F0D3F1F25ABA05ACF5F70992FCE2FFFD63EE9C85D
    SHA-512:F6C860BF563A24C046A7D76A6BC1E2F6BBFC80A87AC4513DE331049F35198DCBBDBB5BE7F5D49100E1D1C8AB680ECF3EAAA4FDB8F744C9FD5479A1BA64079391
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):753984
    Entropy (8bit):6.461872633696775
    Encrypted:false
    SSDEEP:12288:sXWV44ngBNmhAzLUhfVdrjpuG1PE0I7+avw4UbY6t5rXf63Rfklet:KWV4zHzLUdVB1n1PE0Yw4Ubz5rXf63hL
    MD5:8DD026145833182777A182A646DF81F3
    SHA1:4F5CB840193EEA97DF088C83A794FB6E8F67AB07
    SHA-256:3071AF6BE43A2611DB45205F0D3F1F25ABA05ACF5F70992FCE2FFFD63EE9C85D
    SHA-512:F6C860BF563A24C046A7D76A6BC1E2F6BBFC80A87AC4513DE331049F35198DCBBDBB5BE7F5D49100E1D1C8AB680ECF3EAAA4FDB8F744C9FD5479A1BA64079391
    Malicious:false
    Process:C:\Windows\SysWOW64\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):80800
    Entropy (8bit):6.781496286846518
    Encrypted:false
    SSDEEP:1536:FRk1rh/be3Z1bij+8xG+sQxzQF50I9VSHIecbWZOUXYOe0/zuvY:FRk/+Z1z8s+s+QrTmIecbWIA7//gY
    MD5:1E6E97D60D411A2DEE8964D3D05ADB15
    SHA1:0A2FE6EC6B6675C44998C282DBB1CD8787612FAF
    SHA-256:8598940E498271B542F2C04998626AA680F2172D0FF4F8DBD4FFEC1A196540F9
    SHA-512:3F7D79079C57786051A2F7FACFB1046188049E831F12B549609A8F152664678EE35AD54D1FFF4447428B6F76BEA1C7CA88FA96AAB395A560C6EC598344FCC7FA
    Malicious:false
    Process:C:\Windows\SysWOW64\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):80800
    Entropy (8bit):6.781496286846518
    Encrypted:false
    SSDEEP:1536:FRk1rh/be3Z1bij+8xG+sQxzQF50I9VSHIecbWZOUXYOe0/zuvY:FRk/+Z1z8s+s+QrTmIecbWIA7//gY
    MD5:1E6E97D60D411A2DEE8964D3D05ADB15
    SHA1:0A2FE6EC6B6675C44998C282DBB1CD8787612FAF
    SHA-256:8598940E498271B542F2C04998626AA680F2172D0FF4F8DBD4FFEC1A196540F9
    SHA-512:3F7D79079C57786051A2F7FACFB1046188049E831F12B549609A8F152664678EE35AD54D1FFF4447428B6F76BEA1C7CA88FA96AAB395A560C6EC598344FCC7FA
    Malicious:false
    Process:C:\Windows\SysWOW64\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):440152
    Entropy (8bit):6.586188597397118
    Encrypted:false
    SSDEEP:12288:5gbiQnSDqYisDEiD3jbTFiuiSiO+3P53nUNlQ:SbvnSDqJsDEiD3PTFTFiv53UNW
    MD5:2229B255EED3280B3AC696F0F3388C72
    SHA1:9AF549FFE4E2CBAADD6513831B27B7D6EC13E405
    SHA-256:D99F212B9C6D199A201F4F9317BB586CAFA78323692474DE56D67FF47E9C65B2
    SHA-512:3C4831337EDEC24246B0CA4875A86D8DB78A47C2904467B4349BE5CCD7B49273AD930994DA339021CEDEA1A24AF78F91F7C366FDB52EC56631969441D1C62483
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {6EBE4205-4E27-4DB1-9068-3012795620A8}, Number of Words: 2, Subject: ScreenBeam Conference, Author: ScreenBeam Inc., Name of Creating Application: ScreenBeam Conference, Template: x64;1033, Comments: ScreenBeam Conference Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Jan 31 19:10:38 2024, Number of Pages: 200
    Category:dropped
    Size (bytes):102135296
    Entropy (8bit):7.970214572753853
    Encrypted:false
    SSDEEP:3145728:SDe0/dkW72De0/+T94dMnW5DzmufvsRCHJ97C:SDe0OWSDe0Xd4W13fvsRC77
    MD5:A770CB1544E4CE49E254DCC8B0A92FF9
    SHA1:1EC5C384F1E1700692642933F3BC6ED97F1E703F
    SHA-256:E8FA77ECA6F7A5DB3B7AD7FE0ECF363DB990DDD4359579500FBC56EBA67C06DE
    SHA-512:1B4EBF4CEBA32CFF2FC410DD632E0576AA82E657FBBC9CCD9E780D8075A738ED03848048F62AC6F357CE095EDBDAB316077B57A2CE7CFE9816AE785D3423E8B6
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {6EBE4205-4E27-4DB1-9068-3012795620A8}, Number of Words: 2, Subject: ScreenBeam Conference, Author: ScreenBeam Inc., Name of Creating Application: ScreenBeam Conference, Template: x64;1033, Comments: ScreenBeam Conference Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Jan 31 19:10:38 2024, Number of Pages: 200
    Category:modified
    Size (bytes):102135296
    Entropy (8bit):7.970214572753853
    Encrypted:false
    SSDEEP:3145728:SDe0/dkW72De0/+T94dMnW5DzmufvsRCHJ97C:SDe0OWSDe0Xd4W13fvsRC77
    MD5:A770CB1544E4CE49E254DCC8B0A92FF9
    SHA1:1EC5C384F1E1700692642933F3BC6ED97F1E703F
    SHA-256:E8FA77ECA6F7A5DB3B7AD7FE0ECF363DB990DDD4359579500FBC56EBA67C06DE
    SHA-512:1B4EBF4CEBA32CFF2FC410DD632E0576AA82E657FBBC9CCD9E780D8075A738ED03848048F62AC6F357CE095EDBDAB316077B57A2CE7CFE9816AE785D3423E8B6
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:true
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:true
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):602432
    Entropy (8bit):6.469389454249605
    Encrypted:false
    SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
    MD5:B7A6A99CBE6E762C0A61A8621AD41706
    SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
    SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
    SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):803047
    Entropy (8bit):6.549316373996505
    Encrypted:false
    SSDEEP:12288:IFz4xC95xMMFd88UyWRAIUcm4xC95xMMFd88UyWRAIUc9:GeC95xMilwCIUcmeC95xMilwCIUc9
    MD5:D93E619C096AF1299555ED021212B881
    SHA1:0D8AF7D378248E16EC540603BEE70D62F0CE2DD5
    SHA-256:467C6C4A6EA9A2A7437A6CB49DD70C76ED86B2E2156530DA12FD208967EE1834
    SHA-512:61CCD62C42231C5E95CA6A7B61C54FF63CD3F22DD59A54D00406622B8B238F4A92A3A4FF6D97515A592D6A59B8FF430ABC8818FB53F974BCBE05FE997BEBE54C
    Malicious:false
    Preview:...@IXOS.@.....@r .Y.@.....@.....@.....@.....@.....@......&.{E1BB77DB-A6A4-46CF-B4AC-1B9051B2876F}..ScreenBeam Conference).ScreenBeam_Conference_Windows_1.0.5.9.msi.@.....@.....@.....@......ScreenBeam.exe..&.{6EBE4205-4E27-4DB1-9068-3012795620A8}.....@.....@.....@.....@.......@.....@.....@.......@......ScreenBeam Conference......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{7199D981-9853-484B-8139-2C2B34F1FA2A}'.C:\Program Files\ScreenBeam\Conference\.@.......@.....@.....@......&.{EC32DB67-553E-42DB-8AB0-D93C26D64C7E}:.22:\Software\ScreenBeam Inc.\ScreenBeam Conference\Version.@.......@.....@.....@......&.{85245CA4-064E-4C9A-A44A-343774C760F3}9.C:\Program Files\ScreenBeam\Conference\app\ControlzEx.dll.@.......@.....@.....@......&.{041A7DD2-445F-4C98-9186-26507D7F21CB}9.C:\Program Files\ScreenBeam\Conference\app\ControlzEx.xml.@.......@.....@.....@......&.{
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:true
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:true
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:true
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):353600
    Entropy (8bit):6.524461384910501
    Encrypted:false
    SSDEEP:6144:f4xsB95xMzgFkesmW1XAORoUSUU+eVWRAItCc9:f4xC95xMMFd88UyWRAIUc9
    MD5:FD4C73245936B9050D8D22E651F191F1
    SHA1:6B314D781C234B13ED25C4F5B03C0F873D5FCAE0
    SHA-256:22CFDC73F6B1866E2C8419BE4C350DE4F1AE4D4C73E8B5A510DEED4CF6BAEE3B
    SHA-512:EB3FB26735F14DDCB642F14C6E70B1E431682ED842FC3C2B7A611F2E379A55D667B2525327EEB41DA951D4332782B7439E60DFC5A8BA2DAB5ECD823EAEF758E4
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):353600
    Entropy (8bit):6.524461384910501
    Encrypted:false
    SSDEEP:6144:f4xsB95xMzgFkesmW1XAORoUSUU+eVWRAItCc9:f4xC95xMMFd88UyWRAIUc9
    MD5:FD4C73245936B9050D8D22E651F191F1
    SHA1:6B314D781C234B13ED25C4F5B03C0F873D5FCAE0
    SHA-256:22CFDC73F6B1866E2C8419BE4C350DE4F1AE4D4C73E8B5A510DEED4CF6BAEE3B
    SHA-512:EB3FB26735F14DDCB642F14C6E70B1E431682ED842FC3C2B7A611F2E379A55D667B2525327EEB41DA951D4332782B7439E60DFC5A8BA2DAB5ECD823EAEF758E4
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):602432
    Entropy (8bit):6.469389454249605
    Encrypted:false
    SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
    MD5:B7A6A99CBE6E762C0A61A8621AD41706
    SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
    SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
    SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):602432
    Entropy (8bit):6.469389454249605
    Encrypted:false
    SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
    MD5:B7A6A99CBE6E762C0A61A8621AD41706
    SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
    SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
    SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:true
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:true
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:true
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):602432
    Entropy (8bit):6.469389454249605
    Encrypted:false
    SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
    MD5:B7A6A99CBE6E762C0A61A8621AD41706
    SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
    SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
    SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):602432
    Entropy (8bit):6.469389454249605
    Encrypted:false
    SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
    MD5:B7A6A99CBE6E762C0A61A8621AD41706
    SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
    SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
    SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):602432
    Entropy (8bit):6.469389454249605
    Encrypted:false
    SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
    MD5:B7A6A99CBE6E762C0A61A8621AD41706
    SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
    SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
    SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):753984
    Entropy (8bit):6.461872633696775
    Encrypted:false
    SSDEEP:12288:sXWV44ngBNmhAzLUhfVdrjpuG1PE0I7+avw4UbY6t5rXf63Rfklet:KWV4zHzLUdVB1n1PE0Yw4Ubz5rXf63hL
    MD5:8DD026145833182777A182A646DF81F3
    SHA1:4F5CB840193EEA97DF088C83A794FB6E8F67AB07
    SHA-256:3071AF6BE43A2611DB45205F0D3F1F25ABA05ACF5F70992FCE2FFFD63EE9C85D
    SHA-512:F6C860BF563A24C046A7D76A6BC1E2F6BBFC80A87AC4513DE331049F35198DCBBDBB5BE7F5D49100E1D1C8AB680ECF3EAAA4FDB8F744C9FD5479A1BA64079391
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):753984
    Entropy (8bit):6.461872633696775
    Encrypted:false
    SSDEEP:12288:sXWV44ngBNmhAzLUhfVdrjpuG1PE0I7+avw4UbY6t5rXf63Rfklet:KWV4zHzLUdVB1n1PE0Yw4Ubz5rXf63hL
    MD5:8DD026145833182777A182A646DF81F3
    SHA1:4F5CB840193EEA97DF088C83A794FB6E8F67AB07
    SHA-256:3071AF6BE43A2611DB45205F0D3F1F25ABA05ACF5F70992FCE2FFFD63EE9C85D
    SHA-512:F6C860BF563A24C046A7D76A6BC1E2F6BBFC80A87AC4513DE331049F35198DCBBDBB5BE7F5D49100E1D1C8AB680ECF3EAAA4FDB8F744C9FD5479A1BA64079391
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:true
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:true
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:true
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):602432
    Entropy (8bit):6.469389454249605
    Encrypted:false
    SSDEEP:6144:QaFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOl+mN9ysU5pvs8g73E:pYL9HXVW0xOA+KlZC4vc55s8g73E
    MD5:B7A6A99CBE6E762C0A61A8621AD41706
    SHA1:92F45DD3ED3AAEAAC8B488A84E160292FF86281E
    SHA-256:39FD8D36F8E5D915AD571EA429DB3C3DE6E9C160DBEA7C3E137C9BA4B7FD301D
    SHA-512:A17E4512D906599B7F004EBB2F19EE2566EE93C2C18114AC05B0A0115A8C481592788F6B97DA008795D5C31FB8D819AC82A5097B1792248319139C3FACE45642
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
    Category:dropped
    Size (bytes):532629
    Entropy (8bit):7.23855643702159
    Encrypted:false
    SSDEEP:12288:6wHL0D1qc47q5CGzG/bdViRggskkyHm3Bm7IWIkK:bHL0YL0CGIDiRg4lGVP
    MD5:0A8C597BC720C23767767CEB5D894FE5
    SHA1:CF31FF3426C142E6BD0FF98926DDBF19933E800C
    SHA-256:FFCAD47754C1B88E02FA692FA7BADA9E578BDB1A38BFC492449F504B044A8D21
    SHA-512:0E6F93BED26445C74FD3D52987ACCED5FBB0956E528E9A0C13183F3125AFCDA14E48D090C43525FADFD070E518DEF02E51177BBABD082B1F2E915664947834FC
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):37888
    Entropy (8bit):4.843366347962712
    Encrypted:false
    SSDEEP:768:jzmYFEr6mMN+c28dt0n0cmb9K8CaME86El8aJAvg5vinx8l:DErpO28Un0cmbo8CaME86El8aJAvghic
    MD5:91B58050CC3C371AD9CB26C8DA35BF65
    SHA1:E37C9AB91CDE46CAF0887FA7C634D3A1D9D7D9DA
    SHA-256:3935F2CCC0DD459B0A47C25F7C56B903B2728F13F18014BCFAB59A38D8ED8D24
    SHA-512:D881FA00BC1905DC7193D3B3FF33F4B6995096F7251871E5DBB47312A3CD37446DA3C1E775F4447839A9E22A5358F746B8545B66D1618D306E6AF811114E9F70
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):1493
    Entropy (8bit):4.732294656481805
    Encrypted:false
    SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB7ZtG9jDqRp:c0nd5t7q7WsFD7tztG96n
    MD5:01C01D040563A55E0FD31CC8DAA5F155
    SHA1:3C1C229703198F9772D7721357F1B90281917842
    SHA-256:33D947C04A10E3AFF3DCA3B779393FA56CE5F02251C8CBAE5076A125FDEA081F
    SHA-512:9C3F0CC17868479575090E1949E31A688B8C1CDFA56AC4A08CBE661466BB40ECFC94EA512DC4B64D5FF14A563F96F1E71C03B6EEACC42992455BD4F1C91F17D5
    Malicious:false
    Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):28784
    Entropy (8bit):6.08346118574361
    Encrypted:false
    SSDEEP:384:Njd3dLRRG0F3yFpRzAFgLU5pnsEdy4qy5NFa4ElKiH7A0/GDGwE3hgp:NjdF0pnqJy4qsFajwiHoDG9h
    MD5:F03298C90AB58E72A04E1AA310608B4C
    SHA1:4A22DBBEAA8CF660522BBF68C8FF029A10AAE017
    SHA-256:AF419AE180755DCDEE1903EDC604F9B1587DE3E7B392247C9089C5F679A760E4
    SHA-512:6AEC6DB0B8E7D22402E0A2A924A8E5C8505F3C85227AC67E6171AA0D6AEB6F4582D84FD0924090D98F859ECC92008C0C26D6EFFD60705A4A5C709A54B8445D96
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):184240
    Entropy (8bit):5.876033362692288
    Encrypted:false
    SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
    MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
    SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
    SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
    SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):701992
    Entropy (8bit):5.940787194132384
    Encrypted:false
    SSDEEP:12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
    MD5:081D9558BBB7ADCE142DA153B2D5577A
    SHA1:7D0AD03FBDA1C24F883116B940717E596073AE96
    SHA-256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
    SHA-512:2FDF035661F349206F58EA1FEED8805B7F9517A21F9C113E7301C69DE160F184C774350A12A710046E3FF6BAA37345D319B6F47FD24FBBA4E042D54014BEE511
    Malicious:false
    Process:C:\Windows\System32\rundll32.exe
    File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
    Category:dropped
    Size (bytes):34984
    Entropy (8bit):6.000650459314047
    Encrypted:false
    SSDEEP:768:vpi8gAMeOlzzBbaERp8h3VGKrX1/LVtYcFSVc6KSDG2FhCZZ:xi8gAJbNlz9SVclBZZ
    MD5:C7EEAC397EC6B4EC895E89D0E43C652D
    SHA1:64D5F0E3F7170C99ABADDCC09C26A44A83513871
    SHA-256:70B980E8E365BDB1883DB597455901F7CD75D727B3FF65198FB184510DC1C251
    SHA-512:C21BFBEE9C507FD6ED1D9F04800597E3923CED33E963FDDE76E1DAB8FF5DA2B5E8AFB1B8729E952C18869A4626B6274ECD603A93FD24157D380D94800AA3C437
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):49152
    Entropy (8bit):0.7763129054463621
    Encrypted:false
    SSDEEP:12:JSbX72FjAiAGiLIlHVRpsh/7777777777777777777777777vDHFLGOlCgHl0i8Q:JpQI58xGF
    MD5:3C9B8BBF9A5042D9120C175ABBFF30BE
    SHA1:33B392B536EEEA8C7009A92FB93E666C2FED27A6
    SHA-256:31C62A81846002537A33BB9CB253FB8AD40793BB539253864D653DCD3E6D341E
    SHA-512:098747F222BC3446FBE14BEC9DF84298EB3773BD8CEA7D07C1885D9ED750B2C7B8BEDCA9926C6180F23BB35F9B3ECEE91F1F4BC7415746B2748268AE33090156
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):32768
    Entropy (8bit):1.4532408982925713
    Encrypted:false
    SSDEEP:48:PSRuGM+CFXJxT55UDIe8RgdSwAEkrCyuGpeSkdSyHHltCMowojQZCQZBt8xzMmaJ:6RGJT3dvRC7zn3IaCaQZa5kFvRCUWh
    MD5:A6D38A278D0A75E0EB429028A84E1F17
    SHA1:AA140C805D3B4253CF269EDAD34C9B2CC1AFFEBD
    SHA-256:E92652C75C08C00C3C3EF7C4D71D64A7EB85A86C547A2322C5934A872308011F
    SHA-512:1CF9FB451CC9999D2D28D1ADAB5DC000C34BC8C8E7E543C6DD3163804F40E4A3DB5E41FF394A1AFE9070F2B0B756FB391BF66BD4D5E5B70317B6C7159930A34F
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel
    Category:dropped
    Size (bytes):16958
    Entropy (8bit):2.3402736777188395
    Encrypted:false
    SSDEEP:96:a+Ngz9wjTeE7144BQ2DFFnEbHIcXExGErQa2Nvv4wG:acgz9qaE7144BQ2DPEzEMErQaAX4L
    MD5:D75CA2815FA84BC36C36D18B6AD9048F
    SHA1:5353AE1430AC909C25484047713712520C3A2AE2
    SHA-256:3B156EDE48A466BDEC4FF5F230B2841899DF2B0A4ED7A645CFF72F7DC3CBC318
    SHA-512:008A5D9B83143AC59ECF5CC2654C2597199052B0876225CF32102188F192DC7CAA87F3D7DC76E03C76AB682884198DD6A5CC3DC3AF6993DD9A7C47AB85832496
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
    Category:dropped
    Size (bytes):432221
    Entropy (8bit):5.37516539830918
    Encrypted:false
    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauc:zTtbmkExhMJCIpEr9
    MD5:778AE55EF2D8B6C3E531F6329CE08CDF
    SHA1:6D5C0D5DAAC5351E7642F1001BF27711E33FDEDF
    SHA-256:4775D77E43FE4E4B2AF9332FD046CA7B148E186875903E88FEB06F81E3405708
    SHA-512:15AC9AF69353725BBB7E2EF42D227BF4CD995877A8904CDE493A98489290ECF006BE592FEC2184ECA17FFAB105108B89154462A50225FA0FCAD6798BE1D1DF3A
    Malicious:false
    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):81920
    Entropy (8bit):0.21924254656826458
    Encrypted:false
    SSDEEP:48:V0u2mzrdSwAEkrCyuCSkdSzdSwAEkrCyuGpeSkdSyHHltCMowojQZCQZBt8xzMmL:VWRRCU7RC7zn3IaCaQZa5kF9
    MD5:D49C7EF2B787BCA2756AAB558CE967B6
    SHA1:69B3384691DBF7D9094B2223D1148F01D646F577
    SHA-256:14975CC29F64D0E418A6585016FC1D4B69121BA94CF88768E0F785510C52EA01
    SHA-512:D3EFEAD8A3EBA4F9259D023DE1763A82B5EEE68FA2CEA71FDE08D1BA94900A4EE3B64AF152228861C1F967F7D093FA0D96D0AC1B7C8A1504FDF1882BE09F0A43
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):32768
    Entropy (8bit):1.4532408982925713
    Encrypted:false
    SSDEEP:48:PSRuGM+CFXJxT55UDIe8RgdSwAEkrCyuGpeSkdSyHHltCMowojQZCQZBt8xzMmaJ:6RGJT3dvRC7zn3IaCaQZa5kFvRCUWh
    MD5:A6D38A278D0A75E0EB429028A84E1F17
    SHA1:AA140C805D3B4253CF269EDAD34C9B2CC1AFFEBD
    SHA-256:E92652C75C08C00C3C3EF7C4D71D64A7EB85A86C547A2322C5934A872308011F
    SHA-512:1CF9FB451CC9999D2D28D1ADAB5DC000C34BC8C8E7E543C6DD3163804F40E4A3DB5E41FF394A1AFE9070F2B0B756FB391BF66BD4D5E5B70317B6C7159930A34F
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):32768
    Entropy (8bit):0.0826901541735271
    Encrypted:false
    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOLclOgIACLD2qXyVky6lt1:2F0i8n0itFzDHFLGOlCgH
    MD5:8E243F7F44488F73E6F88018ACCC0120
    SHA1:508143FCB78F98D863728D18165F7521BE4FC450
    SHA-256:BD20F93864DFD602E4CF2D8A32BD2BA6AA1E1FBD20DE64784BDA63409181FE67
    SHA-512:557FDD2EB42435886E36E0A39B434DBA11D9B8807BF32E30C74CBFB1FAEBC01B369A85B185CB9C345521A3E71497695B920BE749A387096BEBC2991F1A9F686A
    Malicious:false
    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {6EBE4205-4E27-4DB1-9068-3012795620A8}, Number of Words: 2, Subject: ScreenBeam Conference, Author: ScreenBeam Inc., Name of Creating Application: ScreenBeam Conference, Template: x64;1033, Comments: ScreenBeam Conference Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Jan 31 19:10:38 2024, Number of Pages: 200
    Entropy (8bit):7.970214572753853
    TrID:
    • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
    File name:ScreenBeam_Conference_Windows_1.0.5.9.msi
    File size:102'135'296 bytes
    MD5:a770cb1544e4ce49e254dcc8b0a92ff9
    SHA1:1ec5c384f1e1700692642933f3bc6ed97f1e703f
    SHA256:e8fa77eca6f7a5db3b7ad7fe0ecf363db990ddd4359579500fbc56eba67c06de
    SHA512:1b4ebf4ceba32cff2fc410dd632e0576aa82e657fbbc9ccd9e780d8075a738ed03848048f62ac6f357ce095edbdab316077b57a2ce7cfe9816ae785d3423e8b6
    SSDEEP:3145728:SDe0/dkW72De0/+T94dMnW5DzmufvsRCHJ97C:SDe0OWSDe0Xd4W13fvsRC77
    TLSH:5E283321B58AC03AFA7F50725839EAA6567D7E600B3284DBA3D87A7E0D715C15332F13
    Icon Hash:2d2e3797b32b2b99
    No network behavior found

    Target ID:0
    Start time:04:01:53
    Start date:13/08/2024
    Path:C:\Windows\System32\msiexec.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ScreenBeam_Conference_Windows_1.0.5.9.msi"
    Imagebase:0x7ff6458d0000
    File size:69'632 bytes
    MD5 hash:E5DA170027542E25EDE42FC54C929077
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:1
    Start time:04:01:54
    Start date:13/08/2024
    Path:C:\Windows\System32\msiexec.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\msiexec.exe /V
    Imagebase:0x7ff6458d0000
    File size:69'632 bytes
    MD5 hash:E5DA170027542E25EDE42FC54C929077
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:2
    Start time:04:01:54
    Start date:13/08/2024
    Path:C:\Windows\SysWOW64\msiexec.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 0E3DF5012F3B4169CA96DD45D36CF523 C
    Imagebase:0x750000
    File size:59'904 bytes
    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:6
    Start time:04:02:40
    Start date:13/08/2024
    Path:C:\Windows\System32\svchost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    Imagebase:0x7ff6eef20000
    File size:55'320 bytes
    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
    Has elevated privileges:true
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:7
    Start time:04:02:58
    Start date:13/08/2024
    Path:C:\Windows\System32\msiexec.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\MsiExec.exe -Embedding 83970C7A15921B07EA6C6C5B0F912C8C C
    Imagebase:0x7ff6458d0000
    File size:69'632 bytes
    MD5 hash:E5DA170027542E25EDE42FC54C929077
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:8
    Start time:04:02:58
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5938703 98 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:9
    Start time:04:02:59
    Start date:13/08/2024
    Path:C:\Users\user\AppData\Local\Temp\MSI9DCB.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --def
    Imagebase:0xfe0000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:10
    Start time:04:02:59
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:11
    Start time:04:03:00
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIA388.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5940125 108 ByomCustomAction!ByomCustomAction.CustomActions.VerifyDriverBusy
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:12
    Start time:04:03:00
    Start date:13/08/2024
    Path:C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --list
    Imagebase:0x400000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:13
    Start time:04:03:00
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:14
    Start time:04:03:01
    Start date:13/08/2024
    Path:C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe
    Wow64 process (32bit):false
    Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Imagebase:0x2051b4a0000
    File size:34'984 bytes
    MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:15
    Start time:04:03:01
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:16
    Start time:04:03:01
    Start date:13/08/2024
    Path:C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --list
    Imagebase:0xe30000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:17
    Start time:04:03:01
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:18
    Start time:04:03:02
    Start date:13/08/2024
    Path:C:\Users\user\AppData\Local\Temp\MSIA388.tmp-\sbdrvmgr.exe
    Wow64 process (32bit):false
    Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Imagebase:0x1f144360000
    File size:34'984 bytes
    MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:19
    Start time:04:03:02
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:20
    Start time:04:03:09
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIC74E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5949281 136 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:21
    Start time:04:03:09
    Start date:13/08/2024
    Path:C:\Users\user\AppData\Local\Temp\MSIC74E.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --def
    Imagebase:0x700000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:22
    Start time:04:03:09
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:23
    Start time:04:03:10
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSICBD3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5950437 146 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:24
    Start time:04:03:10
    Start date:13/08/2024
    Path:C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --list
    Imagebase:0xa60000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:25
    Start time:04:03:11
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:26
    Start time:04:03:11
    Start date:13/08/2024
    Path:C:\Users\user\AppData\Local\Temp\MSICBD3.tmp-\sbdrvmgr.exe
    Wow64 process (32bit):false
    Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Imagebase:0x1a6d8a30000
    File size:34'984 bytes
    MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:27
    Start time:04:03:11
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:28
    Start time:04:03:12
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID346.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5952328 172 ByomCustomAction!ByomCustomAction.CustomActions.RemoveDriver
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:29
    Start time:04:03:12
    Start date:13/08/2024
    Path:C:\Users\user\AppData\Local\Temp\MSID346.tmp-\sbdrvmgr.exe
    Wow64 process (32bit):false
    Commandline:"sbdrvmgr.exe" --remove "ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5"
    Imagebase:0x28fc7960000
    File size:34'984 bytes
    MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:30
    Start time:04:03:12
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:32
    Start time:04:03:17
    Start date:13/08/2024
    Path:C:\Windows\SysWOW64\msiexec.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 8C4DFE4B0FD77B464A03913D859715A5
    Imagebase:0x750000
    File size:59'904 bytes
    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:false

    Target ID:33
    Start time:04:03:17
    Start date:13/08/2024
    Path:C:\Windows\System32\msiexec.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\MsiExec.exe -Embedding E7D2AB119D1112766403D568BA232170
    Imagebase:0x7ff6458d0000
    File size:69'632 bytes
    MD5 hash:E5DA170027542E25EDE42FC54C929077
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:false

    Target ID:34
    Start time:04:03:18
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Windows\Installer\MSIE9D2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5958140 141 ByomCustomAction!ByomCustomAction.CustomActions.GetSBUCRunningProcesses
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:35
    Start time:04:03:18
    Start date:13/08/2024
    Path:C:\Windows\Installer\MSIE9D2.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --list
    Imagebase:0x300000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:36
    Start time:04:03:18
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:37
    Start time:04:03:19
    Start date:13/08/2024
    Path:C:\Windows\Installer\MSIE9D2.tmp-\sbdrvmgr.exe
    Wow64 process (32bit):false
    Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Imagebase:0x23f74c20000
    File size:34'984 bytes
    MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:38
    Start time:04:03:19
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:39
    Start time:04:03:20
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Windows\Installer\MSIF3D7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5960671 168 ByomCustomAction!ByomCustomAction.CustomActions.WaitForUnpairDeviceApp
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:40
    Start time:04:03:26
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Windows\Installer\MSIC34.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5966937 176 ByomCustomAction!ByomCustomAction.CustomActions.StopSBUCProcesses
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:41
    Start time:04:03:27
    Start date:13/08/2024
    Path:C:\Windows\Installer\MSIC34.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --list
    Imagebase:0x2f0000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:42
    Start time:04:03:27
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:43
    Start time:04:03:28
    Start date:13/08/2024
    Path:C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe
    Wow64 process (32bit):false
    Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Imagebase:0x21732100000
    File size:34'984 bytes
    MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:44
    Start time:04:03:28
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:45
    Start time:04:03:28
    Start date:13/08/2024
    Path:C:\Windows\Installer\MSIC34.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --list
    Imagebase:0x570000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:46
    Start time:04:03:28
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:47
    Start time:04:03:29
    Start date:13/08/2024
    Path:C:\Windows\Installer\MSIC34.tmp-\sbdrvmgr.exe
    Wow64 process (32bit):false
    Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Imagebase:0x2bdac290000
    File size:34'984 bytes
    MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:48
    Start time:04:03:29
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:49
    Start time:04:03:30
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Windows\Installer\MSI1A8D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5970578 228 ByomCustomAction!ByomCustomAction.CustomActions.SaveDefaultAudioSetting
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:50
    Start time:04:03:30
    Start date:13/08/2024
    Path:C:\Windows\Installer\MSI1A8D.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --def
    Imagebase:0xa40000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:51
    Start time:04:03:31
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:52
    Start time:04:03:32
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Windows\Installer\MSI2339.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5972890 238 ByomCustomAction!ByomCustomAction.CustomActions.SetIsInstallingTrue
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:53
    Start time:04:03:34
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Windows\Installer\MSI2A31.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5974609 445 ByomCustomAction!ByomCustomAction.CustomActions.IsDriverBusy
    Imagebase:0x7ff71e800000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:54
    Start time:04:03:35
    Start date:13/08/2024
    Path:C:\Windows\Installer\MSI2A31.tmp-\DefMic.exe
    Wow64 process (32bit):true
    Commandline:"DefMic.exe" --list
    Imagebase:0x560000
    File size:28'784 bytes
    MD5 hash:F03298C90AB58E72A04E1AA310608B4C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:55
    Start time:04:03:35
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:56
    Start time:04:03:36
    Start date:13/08/2024
    Path:C:\Windows\Installer\MSI2A31.tmp-\sbdrvmgr.exe
    Wow64 process (32bit):false
    Commandline:"sbdrvmgr.exe" --status install ScreenBeamVirtualAudio_aafa5613-1d56-4309-9c3a-c3911d766be5
    Imagebase:0x2ccef050000
    File size:34'984 bytes
    MD5 hash:C7EEAC397EC6B4EC895E89D0E43C652D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:57
    Start time:04:03:36
    Start date:13/08/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:58
    Start time:04:03:37
    Start date:13/08/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Windows\Installer\MSI3619.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5977656 460 ByomCustomAction!ByomCustomAction.CustomActions.DisableCampfilters
    Imagebase:0x7ff7a78a0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

      • Opcode Fuzzy Hash: 43f3f8179f6827dde8eba6aac0048f8f9ae164d5dcbe0c0faeeeb7ce15949ce8
      • Instruction Fuzzy Hash: 92112331B042895FCB57CA79EC1456ABBA6DBC1364B00C4BED049C7292EB319D05CB40
      Memory Dump Source
      • Source File: 00000009.00000002.2316104622.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1800000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8ba497775918317c7574286b9840eb0fa84e3141b40bc31128ef8f155f2d4778
      • Instruction ID: 53db082f747f108b5fe982521e2f7d1918c0978b251c0f154aedf71d7dd3c8a6
      • Opcode Fuzzy Hash: 8ba497775918317c7574286b9840eb0fa84e3141b40bc31128ef8f155f2d4778
      • Instruction Fuzzy Hash: 2BF0823170010DABCF15DAA5D8589EFBBBBEFC8310F008039D605A7294EA32DA1587E1
      Memory Dump Source
      • Source File: 00000009.00000002.2316104622.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1800000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: da4b2c52f338516010bc044db2dc64fe43c5a99c66be6c6bfcdd8fb5eb2d9cf2
      • Instruction ID: e731af86c5985165fb71565865482b5a1a992576f268ae503020bf81af43ecde
      • Opcode Fuzzy Hash: da4b2c52f338516010bc044db2dc64fe43c5a99c66be6c6bfcdd8fb5eb2d9cf2
      • Instruction Fuzzy Hash: FEF0A731A0524DABCB41DE748D595AFBBAADB81304B0AC4ADD40DD7145EA31DB019391
      Memory Dump Source
      • Source File: 00000009.00000002.2316104622.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1800000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c24cb3ca54a08aa94a068d61e0823ec795f2093433d3b5774d9a7b1051d8da2d
      • Instruction ID: 2452e5e77f63c66d2ce8040472393c472b43a116d92c064b127a3fb8867b12f7
      • Opcode Fuzzy Hash: c24cb3ca54a08aa94a068d61e0823ec795f2093433d3b5774d9a7b1051d8da2d
      • Instruction Fuzzy Hash: 5CD05B323548181B45D6A65C6990A9BC69AD9C57647040136B104DB29ACF608E4143D1
      Memory Dump Source
      • Source File: 00000009.00000002.2316104622.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_9_2_1800000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: dcfa56c07375b3c269d798450b14c87bbc887497da301455984881abbbc0e5b9
      • Instruction ID: 4f0c3269f70de92119fa2ea9dcefc9afb9c454f99dc2cb82f82d98becc97dd42
      • Opcode Fuzzy Hash: dcfa56c07375b3c269d798450b14c87bbc887497da301455984881abbbc0e5b9
      • Instruction Fuzzy Hash: DAD067357401198FCF01EFA8D9446DC77B0EB88715F000169E109DB261D77599558B51
      Strings
      Memory Dump Source
      • Source File: 0000000B.00000003.2343719642.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_11_3_7ffd9b4c0000_rundll32.jbxd
      Strings
      Memory Dump Source
      • Source File: 0000000C.00000002.2333343951.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_12_2_d90000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID: $^q$$^q
      • API String ID: 0-355816377
      • Opcode ID: 27945f5207ce7b8874677850fedee351ff49900684e19014081712c1bf894eaf
      • Instruction ID: a2aa475e8a5aeaec05eaf151f2c1de26e270c21eee5defca44557d17bc6caef6
      • Opcode Fuzzy Hash: 27945f5207ce7b8874677850fedee351ff49900684e19014081712c1bf894eaf
      • Instruction Fuzzy Hash: 05218031D0070EDFCF15AFA8D844899F7B5FF45314B0586AAD4096B225EB31E899CBA1
      Strings
      Memory Dump Source
      • Source File: 0000000C.00000002.2333343951.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_12_2_d90000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID: $^q
      • API String ID: 0-388095546
      • Opcode ID: 2005e89389f3eb313b3e81f9f67d4809dd71afa1bf511399dfbbce7dc5e464b7
      • Instruction ID: e2dcc46c76d235cbf0dddee9a671c49f81ea51b1dfedda5dcf21cfb64f401103
      • Opcode Fuzzy Hash: 2005e89389f3eb313b3e81f9f67d4809dd71afa1bf511399dfbbce7dc5e464b7
      • Instruction Fuzzy Hash: 8121E231D0074ADFDF11AF78C8184A9BB71FF45300B098AAED4496F222EB31D895CBA1
      Memory Dump Source
      • Source File: 0000000C.00000002.2333343951.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_12_2_d90000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ca14a88607c73054c68be9387f385456ffd9f433c1586910f9e12679f56e00bd
      • Instruction ID: ccb9001e4c26c2c6c79b6cd1207980e49269e285c33a72b50f7b7d979c87deb1
      • Opcode Fuzzy Hash: ca14a88607c73054c68be9387f385456ffd9f433c1586910f9e12679f56e00bd
      • Instruction Fuzzy Hash: C361AD30A00309CFDF05EFB4E9546AEBBB2BF88704F188569D405AB365DB759C46CBA1
      Memory Dump Source
      • Source File: 0000000C.00000002.2333343951.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_12_2_d90000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 793593ada678cef0c2b1e971693fbbb909ed7ae60ed12fefe510f8dd01c06a43
      • Instruction ID: 9b04916035c257aa8c22b9b26d65f99c427b23dc6f2102eb6573f6bbd5b314f6
      • Opcode Fuzzy Hash: 793593ada678cef0c2b1e971693fbbb909ed7ae60ed12fefe510f8dd01c06a43
      • Instruction Fuzzy Hash: E0516D32E50B06A6E710DFA4CC4579AF371FF99700F61CB1AE6583B191EBB0A1D4C641
      Memory Dump Source
      • Source File: 0000000C.00000002.2333343951.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_12_2_d90000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 111bb4c079d7d30c70c8c6ad734dbf95d588263aebf73b23bef5fb3b2950e8fb
      • Instruction ID: 108106f352d47a4aa46e4c043f26e6bfaeeca6c62de52cb0d37edc522baa7b16
      • Opcode Fuzzy Hash: 111bb4c079d7d30c70c8c6ad734dbf95d588263aebf73b23bef5fb3b2950e8fb
      • Instruction Fuzzy Hash: 22514E32E50B0AA6E710DBA5CC45A9AF371FF99700F61CB16F6583B191EBB0A1D4C681
      Memory Dump Source
      • Source File: 0000000C.00000002.2333343951.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_12_2_d90000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ad0bd566b5eec48bb15d8ac2b29063d832205dd4a1114c360585d6eddaab2063
      • Instruction ID: c11646e28a66c17d8c42f92404e6cbe8bd90bcdf0956769c560016a52e97ad61
      • Opcode Fuzzy Hash: ad0bd566b5eec48bb15d8ac2b29063d832205dd4a1114c360585d6eddaab2063
      • Instruction Fuzzy Hash: 6B417436E0074A9ACF01DFB9C8505DDF7B1FF94304B15C61AE955BB211EB30A696CB90
      Memory Dump Source
      • Source File: 0000000C.00000002.2333343951.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_12_2_d90000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a8476c24f6cb7e002428f46acc04c73ec4805da48f85c243e299f28d35af6f8b
      • Instruction ID: 4b6f7ec1a155794a01bea901cbc887b38bde436db55f3ae6c6ddb37569af7d80
      • Opcode Fuzzy Hash: a8476c24f6cb7e002428f46acc04c73ec4805da48f85c243e299f28d35af6f8b
      • Instruction Fuzzy Hash: 7631D61160D7C40FC712977C64647B9BFA29F83358F1945EAC1C58B6A7C9158C4AC761
      Memory Dump Source
      • Source File: 0000000C.00000002.2333343951.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_12_2_d90000_DefMic.jbxd
      Memory Dump Source
      • Source File: 0000000E.00000002.2336489381.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_14_2_7ffd9b3f0000_sbdrvmgr.jbxd
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID: $^q$$^q
      • API String ID: 0-355816377
      • Opcode ID: 5d4e594bb5d310148675a28504b6fa0396fd15a786204c03e3a2c65c3a37e64e
      • Instruction ID: fc84533e6cde21a7284e13e5bea7a57f493bf147afb77c79fb6559735db1b4cd
      • Opcode Fuzzy Hash: 5d4e594bb5d310148675a28504b6fa0396fd15a786204c03e3a2c65c3a37e64e
      • Instruction Fuzzy Hash: ED219131D00719CFCF149F69D844899FBB4FF85314B058AAEE8196F221EB31E998CB91
      Strings
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID: $^q
      • API String ID: 0-388095546
      • Opcode ID: 82d5b36d965cf57d4012f7692eb542effa03a0d05d6fb608fb738fc95d07ee33
      • Instruction ID: 28ab2cb3fde3ad151eeb46c37894cd26bb10fd776441c249bf4519e6332e01ed
      • Opcode Fuzzy Hash: 82d5b36d965cf57d4012f7692eb542effa03a0d05d6fb608fb738fc95d07ee33
      • Instruction Fuzzy Hash: 9D21D131D00759CFCF159F78C8544A9BBB0FF85300B098AAEE8456F222EB35D994CB90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1cecf39f0791bf0c7150bc04c566e76911afbfddcd030d17c25cd8613930b42a
      • Instruction ID: 44a4f71de39c3e7ca332cd6d71cb28aa88891a3503581ba0c139c37bb5be6520
      • Opcode Fuzzy Hash: 1cecf39f0791bf0c7150bc04c566e76911afbfddcd030d17c25cd8613930b42a
      • Instruction Fuzzy Hash: B061ED30A01316CFCF15DBB5C5146AEBBB2FF89704F4484A9E8069B350DB359C8ACB82
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 178e99ace492b14fe076680f01250cfa39b8bc85ea46b289c5a589452ce60e0d
      • Instruction ID: 600983f0bb8e251e942d5a0c1ca2ecd38b1d8555560102265231c2b2984be3e9
      • Opcode Fuzzy Hash: 178e99ace492b14fe076680f01250cfa39b8bc85ea46b289c5a589452ce60e0d
      • Instruction Fuzzy Hash: C6518132E50B06A6E710DBA5CC45699F371FFEA700F61CB16F6583B191EBB0A1D4C681
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b570b34bb3a5e7443aea9195d25ad36624219681dea8babb13e67100fb8f6a5c
      • Instruction ID: df25038cfa71557adb9869952fc91c42f9461788243f2ba82802f09443eb166b
      • Opcode Fuzzy Hash: b570b34bb3a5e7443aea9195d25ad36624219681dea8babb13e67100fb8f6a5c
      • Instruction Fuzzy Hash: 55515032E50B0AA6E710DBA5CC45699F371FFE9700F61CB16F6583B191EBB0A1D4C681
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9c84e073839e6f7b1589e0db435dca51985bfe44b75749f8e3ed64aa82f2afd5
      • Instruction ID: 425642967c4b9cee7cc1ee6a55dd59abe862951afd9cf078610326819e6e9321
      • Opcode Fuzzy Hash: 9c84e073839e6f7b1589e0db435dca51985bfe44b75749f8e3ed64aa82f2afd5
      • Instruction Fuzzy Hash: A9419432E0074A9ACF05DFB9C8504DDFBB6FF95300B11CA5AD559BB215EB30A596CB80
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: db900a395d285db6739dab12df0fecab494f35aa1700f57c21282ec0f2e9056a
      • Instruction ID: 21acd4f45eaee1bae098bd0797398e39a51c5f5f303becb913972b98f3e40a51
      • Opcode Fuzzy Hash: db900a395d285db6739dab12df0fecab494f35aa1700f57c21282ec0f2e9056a
      • Instruction Fuzzy Hash: 51418F30F4060A9FCF08DB76C9945AEFBB3EFC4304B40C968D10A97255EB31A906CB51
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 51b8cf6ab95dd75c8cf84b1150c7f10f6ba8a336898d41249f9d691069067ae8
      • Instruction ID: 0a7e6a0f108d187567d2b11cdb8a6d47978fa3ea558f57781c71756cd46df03c
      • Opcode Fuzzy Hash: 51b8cf6ab95dd75c8cf84b1150c7f10f6ba8a336898d41249f9d691069067ae8
      • Instruction Fuzzy Hash: 5A4113B1C103598ACB10CFEAC584ADEFFB5AF99300F24852AD419BB215DB756A49CF90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c26529a55385e21d5952ea98a61efc03a5916bc34154de43ca966e843d2ca48e
      • Instruction ID: dec5a00dac6701fcf63fe6bd781137127cf9a5ccf98f35b641aa0102639a513b
      • Opcode Fuzzy Hash: c26529a55385e21d5952ea98a61efc03a5916bc34154de43ca966e843d2ca48e
      • Instruction Fuzzy Hash: C031B532E0164AAADB05DFB9D8804DEFBB6FFD4300F11C66AE545A7211FB30A595C790
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: aab935626fec83644b0024989313c4369900624c6525c860beafc845b3428ed2
      • Instruction ID: f954bdcfee91edc8e2a036d407fed4773d7eac180cfc147509914fffaf4712fd
      • Opcode Fuzzy Hash: aab935626fec83644b0024989313c4369900624c6525c860beafc845b3428ed2
      • Instruction Fuzzy Hash: D34124B1D022589FCB24DFAAC595BDEBFF5AF48300F14802AE419AB251CB355946CF50
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b92f7487f79286fb4076418c712a5c967a4d5bdc8a35d330f41d44e92c22ca1c
      • Instruction ID: bcc604feb82726988005e4597742811853e8a4232dac95b7ace5f6fa4168ad3a
      • Opcode Fuzzy Hash: b92f7487f79286fb4076418c712a5c967a4d5bdc8a35d330f41d44e92c22ca1c
      • Instruction Fuzzy Hash: 334124B1D01258DFCB18DFAAC594BDEBFF6AF48300F24802AE409AB250CB755949CF90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 002405e226d11a8c790c26e1baa9c6d87b723583a0efcb39038fdb190b32ecc0
      • Instruction ID: 178853e45ab5eac149f078035abf6df56d86414ef9bf8bcced46eabc2286387d
      • Opcode Fuzzy Hash: 002405e226d11a8c790c26e1baa9c6d87b723583a0efcb39038fdb190b32ecc0
      • Instruction Fuzzy Hash: 9041E3B1C013598ACB10CFE9C984ADEFBB9AF48300F20851AD419BB211D7756A49CF90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b92f9794e2c88a3a5a9a8165ddd74625ed2199ca80f8a225a2a3ae810a323658
      • Instruction ID: 944dfd208152230b5465023574bfec8fee23315f5ab078bea2fe75351342edd3
      • Opcode Fuzzy Hash: b92f9794e2c88a3a5a9a8165ddd74625ed2199ca80f8a225a2a3ae810a323658
      • Instruction Fuzzy Hash: E43102B1D01258DFCB14DFAAC994BDEBFF6AF48300F24802AE419AB250CB755945CF90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a05424b8b9c1d42c593963043c1c25ef3413cf7097dbbe4fa21c896efc425a2f
      • Instruction ID: e8d371fdd74bb5ec20b92d508e7449310d29ae8ab192c067743d19f9dca1e57e
      • Opcode Fuzzy Hash: a05424b8b9c1d42c593963043c1c25ef3413cf7097dbbe4fa21c896efc425a2f
      • Instruction Fuzzy Hash: F111EB212493C40FD716A37D94601FEBFA7CFC2254F4C48AAC146CB66BCD559C4AC361
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3780c5ad405cefc78249ea5504364064b1c54371a90b3f43ba73d577bb23079d
      • Instruction ID: 11eb3b94b90373938862b204fb66771f196221ea3b688e4c4edaa86e1381b7c2
      • Opcode Fuzzy Hash: 3780c5ad405cefc78249ea5504364064b1c54371a90b3f43ba73d577bb23079d
      • Instruction Fuzzy Hash: 7631F2B1D02258DFCB14DFAAC984BDEBFF5AF48304F14802AE419AB254DB755945CF90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e7de43d2c002bb55f9f291a0623577d2708bfdabaac22d00b2043f4d7893a578
      • Instruction ID: e0f96d5f7ffa117c5070bd29622c5bb827b97c3dc1d2ca5a756af214aac281fa
      • Opcode Fuzzy Hash: e7de43d2c002bb55f9f291a0623577d2708bfdabaac22d00b2043f4d7893a578
      • Instruction Fuzzy Hash: 2C2108346013614BDF16DB71C8102AE7FF3AFC5744F4941AAC84997355DB3A8C8AC382
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 017bff84bfc6d57a5ffd96fd57c8486679087f8f15986f1e231b3ef2b7568eb6
      • Instruction ID: d3bc30b20cefc0432af45933932244c41218cf19c9c29c88a87e6374613a72e1
      • Opcode Fuzzy Hash: 017bff84bfc6d57a5ffd96fd57c8486679087f8f15986f1e231b3ef2b7568eb6
      • Instruction Fuzzy Hash: 0D31E2B1C01258DFCB14DFAAD485BDEBFB5AB48310F24802AE419BB244CB755885CF90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6eb16e04d8f4e46f8b67dbabd6354988de6eb5aa0dff65d2a1ad71fad6deeabf
      • Instruction ID: 8260ec3967f0014cee87b0a75e64bee918e3481a9ba36b2f898a330b7f3787a6
      • Opcode Fuzzy Hash: 6eb16e04d8f4e46f8b67dbabd6354988de6eb5aa0dff65d2a1ad71fad6deeabf
      • Instruction Fuzzy Hash: 1531E3B1C01258DFDB24DFA9D584BDEBFF9AF48310F24802AE419BB250CB759985CB90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bc965b2a2478e26ceb03ff69155a363e3b4edd620c96c5e6ed701f3da108eace
      • Instruction ID: 6510e708f5af7d0c554cb3fcfd2a68dea21ba817d69a6d21e4b09bcb74414e31
      • Opcode Fuzzy Hash: bc965b2a2478e26ceb03ff69155a363e3b4edd620c96c5e6ed701f3da108eace
      • Instruction Fuzzy Hash: 5D31D2B1D01258DFCB24DFA9D484BDEFFF9AF48310F24802AE419AB250CB756985CB90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1f0aed3ee8331f562bb2a5a6fb22fc1a6a1dd96fc0f2d7fadf1820d2364ec74f
      • Instruction ID: ea1dfca44ae7c6cf532648dce88c3cc1a45b0acb2e0ea134a34a647a734e21ae
      • Opcode Fuzzy Hash: 1f0aed3ee8331f562bb2a5a6fb22fc1a6a1dd96fc0f2d7fadf1820d2364ec74f
      • Instruction Fuzzy Hash: 9C21D2B1D01258DFCB14DFAAD485BDEBFF8AF48310F24802AE419BB240CB755845CB90
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1accbd2e1a04e9be7e5c83a5d911ae3c704054f90692b81cfe29554334eb5a6c
      • Instruction ID: cbefa7259f36ccfbd729122cc1a2c43842611d11cda3e3eeb855628e455ce081
      • Opcode Fuzzy Hash: 1accbd2e1a04e9be7e5c83a5d911ae3c704054f90692b81cfe29554334eb5a6c
      • Instruction Fuzzy Hash: 1DF02730A09189AFCB05DBB088A18EEBFB7CF82244784C4D8D444CB216D9368A07CB40
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2f0031119dff6231f646a158e94e5f800d86943c78a01c9a563f341cd1d3fb93
      • Instruction ID: aba73c97f2126e079e368c81631936c16fed03e0b5a8eea46728bc3334ab752c
      • Opcode Fuzzy Hash: 2f0031119dff6231f646a158e94e5f800d86943c78a01c9a563f341cd1d3fb93
      • Instruction Fuzzy Hash: CFF02730A451C56FCB04CB7588918AD7FB7CFC2204309C4DDC049CB106D9368D07D700
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ac8baaec05d5ad7fb31390130555001187ddb3393820e6a02f709400ed1d0d08
      • Instruction ID: 8dc90a3194ff13ca1479ed44ab8e73d914664a6e4d257e8f218ddf787a076de7
      • Opcode Fuzzy Hash: ac8baaec05d5ad7fb31390130555001187ddb3393820e6a02f709400ed1d0d08
      • Instruction Fuzzy Hash: 12F0F870E81209EFCF40EFB8E94559DBBB1EB84204F9095A9D805AB210EB316E958F41
      Memory Dump Source
      • Source File: 00000010.00000002.2340006133.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_16_2_3020000_DefMic.jbxd
      Memory Dump Source
      • Source File: 00000012.00000002.2343538378.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_18_2_7ffd9b3e0000_sbdrvmgr.jbxd
      Memory Dump Source
      • Source File: 00000014.00000003.2419197905.00007FFD9B4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_20_3_7ffd9b4d0000_rundll32.jbxd
      Memory Dump Source
      • Source File: 00000015.00000002.2418409079.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_21_2_1080000_DefMic.jbxd
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 81f066c4ee541a4da74316ce4c2202ae21b0a691c7dba98c4e4942f0dab6a21b
      • Instruction ID: 55b35a78ec9909052a6bbc39cb8b863476acaa53a45f02b50b02757c062c9582
      • Opcode Fuzzy Hash: 81f066c4ee541a4da74316ce4c2202ae21b0a691c7dba98c4e4942f0dab6a21b
      • Instruction Fuzzy Hash: 6F814B20B1EA850FD719BB7854364F9B7E1EF59704B5801FEE08EC72E7DE28A5029385
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d5ebfcbaeb0200b4db5d64be575e3a9ac82b315661deb78b60813efa052328f9
      • Instruction ID: 221883cbe63abaafcb51f08dd6fe0a9d2d01b5eaec830fa3a59a3ee298526ee7
      • Opcode Fuzzy Hash: d5ebfcbaeb0200b4db5d64be575e3a9ac82b315661deb78b60813efa052328f9
      • Instruction Fuzzy Hash: 91515711F1EA9E0FE7B666B808371F93BD1DF8AA54B4601B6D41DC72E3DC186D025342
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bcc5cc4d572fb0c1a83262d4c7287a2a4fbc3c07217a0b01d0a1d8632cc9453c
      • Instruction ID: 8cd951825ca200bc82fa3eb3a9e061c34b7c6120c95521588188b0e90b393921
      • Opcode Fuzzy Hash: bcc5cc4d572fb0c1a83262d4c7287a2a4fbc3c07217a0b01d0a1d8632cc9453c
      • Instruction Fuzzy Hash: 03610920A1F6C51FE71AA77844366FD7FE1EF97604F0940EEE08A8B1E7CE5859069341
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ffcac237a8907b6053012cefc16f417b679c8585f6f4ee85adafd7e800da0ee9
      • Instruction ID: e9b56ff27be63124b7170fc2eebf92d5bedd0f9083b734bd118f82e9a5ea529a
      • Opcode Fuzzy Hash: ffcac237a8907b6053012cefc16f417b679c8585f6f4ee85adafd7e800da0ee9
      • Instruction Fuzzy Hash: 9E51B430A0DA4C8FDB65EF6CD8699E97BE0FF59304B0500BAE449C72A2DA35A841CB41
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 46bd5b06b9daaf85a07a230f03a85f80b55b70ca5bf893a339be5237da81fab3
      • Instruction ID: 54e0e4eda44c29f3f13e9f49c858558230efd09fbfc44bd6c990c2c8f04bbb22
      • Opcode Fuzzy Hash: 46bd5b06b9daaf85a07a230f03a85f80b55b70ca5bf893a339be5237da81fab3
      • Instruction Fuzzy Hash: 9B514B23F0E65A0FE7597BBC68621F57BD0EF41224B0902BBD499C70E7ED0969874381
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1cf21a69b751216e3931fcf939743ec339846810a6be38536d9cc28f91a46876
      • Instruction ID: ac89896c83f366851dbfa61db74fd79ba0b372bff765a1ce6017ea22c77eecab
      • Opcode Fuzzy Hash: 1cf21a69b751216e3931fcf939743ec339846810a6be38536d9cc28f91a46876
      • Instruction Fuzzy Hash: 2B413812B0FA8A0FEBA5B67C14761F93BD1DF89A24B1944FED049C72E3DD089D069341
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8fc86de235d1fff1bb27f07ffd3ba754985638aafc5199f94b53958815021413
      • Instruction ID: 40613aa29ecb03620b7b2003367e6573afc20ad7e2968150a8affa6fb27d7046
      • Opcode Fuzzy Hash: 8fc86de235d1fff1bb27f07ffd3ba754985638aafc5199f94b53958815021413
      • Instruction Fuzzy Hash: 8651D520A0EAC91FD712E7B859764FE7FE0EF5B61070D44EED4C98B2A7C81859079382
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a0ff32e236aaa3937f0191b4d08074c4caf43f8602af2f36dedd8fd5339dd7fc
      • Instruction ID: 1a985dbc9b9a805252803411470d0b315d1aae5e9e3f486340614a8e6eac54ce
      • Opcode Fuzzy Hash: a0ff32e236aaa3937f0191b4d08074c4caf43f8602af2f36dedd8fd5339dd7fc
      • Instruction Fuzzy Hash: 31410511A0FB8A0FE7AAA67848756F53BA1EF56654B0601FBC048CB1E3ED4C69468342
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4e4a4700d2f4a180559367820402566f6321ec554d56ae1a1dd0f8c0a470a310
      • Instruction ID: ede42ac9c3e56c8c082f0dc5cc2eab45f2e6038b370ebe8b790c05cd8b82de3f
      • Opcode Fuzzy Hash: 4e4a4700d2f4a180559367820402566f6321ec554d56ae1a1dd0f8c0a470a310
      • Instruction Fuzzy Hash: 5241CC21B0F6890FE379A6AC5C716B53BE1EF8671072541BFD08CC72E7CE1869069381
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5e390f006c5edfb81e66ab32e019133a033665c78fb1600d89323e00763063ef
      • Instruction ID: eec223ed65d1cb00835cab07393bb4d7831518696b8a41d1f8a98d12fce6c7dd
      • Opcode Fuzzy Hash: 5e390f006c5edfb81e66ab32e019133a033665c78fb1600d89323e00763063ef
      • Instruction Fuzzy Hash: 29410821B0EAC80FDB19BB7854360FC7BE1EF5961875904FED04E8B1D7CE29A5069385
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1e10695742589c4159a5c93268e8f42fc803213b020c6ae9a1c6a938ac7b56a4
      • Instruction ID: ace3c78345a2b124d9931b384f1a3011989fb42bcc4000df4a027ff8e82fa987
      • Opcode Fuzzy Hash: 1e10695742589c4159a5c93268e8f42fc803213b020c6ae9a1c6a938ac7b56a4
      • Instruction Fuzzy Hash: 1C41D53191E7CD4FDB2AABA958655F57FA0EF13329F0401BFE089C31A3CA582516C746
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ff41717561a4c38def914717d258603877d7516bde8028d856dc82805a413148
      • Instruction ID: 48aede9855b60d7165ca96330f916fad0c85fb71db796265190ae6090ef3de3f
      • Opcode Fuzzy Hash: ff41717561a4c38def914717d258603877d7516bde8028d856dc82805a413148
      • Instruction Fuzzy Hash: 0051387091EAC95FE712FB7485724F97FE0EF0A314B1944FCC4898B1A7CA28A902DB01
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f77199d81dc748126d507e22d8ff2fc6eb1cef0d945f2b8177d4f2a4e407a5b4
      • Instruction ID: 2a38c01ed314ab3f2e2f41252e7787a1b1650a005c869940caeecbd0dc0e92f9
      • Opcode Fuzzy Hash: f77199d81dc748126d507e22d8ff2fc6eb1cef0d945f2b8177d4f2a4e407a5b4
      • Instruction Fuzzy Hash: F8315671E0E69C0FD765FBBC88665F97BE0EF4A710B0901BED049D33A2CD2869019790
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c97030a72a98719c72010295d10018f71546178c9a49dc5869286a340766ae20
      • Instruction ID: b40d6de363d4d9428aaf89a2696fb880e39220e6e053ecabe322398e003c88f8
      • Opcode Fuzzy Hash: c97030a72a98719c72010295d10018f71546178c9a49dc5869286a340766ae20
      • Instruction Fuzzy Hash: DF31187060EAC81FE752B7B8597B1F97FE0EF4A11470C44EAC889C72A7C92959079341
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0c406a8dfa62786fa13fb2973be78e35ba3bcff484d396499c44964f28f24cdc
      • Instruction ID: 8cae794fa26802ad5f6292de40fb21d7b7a84f0984e7cc6147d3d61ded9dedf6
      • Opcode Fuzzy Hash: 0c406a8dfa62786fa13fb2973be78e35ba3bcff484d396499c44964f28f24cdc
      • Instruction Fuzzy Hash: 1331C410B2D9850BE71DB7784036AFD67D2EF95308F4980BDF04A872E7CF589506A245
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 742818b5105811763687d0b374019150db5476877188107053b48e6ae101ab0c
      • Instruction ID: 3b4d01301ab92076528f69eb1cf91ec6b1f58defa19ee152e0c1a5e4347b68cf
      • Opcode Fuzzy Hash: 742818b5105811763687d0b374019150db5476877188107053b48e6ae101ab0c
      • Instruction Fuzzy Hash: 2C210670E0A65C4FD764FBBC88569FA7BE0EF49710F0941BEE449D33A2CE2869019791
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4ab672fc4ade6a83ef5fed0cd01a8d34d99e488a00aa08544be40a00050283d1
      • Instruction ID: b9294a2fb720e8cf2046e04151de0b39b7b3004a25671dd93b0ae6e54cda9ecf
      • Opcode Fuzzy Hash: 4ab672fc4ade6a83ef5fed0cd01a8d34d99e488a00aa08544be40a00050283d1
      • Instruction Fuzzy Hash: 4521D63091E6CD4FDBA6AF6848616F93FB0EF06304F1500FBE498C7093DA689955C792
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: dfa5605720e45e6ad66920257003ab36c733040726cb372ac9a2d9a89dd323af
      • Instruction ID: a00fb3517a7f36a947133ef3587793575699c1c496897e2cd8220e65b8b3e833
      • Opcode Fuzzy Hash: dfa5605720e45e6ad66920257003ab36c733040726cb372ac9a2d9a89dd323af
      • Instruction Fuzzy Hash: 78116D20B1D50946E758BB6894A67FD61C1EFC4758F61593DE41FC22F5CD2CE9405282
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9c3c61b416284fc34a2807d19995eed71ed3ebb2a75dcc6cb5efd6f613348127
      • Instruction ID: ed478b70068dc5da271017f1a71bcade80429f96a286202ae57b7202ff32f22a
      • Opcode Fuzzy Hash: 9c3c61b416284fc34a2807d19995eed71ed3ebb2a75dcc6cb5efd6f613348127
      • Instruction Fuzzy Hash: 6C118110B2D9C90AEA1EB7684075BFD66D2EF95304F8A40BCF04E872E7CF5C9506A349
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 73787e7e3e31795cfc448f24f5629eb6e8174edfbc58c290e68c6c57ed3907f9
      • Instruction ID: 69a373947f70b9382f0535e97c47426ae39bf1484c867d53b63bdbef7c475865
      • Opcode Fuzzy Hash: 73787e7e3e31795cfc448f24f5629eb6e8174edfbc58c290e68c6c57ed3907f9
      • Instruction Fuzzy Hash: A4F08611B1FC5F09F27731EC16B62F961C1EB45A2CFA61535D82DC61F2DC28FA522542
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 94547ec82913be0537f37d7870188db38f27d7fb91b4c3fa1775a2697b23d056
      • Instruction ID: 66843396f0fc2407faecc87c320407670da1824d3d2ccc480f4e6be30ea6114a
      • Opcode Fuzzy Hash: 94547ec82913be0537f37d7870188db38f27d7fb91b4c3fa1775a2697b23d056
      • Instruction Fuzzy Hash: A9F0F46070D9C94FD349FB78457A6B6BBD1EF1E21070846EDD49ECB2E7DE2898828301
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bf1a68f9c1d3a87a85940ac658332253110b7e66b33c94fbe019d704371cff47
      • Instruction ID: 05d1d47d63551489a07c923460a289d40ad1160d32cc02cd4fd414d417ae563d
      • Opcode Fuzzy Hash: bf1a68f9c1d3a87a85940ac658332253110b7e66b33c94fbe019d704371cff47
      • Instruction Fuzzy Hash: D2E07D3360F94C5BCB10EA9A7CA04CA3F98FB8D318B01012AF48CC3251E2525511C351
      Memory Dump Source
      • Source File: 00000017.00000003.2438359029.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_23_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 72c44e97a83cb295c0991e1defceb879c013a03840f3963314d460f78b96c672
      • Instruction ID: 1076fd378c65c1e0a62298b13a50bcd28bd062a728fdaf1e331e052d7ce5a2b1
      • Opcode Fuzzy Hash: 72c44e97a83cb295c0991e1defceb879c013a03840f3963314d460f78b96c672
      • Instruction Fuzzy Hash: 06C08C33F1800E8AAF20AAD8A4010FEF3B0EB4432AF004133D62AD2500D62461225BD0
      Strings
      Memory Dump Source
      • Source File: 00000018.00000002.2434930718.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_1270000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID: $^q$$^q
      • API String ID: 0-355816377
      • Opcode ID: f5a36a6e776c8c97dc039c489e333f0896f2a331f1a86d94aaf38946fcf65f7b
      • Instruction ID: 50debdc7c8dd6d4f199854932d6a5aed99e8f94998c5cb987577e58d65e5ac4e
      • Opcode Fuzzy Hash: f5a36a6e776c8c97dc039c489e333f0896f2a331f1a86d94aaf38946fcf65f7b
      • Instruction Fuzzy Hash: F2F01730D01248EFCF01EBB8E96559CBFB0EF49705B5046A9D905E3225EA302A59AB41
      Memory Dump Source
      • Source File: 00000018.00000002.2434930718.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_1270000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 97eeda56df40d5acc6aa80102a14fa59b74e2b8e4a13813c72ea523563fbf76a
      • Instruction ID: c63d1cd784947c24ab9834a4eeb4e435638c655a6c2910175219a1b6933423cb
      • Opcode Fuzzy Hash: 97eeda56df40d5acc6aa80102a14fa59b74e2b8e4a13813c72ea523563fbf76a
      • Instruction Fuzzy Hash: C4F0F83090124CEFCB44FFB8E95559CBFB1EB48705F5046B9D905E7215EA306F48AB40
      Memory Dump Source
      • Source File: 00000018.00000002.2434930718.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_1270000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: eaef662dc46875f6f37527d55167404bceea08965cbeae3d3bc2dfeb9671a6fa
      • Instruction ID: ff99dcfebfae19c688210e731a9c0e612d816e1fcb90d7d5f5381347ee4ac046
      • Opcode Fuzzy Hash: eaef662dc46875f6f37527d55167404bceea08965cbeae3d3bc2dfeb9671a6fa
      • Instruction Fuzzy Hash: 22E0DF31B0110DBBCB14DFB4DD10C6EBBEEDF84304740C1A8E908CB211EA31EA05AB90
      Memory Dump Source
      • Source File: 00000018.00000002.2434930718.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_1270000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c6756116c4aa9ac97ca601dd657e670c09966ec52faaa85e4f5db2fed0bb4d6a
      • Instruction ID: dc24f0412dd9f62944e9c973e4a7cd3954b5a248adcd52127ecbc7982359f39f
      • Opcode Fuzzy Hash: c6756116c4aa9ac97ca601dd657e670c09966ec52faaa85e4f5db2fed0bb4d6a
      • Instruction Fuzzy Hash: CBE0C21138CB950FC303A7AC64B005ABBE28EC6B11B4901ABD244CB26AED549E4983D2
      Memory Dump Source
      • Source File: 00000018.00000002.2434930718.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_1270000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9da00dde79129ef7a44d441055f82ecab4cb262550ab56b5a51b973b0f1f6bdc
      • Instruction ID: e33b1359ecb7a07eb28e4a891d20db085e7281ca4133865d3100850aaeb9e44e
      • Opcode Fuzzy Hash: 9da00dde79129ef7a44d441055f82ecab4cb262550ab56b5a51b973b0f1f6bdc
      • Instruction Fuzzy Hash: CED09E35740119CFCF00EFA8D5445DC77B0EF89715F000169E209DB270D7B59855CB55
      Strings
      Memory Dump Source
      • Source File: 0000001A.00000002.2437799315.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_26_2_7ffd9b3d0000_sbdrvmgr.jbxd
      Similarity
      • API ID:
      • String ID: 87|$6|$6|
      • API String ID: 0-2542210095
      • Opcode ID: 688e08730d5379605d4d031416cb45ecc5481a02b91fcb61221749cbb8aa1778
      • Instruction ID: 4028dada9572fe7279e6782f314c177b22e0355c969011b9d199b6bdd7e41074
      • Opcode Fuzzy Hash: 688e08730d5379605d4d031416cb45ecc5481a02b91fcb61221749cbb8aa1778
      • Instruction Fuzzy Hash: 77E16B62A0FBC91FE372E6A818312666BA5DFC2750B1903FFD48CC71EBD81A5D068341
      Strings
      Memory Dump Source
      • Source File: 0000001A.00000002.2437799315.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_26_2_7ffd9b3d0000_sbdrvmgr.jbxd
      Similarity
      • API ID:
      • String ID: 7|$(7|$07|
      • API String ID: 0-555926144
      • Opcode ID: debc5afd6fa94256619147d9b4f9e5cbdf644500d23b246ee2244d733ba85205
      • Instruction ID: 3097c5a90a72d0658ae1b901d78d9b01afc87427234b0830a21b80aaa6927b58
      • Opcode Fuzzy Hash: debc5afd6fa94256619147d9b4f9e5cbdf644500d23b246ee2244d733ba85205
      • Instruction Fuzzy Hash: 31315770A0E7495FE765EBB4442A6A97BE0EF45720F0500FEC44ECB2A2D92E5C4AC342
      Strings
      Memory Dump Source
      • Source File: 0000001C.00000003.2449866272.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_28_3_7ffd9b4b0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: 2B_I
      • API String ID: 0-979045943
      • Opcode ID: 3548399d0bdfcddcb6d90d23ff558d4a5bf4f9b7b15c0670dd5e9a50d30879ca
      • Instruction ID: 11e067891341da6e8c45b063100f4fe64c06db6e28d798b620289cf021b643ed
      • Opcode Fuzzy Hash: 3548399d0bdfcddcb6d90d23ff558d4a5bf4f9b7b15c0670dd5e9a50d30879ca
      • Instruction Fuzzy Hash: CB527A63B1F6D50FEB3596AC186517C6BE2EF85364B1940FBE088871FBE814AD02E741

      Execution Graph

      Execution Coverage:17.3%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:27.3%
      Total number of Nodes:11
      Total number of Limit Nodes:1

      Callgraph

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 0000001D.00000002.2449618811.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_29_2_7ffd9b400000_sbdrvmgr.jbxd
      Similarity
      • API ID: DevicePropertyRegistrySetup
      • String ID:
      • API String ID: 3249385096-0
      • Opcode ID: 1caac1f024765b290f1ffc132cd436a3d9a518c9f585486ef526196cfb003c52
      • Instruction ID: 870ed9c41395c64a2abf3964eaf881480ca943b7a8ccaeb4dc98b78440fd4d9a
      • Opcode Fuzzy Hash: 1caac1f024765b290f1ffc132cd436a3d9a518c9f585486ef526196cfb003c52
      • Instruction Fuzzy Hash: E4411431A0D78C8FDB14DF59D8456E87BF0EF9A310F0442AFE088D3252CA74A846C781

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph: nodes 10 to 129, starting at 7ffd9b4012e9-7ffd9b401311; includes a call to SetupDiGetClassDevsExW (node and edge list omitted)
      Memory Dump Source
      • Source File: 0000001D.00000002.2449618811.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_29_2_7ffd9b400000_sbdrvmgr.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 19c6f4e434655b2937853a4717ad4556d4ce61473bb68c025f3ba429d22bfbcd
      • Instruction ID: b680183e0a03054a87fb7eded37cf1ff13ca7a1d3d42de550569c630b94776f6
      • Opcode Fuzzy Hash: 19c6f4e434655b2937853a4717ad4556d4ce61473bb68c025f3ba429d22bfbcd
      • Instruction Fuzzy Hash: 75F11C31E0E7894FE7799B5898266B57BD0EF57318F0501BEE4C9C71E3DE18690A8382

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 130 7ffd9b401d11-7ffd9b401d1d 131 7ffd9b401d28-7ffd9b401e03 SetupDiGetDeviceRegistryPropertyW 130->131 132 7ffd9b401d1f-7ffd9b401d27 130->132 136 7ffd9b401e0b-7ffd9b401e3a 131->136 137 7ffd9b401e05 131->137 132->131 137->136
      APIs
      Memory Dump Source
      • Source File: 0000001D.00000002.2449618811.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_29_2_7ffd9b400000_sbdrvmgr.jbxd
      Similarity
      • API ID: DevicePropertyRegistrySetup
      • String ID:
      • API String ID: 3249385096-0
      • Opcode ID: 256c46bdcaf3613b271617bcceb83517e46c76e779738843c14d268e1fe05d71
      • Instruction ID: c9f27eb2466f6abef5f6692f6847c479d7bdfcac4ce775d057490d8e411cfdef
      • Opcode Fuzzy Hash: 256c46bdcaf3613b271617bcceb83517e46c76e779738843c14d268e1fe05d71
      • Instruction Fuzzy Hash: 8241C430A0CA5C9FDB58DF58D845AE9BBE0FF59325F04426FE049D3692CB74A841CB81

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 139 7ffd9b401e3d-7ffd9b401e49 140 7ffd9b401e4b-7ffd9b401e53 139->140 141 7ffd9b401e54-7ffd9b401ee2 SetupDiDestroyDeviceInfoList 139->141 140->141 145 7ffd9b401eea-7ffd9b401f18 141->145 146 7ffd9b401ee4 141->146 146->145
      APIs
      Memory Dump Source
      • Source File: 0000001D.00000002.2449618811.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_29_2_7ffd9b400000_sbdrvmgr.jbxd
      Similarity
      • API ID: DestroyDeviceInfoListSetup
      • String ID:
      • API String ID: 271767589-0
      • Opcode ID: e5382d64b7f304784662b31c223b14710ee828d65cc655cd32829ece5f5442e0
      • Instruction ID: a4ec63a5e1f8922ec9d2378559763ebea2bdb203ef91fdf4ab1b5cff1f458501
      • Opcode Fuzzy Hash: e5382d64b7f304784662b31c223b14710ee828d65cc655cd32829ece5f5442e0
      • Instruction Fuzzy Hash: CF31E73190CA4C9FDB58DB58C855BF97BE0FF56321F04426ED049C3592DB74A855CB81
      Strings
      Memory Dump Source
      • Source File: 00000022.00000003.2519573166.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_34_3_7ffd9b4b0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: 2B_I
      • API String ID: 0-979045943
      • Opcode ID: e71f96a3bd61ee8da6f1b9b7c48f29e8609003c4452c2ea62ad3ee6c944280db
      • Instruction ID: 25fd557e6b87cb91dd003e3aba9fc48142ed9455fecc50160af37c3b4e7db472
      • Opcode Fuzzy Hash: e71f96a3bd61ee8da6f1b9b7c48f29e8609003c4452c2ea62ad3ee6c944280db
      • Instruction Fuzzy Hash: 25527A63B1F6D50FEB3596AC586517C6BA2EF85364B1900FBE08C871FBE814AD02E741
      Strings
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID: $^q$$^q
      • API String ID: 0-355816377
      • Opcode ID: 6f6ec37745f0f47119253770864f2435e997aee7037b3ad3a8d4b80533d6e0a7
      • Instruction ID: ee4a83594ee5b7641e3c38d6bfa9fc987f27955dec068e0b97459de1a1923497
      • Opcode Fuzzy Hash: 6f6ec37745f0f47119253770864f2435e997aee7037b3ad3a8d4b80533d6e0a7
      • Instruction Fuzzy Hash: C721B131D10719CFCF15AF79D88489AF7B4FF45304B0586AED4096B226EB31E888CB90
      Strings
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID: $^q
      • API String ID: 0-388095546
      • Opcode ID: 0eaebd80b1c49cfc79f8069638bf676061886d7ccd9585c15a8fcce128adfedb
      • Instruction ID: 50a753dcc41a73c6ee17c6a3dbcefbc2517b7338c71707d3f449eb8f447e5664
      • Opcode Fuzzy Hash: 0eaebd80b1c49cfc79f8069638bf676061886d7ccd9585c15a8fcce128adfedb
      • Instruction Fuzzy Hash: E621E231904799CFCF119F78C8948AABB71FF45300B058AAED4496F262EB31D888CB91
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 11355de7e4b0807b18411a81638708a89470b1a6dbee51808b607377afa959d7
      • Instruction ID: 0e89777199b5199da74335f49b09f9974315473d038885a15087939ce1a62076
      • Opcode Fuzzy Hash: 11355de7e4b0807b18411a81638708a89470b1a6dbee51808b607377afa959d7
      • Instruction Fuzzy Hash: B631E3B1D10258DFDB24CFAAC484ADEBFF5EF48314F24802AE419AB251CB756885CB94
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 61e766f30dfa5eaaa3e4a19453c0bf96e30561c338ff9b9185bf8eab6d132071
      • Instruction ID: 78e92aa6e99429b4832381529a72e685c2ff12ee6b1bed3104b28694c0eb5f39
      • Opcode Fuzzy Hash: 61e766f30dfa5eaaa3e4a19453c0bf96e30561c338ff9b9185bf8eab6d132071
      • Instruction Fuzzy Hash: F521D2B1D00258DFDB14DFAAD484BDEBFF8AF48314F64802AE419AB251CB755885CB94
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 952612528f92b4d94170e3f07fc8f543a3e1d73d9c90fa0e4a9dca90968e13b9
      • Instruction ID: 27b9d353cc68ce0b03e47ab80d850d9cd4619300f219b0d965c5a87dd72bd091
      • Opcode Fuzzy Hash: 952612528f92b4d94170e3f07fc8f543a3e1d73d9c90fa0e4a9dca90968e13b9
      • Instruction Fuzzy Hash: E8F08230609288EFCB42CFB08D61D6DBFA6DF45204745C2AED405CB262D9318A078B61
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a994cc1cbf722ad8f1e239e51cad209df5a0a4f364131f87ea49292a6930c487
      • Instruction ID: 8e9f7d674393e248c3e70331d784ae60d0d982a4c628bce22916d2c33dcfc7c9
      • Opcode Fuzzy Hash: a994cc1cbf722ad8f1e239e51cad209df5a0a4f364131f87ea49292a6930c487
      • Instruction Fuzzy Hash: 2BF0A7306093899FC742CF758D619697FB6CFC2304705C1EED449DB152DD308E069751
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d0f78761e8502cfa620bac42bcb1cbbcaed7538646b0c7d041c0890e3ce49fc3
      • Instruction ID: 4a65418c9424ffdf500968ecddbebd31b900bcf67bc220348b54096a4250219b
      • Opcode Fuzzy Hash: d0f78761e8502cfa620bac42bcb1cbbcaed7538646b0c7d041c0890e3ce49fc3
      • Instruction Fuzzy Hash: 6BF09A30914248EFCB42EFB8E99558CBFB0EB84309B6086BDC405E7324DB301F188B41
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7c3f9f0fb22fad5d2cd6c1a238e2f97f1abf81619f8aa02cd8a68c4d19daa04c
      • Instruction ID: 728dc46de872c2263ff4afb92b80bef6388450367c618a1d93dd9a75ad185720
      • Opcode Fuzzy Hash: 7c3f9f0fb22fad5d2cd6c1a238e2f97f1abf81619f8aa02cd8a68c4d19daa04c
      • Instruction Fuzzy Hash: FBF0F830911248EFCB41EFB8E98569DBBB1EB84309F6085A9D405A7364EA316F489B41
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 58e277201382e548e6a60e3f3b1213cdfe065e9bda609ec98e99bf28e6faa2c7
      • Instruction ID: 964a5db8da2006b857a33473d7e6b5db181bf3a1014e985a216e2a522e090839
      • Opcode Fuzzy Hash: 58e277201382e548e6a60e3f3b1213cdfe065e9bda609ec98e99bf28e6faa2c7
      • Instruction Fuzzy Hash: 38E09A31B0120CABCB00DFB1C900E6EBBEBDB84304B40C0A9E5088B210EA31DA069B90
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 85bc6566ca934deb5ee6c9fb0c39bfab0b1e0da80b6599ae1cfc6d7fd438dd2a
      • Instruction ID: 990e821328d4261c09d239d62b9f4b9ceae9799fbc5ecd4d46fec5619b839006
      • Opcode Fuzzy Hash: 85bc6566ca934deb5ee6c9fb0c39bfab0b1e0da80b6599ae1cfc6d7fd438dd2a
      • Instruction Fuzzy Hash: C6E0C22224CBD00FC313A73D5450098ABE2EDC531074642BBC044C729ACF689C4A87E2
      Memory Dump Source
      • Source File: 00000023.00000002.2515580609.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_35_2_2420000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1214461495efba30d92289a81a89fea284561f077610c660d6757ed91032b6d2
      • Instruction ID: a7788264b8ae044133383b50572d4c31be5a1a26c7bb9f16dca5acf9aecc8011
      • Opcode Fuzzy Hash: 1214461495efba30d92289a81a89fea284561f077610c660d6757ed91032b6d2
      • Instruction Fuzzy Hash: 96D09E35740129CFCF00EFA8D5446DC77B0EF98715F000069E109DB270D7759855CB51
      Memory Dump Source
      • Source File: 00000025.00000002.2519212648.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_37_2_7ffd9b410000_sbdrvmgr.jbxd
      Strings
      Memory Dump Source
      • Source File: 00000027.00000003.2582131866.00007FFD9B4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_39_3_7ffd9b4c0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: 2A_I
      • API String ID: 0-941469806
      Strings
      Memory Dump Source
      • Source File: 00000028.00000003.2617020229.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_40_3_7ffd9b4b0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: 2B_I$;4B_^
      • API String ID: 0-2737990438
      Similarity
      • API ID:
      • String ID: ;4B_^
      • API String ID: 0-619533793
      Similarity
      • API ID:
      • String ID: ,
      • API String ID: 0-3772416878
      Memory Dump Source
      • Source File: 00000028.00000003.2617020229.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_40_3_7ffd9b4b0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8bdb8357729ffb55c3eec5c9f1aeb90abe7c32fc4c34f2d32969b08034ba96fc
      • Instruction ID: ddd86ab4e737abe4d8bf41226cc2b3465c728ec09ca0b4e69296d817f32eee31
      • Opcode Fuzzy Hash: 8bdb8357729ffb55c3eec5c9f1aeb90abe7c32fc4c34f2d32969b08034ba96fc
      • Instruction Fuzzy Hash: 9331A430B19A2C4FDB58EBACC865AED77F1EF59314F45417AE40AD32A2CD24AD11CB90
      Memory Dump Source
      • Source File: 00000028.00000003.2617020229.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_40_3_7ffd9b4b0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b1dba0b1a9c496924adeac3f42183ca58ce6e0201dac9fc78280d909e321eec9
      • Instruction ID: cabc5230d8ff1979972753496cc26b66adc57663c4fb59f6f4ba2d55cb73824a
      • Opcode Fuzzy Hash: b1dba0b1a9c496924adeac3f42183ca58ce6e0201dac9fc78280d909e321eec9
      • Instruction Fuzzy Hash: 5711251170F79E0FE766537C18752A93FE19F8A260F5A44F7D588CB1A3E5184C469342
      Memory Dump Source
      • Source File: 00000028.00000003.2617020229.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_40_3_7ffd9b4b0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5125e4beda2f2a2023084ae2f7e465101af4ef09ddfcc97538f8df38904961f7
      • Instruction ID: 50b78c50aaca7054e02e9382d3c59c055d8e1d1257d2e29ec1b920c6c31eb0a3
      • Opcode Fuzzy Hash: 5125e4beda2f2a2023084ae2f7e465101af4ef09ddfcc97538f8df38904961f7
      • Instruction Fuzzy Hash: 2901AD30619A4E8FD74AEF68D9615EA77B1FF4A304B9644A5D80DCB2B2C931AD12DB00
      Memory Dump Source
      • Source File: 00000028.00000003.2617020229.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_40_3_7ffd9b4b0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 37de6ea51b29f68b9554aa767da9366510e920a03ff0599fd17ec3212d30893a
      • Instruction ID: b694ae81bdcd4a8f6a3012ea2b23b075360735b09d77eae9e7c057c66cae7d1b
      • Opcode Fuzzy Hash: 37de6ea51b29f68b9554aa767da9366510e920a03ff0599fd17ec3212d30893a
      • Instruction Fuzzy Hash: 7E01283050E6C24FD327977888B1A647FA0DF07214B0E02EAD094CB1F3D95DA846C752
      Memory Dump Source
      • Source File: 00000028.00000003.2617020229.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_40_3_7ffd9b4b0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f14fdccdeb1b91b64197b96a4158ca94c38593c210c95f9a2cf1cbefce8e943f
      • Instruction ID: 5fd56e2cdba77fee29d982ccd8e4105f27dfa6289c23d63f15cb53f4bdc19382
      • Opcode Fuzzy Hash: f14fdccdeb1b91b64197b96a4158ca94c38593c210c95f9a2cf1cbefce8e943f
      • Instruction Fuzzy Hash: 11F06211B1AC7E05F27611EA16652BD2185AB4522CFA60536DA2DC61F2DC08EA522D51
      Memory Dump Source
      • Source File: 00000028.00000003.2617020229.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_40_3_7ffd9b4b0000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c176c493c913130632a958d06bd99830177f7ebe8e1f3a7ff2efe9b86cb88668
      • Instruction ID: 482f06afbf8c7f7d01d337c2106e2a8d71e3c13c79eb3284e2e96b3e8398fbe8
      • Opcode Fuzzy Hash: c176c493c913130632a958d06bd99830177f7ebe8e1f3a7ff2efe9b86cb88668
      • Instruction Fuzzy Hash: CCE07D3260F94C5BCB10EA9A7C604CA3F98FF8D318B01012AF48CC3251E2125511C755
      Strings
      Memory Dump Source
      • Source File: 00000029.00000002.2602163616.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_41_2_a90000_DefMic.jbxd
      Memory Dump Source
      • Source File: 0000002B.00000002.2606142292.00007FFD9B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_43_2_7ffd9b3d0000_sbdrvmgr.jbxd
      Memory Dump Source
      • Source File: 0000002D.00000002.2611621957.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_45_2_1020000_DefMic.jbxd
      Memory Dump Source
      • Source File: 0000002F.00000002.2616670225.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_47_2_7ffd9b410000_sbdrvmgr.jbxd
      Memory Dump Source
      • Source File: 00000031.00000003.2637142463.00007FFD9B490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B490000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_49_3_7ffd9b490000_rundll32.jbxd
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      • Instruction ID: e3ea5f25ef321e0053a83d05f54192c80d04192e54b4ae4ab92cdc6b3eee6ce8
      • Opcode Fuzzy Hash: 6f4da6074f8c8e22cf57f96e1f21f9768d5aa903da8a8a65f18245efc90f9bd8
      • Instruction Fuzzy Hash: AE4135B1D00248AFCB14DFAAD594BDEBFF5AF49308F24802AE518AB250DB355945CF90
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bf7c698fb7c304c1c70b85f73f5ed4fce1232d66d3056ed3885c53d4dbdca006
      • Instruction ID: 0bb7d029f09c788493b0b0879d61d47754c40f2d3add173394be951c4d8eebb9
      • Opcode Fuzzy Hash: bf7c698fb7c304c1c70b85f73f5ed4fce1232d66d3056ed3885c53d4dbdca006
      • Instruction Fuzzy Hash: FE4145B1D00248DFDB14DFAAD995BDEBFF5AF48308F10802AE509AB250EB345945CF90
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0da73d1009416656d6e994f7be15d9aa88831ca1c4d912370be4356b8152a849
      • Instruction ID: 80d6314cf1ccda3ac1f4330165ff5109232fee98bfe737fa33281b10e39303e9
      • Opcode Fuzzy Hash: 0da73d1009416656d6e994f7be15d9aa88831ca1c4d912370be4356b8152a849
      • Instruction Fuzzy Hash: 654104B1D0035DDACB14DFAAC994ADEFBB5BF48304F20812AD519BB244EB706A45CF90
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cf5dc48cabe52c45360d9c932917c9b1be97a2d0664d6610063aef799bbfb1cc
      • Instruction ID: 45abaabd3bd130fc6708642a269a67aa26bb0d57e0421197886a63796cbadca0
      • Opcode Fuzzy Hash: cf5dc48cabe52c45360d9c932917c9b1be97a2d0664d6610063aef799bbfb1cc
      • Instruction Fuzzy Hash: F13114B1D01208DFDB14DFAAD994BDEBFF6AF48304F20802AE519AB254DB745945CF90
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b330a054dd7072f5669975b23d9b5fced3c217e3a949fd5fa819a62bcfd06f9b
      • Instruction ID: 0227a4d5fef9a98d9b63f7058e1c6dcbc9c778a2d132de518bfbd9be3c12135e
      • Opcode Fuzzy Hash: b330a054dd7072f5669975b23d9b5fced3c217e3a949fd5fa819a62bcfd06f9b
      • Instruction Fuzzy Hash: C93132B1D01248DFDB14DFAAD995BDEBFF5AF48308F10802AE509AB250DB345945CF90
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: eb1b1b5a5117e29b9bc29c865f2b3c04e6fba81a4c5fad7a66083aa57d74c3ad
      • Instruction ID: 072ac2c1d2c6cdb500a5762748d1ec54475f3af0ab1de9150326c62233015c65
      • Opcode Fuzzy Hash: eb1b1b5a5117e29b9bc29c865f2b3c04e6fba81a4c5fad7a66083aa57d74c3ad
      • Instruction Fuzzy Hash: 2AF0243024C3C00FC726533C95A06FA7FF99F87358F0904AFD282CA9A2C5516849C322
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ef73503b39e21cf8d28918c274296ddee8f6e198cd29492b074597c94dfdb039
      • Instruction ID: 0a2d7c81f926b6cf8d0f426975f0c09ec736c3f93e5d5ba8cd471cda95b22e0a
      • Opcode Fuzzy Hash: ef73503b39e21cf8d28918c274296ddee8f6e198cd29492b074597c94dfdb039
      • Instruction Fuzzy Hash: 31F0273064C3800EC766533C51D05FB7FF99FC7218B0904AFD242C79A3D9A1584AC311
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4aea22a9e41a06363c403383a8f67dc5138486b3d530b84d2b1bc62ec4098088
      • Instruction ID: e56b9bbd6f4a9b29a496184444123238f239d664e6e46d400c77ef48cc1924b9
      • Opcode Fuzzy Hash: 4aea22a9e41a06363c403383a8f67dc5138486b3d530b84d2b1bc62ec4098088
      • Instruction Fuzzy Hash: 2921F631A003815FEF1A977484502EF7FB2AFC6708F0445AEDA4997766EB369807C382
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 33cf26630331b65efe28b77c7493c50c7bfee1a49bb22c78d2983d4a8b63363d
      • Instruction ID: 1f427cbe07697916ea4c888fb9639fb33fc5db522cb1bb6a751ccb56b6d41a59
      • Opcode Fuzzy Hash: 33cf26630331b65efe28b77c7493c50c7bfee1a49bb22c78d2983d4a8b63363d
      • Instruction Fuzzy Hash: C131F4B1D002589FDB24DFAAD494BDEBFF9AF48314F24802AE519AB240DB746845CF90
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2014d4965e7120e5a0accd3f6bf231d66205fd8dfe823e71cf80753766fc00b1
      • Instruction ID: 8354f772a796537b10ae82292947d00913c87c2e79ac87fef4cedcab8d0ebd4d
      • Opcode Fuzzy Hash: 2014d4965e7120e5a0accd3f6bf231d66205fd8dfe823e71cf80753766fc00b1
      • Instruction Fuzzy Hash: FC21D3B1D00258DFDB14DFAAD494BDEBFF8AF08314F24802AE559AB254DB745845CF90
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8974da1cdfb3e3ecd4ef7025dc1a3227a5ffb91a6bcb363ca8ef025085e3a87f
      • Instruction ID: ca6a834633550a7193b0c88afb44b7bf2a3c7e45850fc5d9ce154fd6bdf7301e
      • Opcode Fuzzy Hash: 8974da1cdfb3e3ecd4ef7025dc1a3227a5ffb91a6bcb363ca8ef025085e3a87f
      • Instruction Fuzzy Hash: 7511C431704385AFDB25DB79E4545AEBFB6EFC2314B14C5BED049C7255EA32980ACB40
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c0e4296fc581696cb6604400c53ee6a72db5ecc94ce34ad8277b5f16a3288a2f
      • Instruction ID: 0234b18e7199469ef118c470dc54c268e72700728a1d1d7585d8ecd61b0b5660
      • Opcode Fuzzy Hash: c0e4296fc581696cb6604400c53ee6a72db5ecc94ce34ad8277b5f16a3288a2f
      • Instruction Fuzzy Hash: 64F02731A0424CABC704DF748D9199BBFFADB82208B09C0ECD408C7105E931DA059380
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a2fc7b76c1b9ef8c05049d75df362cca38814753f423f9f94f22e87767a4b021
      • Instruction ID: 2fce639fa7d28dc165e009b11f624c96a25c3d65c8094fc3b25ecb1039237cb7
      • Opcode Fuzzy Hash: a2fc7b76c1b9ef8c05049d75df362cca38814753f423f9f94f22e87767a4b021
      • Instruction Fuzzy Hash: 03E086212497E41EC706B77C14608E76FB69DCB71871811EBE180CB26ACD518D05D3E5
      Memory Dump Source
      • Source File: 00000032.00000002.2635713752.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_50_2_13b0000_DefMic.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 61303e71518fa0d87665a9347d414d00281e452189080d9d7edcd59bcd994761
      • Instruction ID: 1e12c7971c7a76d588975c20179640c04e2f83b39ab628b87f429cbaee2be007
      • Opcode Fuzzy Hash: 61303e71518fa0d87665a9347d414d00281e452189080d9d7edcd59bcd994761
      • Instruction Fuzzy Hash: CCD09E35740119CFDF04EFA8D5445DC77B4EF88715F000169E209DB670D7759855CB51