
Windows Analysis Report
getscreen-868841125.exe

Overview

General Information

Sample name: getscreen-868841125.exe
Analysis ID: 1550005
MD5: 9a5c564f4095f7232dc6d422e12689fe
SHA1: ac6f4faa193de3e332faea713335f7596219b2ce
SHA256: c9a8360c43e59b41a21c155be136a6a3d9b75519a200607277ef2de2e17057a5
Tags: exe, user-cisdemo
Infos:

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 62
Range: 0 - 100

Signatures

Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Tries to disable installed Antivirus / HIPS / PFW
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • getscreen-868841125.exe (PID: 6460 cmdline: "C:\Users\user\Desktop\getscreen-868841125.exe" MD5: 9A5C564F4095F7232DC6D422E12689FE)
    • getscreen-868841125.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97mtndswofgjjkzzi -gui MD5: 9A5C564F4095F7232DC6D422E12689FE)
    • getscreen-868841125.exe (PID: 384 cmdline: "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96jbkhndtrtyjfwyx -cmem 0000pipe0PCommand96jbkhndtrtyjfwyxgm1mii67kk80a3y -child MD5: 9A5C564F4095F7232DC6D422E12689FE)
  • cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe (PID: 572 cmdline: "C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe" -elevate \\.\pipe\elevateGS512cuvzruqaiugsbcrywmwtwnufwuzsdlu MD5: 9A5C564F4095F7232DC6D422E12689FE)
  • svchost.exe (PID: 6552 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1532 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: getscreen-868841125.exe PID: 6460 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
    Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 6552, ProcessName: svchost.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-11-06T10:36:14.380599+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.5 | 49712 | TCP
    2024-11-06T10:36:53.152496+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.5 | 49913 | TCP


    Compliance

    Source: getscreen-868841125.exeStatic PE information: certificate valid
    Source: getscreen-868841125.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: secur32.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED36E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemprox.pdbb.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDFBB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDBDD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB5A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb64.dll( source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED374000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE40D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDD52000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD24000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE407000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB54000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE774000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\powrprof.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-868841125.exelib.pdb* source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: <;top\symbols\dll\samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92DD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92B0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE401000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDEC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-868841125.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider64.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SleepExen-868841125.exellnt.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE2C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbidb8 source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92DD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE07C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MMDevAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEA14000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NtDelayExecutionnkexegdiplus.pdb: source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-868841125.exepdb.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB89000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE0E1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE895000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\netutils.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED362000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\propsys.pdbb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE11000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-868841125.pdbm source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEB7F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEE3D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED38F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\iphlpapi.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WindowManagementAPI.pdbx source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: $.0x140D5D2E2841125.exeObjectsE.pdb? source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE323000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB3C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB8F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEB7F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDFB5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDF5A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-868841125.pdbF source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: getscreen-868841125.exesExgr32.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDBDD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\InputHost.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDFBB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb.pdbb` source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\comctl32.pdbb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDCF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE0B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB77000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDABE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB71000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB60000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEA14000.00000004.00000020.00020000.00000000.sdmp
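The "Binary string: <name>.pdb" entries above are raw string hits over memory dumps, which is why garbled fragments sit next to real paths. The CodeView record that a linker writes into the PE debug directory is more useful to an analyst: it carries the exact PDB path plus the GUID and age that make up the symbol-server key, and a full directory path like the one for getscreen.pdb fingerprints the build workspace. The following is an added example, not Joe Sandbox's or Getscreen.me's code; the buffer is constructed, the build path is the one the report shows for the sample, and the GUIDs and ages are made up.

```python
"""Recover CodeView (RSDS) debug records from a memory dump or PE image."""
import re
import struct
import uuid
from dataclasses import dataclass

# CodeView PDB 7.0 record layout: b"RSDS" | GUID (16 bytes, Windows GUID byte
# order) | age (u32, little-endian) | NUL-terminated PDB path.
_RSDS = re.compile(rb"RSDS")
MAX_PATH = 4096

_GUID_SAMPLE = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made up
_GUID_NTDLL = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")   # made up
# Constructed buffer: filler, the sample's record, filler, a system DLL record.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"RSDS" + _GUID_SAMPLE.bytes_le + struct.pack("<I", 3)
    + b"C:\\Github-runner\\_work\\agent-windows\\agent-windows\\console\\x64\\Release\\getscreen.pdb\x00"
    + b"\xcc" * 16
    + b"RSDS" + _GUID_NTDLL.bytes_le + struct.pack("<I", 1) + b"ntdll.pdb\x00"
    + b"\x00" * 8
)


@dataclass(frozen=True)
class CodeViewRecord:
    offset: int
    guid: uuid.UUID
    age: int
    pdb_path: str

    @property
    def file_name(self) -> str:
        return self.pdb_path.replace("\\", "/").rsplit("/", 1)[-1]

    @property
    def symbol_key(self) -> str:
        """Symbol-server lookup path: <file>/<GUID hex, upper-case><age hex>/<file>."""
        return f"{self.file_name}/{self.guid.hex.upper()}{self.age:X}/{self.file_name}"

    @property
    def is_build_path(self) -> bool:
        """A full directory path (rather than a bare '<module>.pdb') leaks the
        developer or CI workspace layout and is a useful build fingerprint."""
        return "\\" in self.pdb_path or "/" in self.pdb_path


def scan_rsds(buf: bytes) -> list[CodeViewRecord]:
    """Return every well-formed RSDS record in buf, in offset order."""
    found = []
    for m in _RSDS.finditer(buf):
        off = m.start()
        path_start = off + 4 + 16 + 4
        if path_start > len(buf):
            continue
        guid = uuid.UUID(bytes_le=buf[off + 4:off + 20])
        (age,) = struct.unpack_from("<I", buf, off + 20)
        end = buf.find(b"\x00", path_start, path_start + MAX_PATH)
        raw = buf[path_start:end] if end >= 0 else b""
        # A real path is non-empty printable ASCII; anything else is a chance
        # "RSDS" hit in unrelated data.
        if not raw or any(b < 0x20 or b > 0x7E for b in raw):
            continue
        found.append(CodeViewRecord(off, guid, age, raw.decode("ascii")))
    return found


if __name__ == "__main__":
    for rec in scan_rsds(SAMPLE_DUMP):
        flag = "build path" if rec.is_build_path else "system module"
        print(f"{rec.offset:#x} {rec.symbol_key} ({flag}): {rec.pdb_path}")
```

Run against a process memory dump or the PE itself, `symbol_key` is what a symbol server is queried with, so two builds can be matched or distinguished without relying on the loose string scan.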
    Source: Joe Sandbox View | IP Address: 78.47.165.25 78.47.165.25
    Source: Joe Sandbox View | IP Address: 51.89.95.37 51.89.95.37
    Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49712
    Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49913
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /signal/agent HTTP/1.1
        Host: getscreen.me
        Upgrade: websocket
        Connection: Upgrade
        Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
        Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
        Origin: https://getscreen.me
        Sec-WebSocket-Protocol: chat, superchat
        Sec-WebSocket-Version: 13
        User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
    Source: global traffic | HTTP traffic detected: GET /signal/agent HTTP/1.1
        Host: getscreen.me
        Upgrade: websocket
        Connection: Upgrade
        Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
        Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
        Origin: https://getscreen.me
        Sec-WebSocket-Protocol: chat, superchat
        Sec-WebSocket-Version: 13
        User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
    Source: global traffic | DNS traffic detected: DNS query: getscreen.me
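Both captured requests carry the same Sec-WebSocket-Key, dGhlIHNhbXBsZSBub25jZQ== (base64 of "the sample nonce"), and the same subprotocol list "chat, superchat". Those are the literal values from the worked handshake in RFC 6455, which requires the key to be a fresh random 16-byte nonce per connection; a client that replays them is identifiable from the handshake alone, independent of the User-Agent. The following is an added example, not part of the report and not Getscreen.me code: it reconstructs the captured request with proper CRLF separators, validates it as an RFC 6455 upgrade, computes the Sec-WebSocket-Accept the server must answer with, and flags the fixed nonce and the RMM User-Agent as detection features.

```python
"""Parse a captured WebSocket upgrade request and fingerprint the client."""
import base64
import binascii
import hashlib

WS_MAGIC = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455, section 1.3
# Values used verbatim in RFC 6455's example handshake.
RFC6455_EXAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
RFC6455_EXAMPLE_PROTOCOLS = "chat, superchat"

# Constructed from the report's captured "HTTP traffic detected" request.
CAPTURED_REQUEST = (
    "GET /signal/agent HTTP/1.1\r\n"
    "Host: getscreen.me\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: https://getscreen.me\r\n"
    "Sec-WebSocket-Protocol: chat, superchat\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)\r\n"
    "\r\n"
)


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Return (method, request-target, headers) with header names lower-cased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + magic)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((key + WS_MAGIC).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_websocket_upgrade(method: str, headers: dict[str, str]) -> bool:
    """The client-side requirements of RFC 6455 section 4.1 that are checkable
    from a single request."""
    connection_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    try:
        key_ok = len(base64.b64decode(headers.get("sec-websocket-key", ""), validate=True)) == 16
    except (binascii.Error, ValueError):
        key_ok = False
    return (
        method == "GET"
        and headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in connection_tokens
        and headers.get("sec-websocket-version") == "13"
        and key_ok
    )


def fingerprint(raw: str) -> dict:
    """Detection-relevant facts about one handshake."""
    method, target, h = parse_request(raw)
    key = h.get("sec-websocket-key", "")
    user_agent = h.get("user-agent", "")
    return {
        "upgrade": is_websocket_upgrade(method, h),
        "host": h.get("host", ""),
        "target": target,
        "user_agent": user_agent,
        "expected_accept": expected_accept(key) if key else None,
        # A fresh random nonce is required per connection; a client that sends
        # the RFC's own example value is matchable with a plain content rule.
        "reuses_rfc_example_nonce": key == RFC6455_EXAMPLE_KEY,
        "reuses_rfc_example_protocols": h.get("sec-websocket-protocol") == RFC6455_EXAMPLE_PROTOCOLS,
        # Assumption for the example: treat this product string as an RMM agent.
        "rmm_agent": user_agent.startswith("Getscreen.me/"),
    }


if __name__ == "__main__":
    for k, v in fingerprint(CAPTURED_REQUEST).items():
        print(f"{k:30} {v}")
```

For a network rule the key is the cheaper feature: it is a fixed 24-byte token in the clear part of the handshake (before TLS, if the agent ever used plain WebSocket) or visible at a TLS-terminating proxy, whereas the User-Agent is trivially changed between versions.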
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: svchost.exe, 00000006.00000002.3279821933.0000020E27200000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
    Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
    Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
    Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
    Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
    Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
    Source: edb.log.6.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://proxy.contoso.com:3128/
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
    Source: getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.g
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.ge
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsa
    Source: getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsc
    Source: getscreen-868841125.exe, 00000005.00000002.2214333049.000002C3402D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscre
    Source: getscreen-868841125.exe, 00000003.00000003.2250765934.0000011749DD5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/r
    Source: getscreen-868841125.exe, 00000005.00000003.2213515795.000002C340339000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-policy/
    Source: getscreen-868841125.exe, 00000005.00000002.2213882113.000000D6604F5000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/te
    Source: getscreen-868841125.exe, 00000005.00000003.2213515795.000002C340339000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/terms-of-use/
    Source: getscreen-868841125.exe, 00000003.00000003.2273783273.0000011749E0F000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2273360244.0000011749DDF000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2242383051.0000011749E2E000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2250765934.0000011749DD5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/user-guides/agent/
    Source: edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
    Source: svchost.exe, 00000006.00000003.2063230865.0000020E27020000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
    Source: qmgr.db.6.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
    Source: getscreen-868841125.exe, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.drString found in binary or memory: https://www.globalsign.com/repository/0
    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
    Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
    Source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ECCA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_4fb72d18-e
    Source: Yara matchFile source: Process Memory Space: getscreen-868841125.exe PID: 6460, type: MEMORYSTR
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: getscreen-868841125.exe | Static PE information: Resource name: LANG type: DOS executable (COM)
Source: getscreen-868841125.exe | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | Static PE information: Resource name: LANG type: DOS executable (COM)
Source: cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE40D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefwpuclnt.dll.muij% vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED385000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewldp.dll.muij% vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED385000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamensi.dllj% vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000000.00000002.2235143754.00007FF6EFCE9000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD3C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSAMLib.DLLj% vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000000.00000000.2019471157.00007FF6EFCE9000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB31D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED38A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefwbase.dllj% vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000003.00000002.2292540411.00007FF6EFCE9000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000003.00000000.2057357741.00007FF6EFCE9000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000005.00000002.2219369202.00007FF6EFCE9000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
Source: getscreen-868841125.exe, 00000005.00000000.2059163061.00007FF6EFCE9000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
Source: getscreen-868841125.exe | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
Source: classification engine | Classification label: mal51.evad.winEXE@9/13@2/3
Source: C:\Users\user\Desktop\getscreen-868841125.exe | File created: C:\Users\user\AppData\Local\Getscreen.me
Source: C:\Users\user\Desktop\getscreen-868841125.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
Source: C:\Users\user\Desktop\getscreen-868841125.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: getscreen-868841125.exe, 00000000.00000003.2184851441.00000186EADD2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUEy);
Source: C:\Users\user\Desktop\getscreen-868841125.exe | File read: C:\Users\user\Desktop\getscreen-868841125.exe
Source: unknown | Process created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe"
Source: unknown | Process created: C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe "C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe" -elevate \\.\pipe\elevateGS512cuvzruqaiugsbcrywmwtwnufwuzsdlu
Source: C:\Users\user\Desktop\getscreen-868841125.exe | Process created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97mtndswofgjjkzzi -gui
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Source: C:\Users\user\Desktop\getscreen-868841125.exe | Process created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96jbkhndtrtyjfwyx -cmem 0000pipe0PCommand96jbkhndtrtyjfwyxgm1mii67kk80a3y -child
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\getscreen-868841125.exe | Process created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97mtndswofgjjkzzi -gui
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96jbkhndtrtyjfwyx -cmem 0000pipe0PCommand96jbkhndtrtyjfwyxgm1mii67kk80a3y -child
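The mutex, WMI, registry and process-creation rows above are the rows an analyst pivots on, and the report export runs the Source column straight into the evidence type, which makes bulk extraction awkward. The following is an added example, not code from Joe Sandbox or from the Getscreen.me product, that parses rows in that format into structured indicators: the embedded sample rows are copied from this section; the list of recognised row types, the set of WMI classes treated as VM-fingerprinting classes (taken from the names of this report's own signatures) and the treatment of the `-elevate` switch as marking the helper process are assumptions of the example.

```python
import json
import re

# Constructed sample: evidence rows copied from this report's behaviour section.
# The export fuses the "Source" column into the evidence type ("...exeProcess
# created: ..."), so ROW_RE matches the type keyword wherever it starts.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\getscreen-868841125.exeMutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
Source: C:\Users\user\Desktop\getscreen-868841125.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
Source: getscreen-868841125.exe, 00000000.00000003.2184851441.00000186EADD2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUEy);
Source: unknownProcess created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe"
Source: unknownProcess created: C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe "C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe" -elevate \\.\pipe\elevateGS512cuvzruqaiugsbcrywmwtwnufwuzsdlu
Source: C:\Users\user\Desktop\getscreen-868841125.exeProcess created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97mtndswofgjjkzzi -gui
Source: C:\Windows\System32\svchost.exeProcess created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96jbkhndtrtyjfwyx -cmem 0000pipe0PCommand96jbkhndtrtyjfwyxgm1mii67kk80a3y -child
Source: C:\Users\user\Desktop\getscreen-868841125.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
"""

# Row types this example knows how to split (assumption: the subset seen on this page).
ROW_TYPES = (
    "Process created", "Mutant created", "WMI Queries", "File created", "Key opened",
    "Section loaded", "String found in binary or memory", "Binary or memory string",
    "Network traffic detected",
)
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*(?P<kind>"
    + "|".join(re.escape(t) for t in ROW_TYPES)
    + r"):\s*(?P<val>.*)$"
)
PIPE_RE = re.compile(r"\\\\\.\\pipe\\[\w-]+")          # \\.\pipe\<name>
WMI_CLASS_RE = re.compile(r"\bFROM\s+(Win32_\w+)")      # class in a WQL SELECT

# WMI classes that the report's signature names associate with VM/sandbox fingerprinting.
VM_FINGERPRINT_CLASSES = frozenset({
    "Win32_Processor", "Win32_NetworkAdapter", "Win32_DiskDrive", "Win32_PhysicalMemory",
    "Win32_LogicalDisk", "Win32_SoundDevice", "Win32_Bios", "Win32_BaseBoard",
    "Win32_ComputerSystem",
})
# Software Restriction Policies key; opening it is a policy lookup, not persistence.
SRP_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"


def parse_rows(text):
    """Yield (source, kind, value) for every line that is an evidence row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("kind"), m.group("val")


def triage(text):
    """Collapse evidence rows into the indicators worth pivoting on."""
    out = {"mutexes": [], "processes": [], "wmi_classes": set(), "pipes": set(),
           "srp_policy_key_opened": False}
    for src, kind, val in parse_rows(text):
        if kind == "Mutant created":
            out["mutexes"].append(val)
        elif kind == "Process created":
            image, _, cmdline = val.partition(" ")   # "<image path> <command line>"
            pipes = PIPE_RE.findall(cmdline)
            out["processes"].append({
                "parent": src, "image": image, "cmdline": cmdline,
                "elevated_helper": " -elevate " in f" {cmdline} ",
                "pipes": pipes,
            })
            out["pipes"].update(pipes)
        elif kind in ("WMI Queries", "Binary or memory string"):
            # Both executed queries and query strings left in memory name their class.
            out["wmi_classes"].update(WMI_CLASS_RE.findall(val))
        elif kind == "Key opened" and val.lower() == SRP_KEY.lower():
            out["srp_policy_key_opened"] = True
    out["wmi_classes"] = sorted(out["wmi_classes"])
    out["vm_fingerprint_classes"] = sorted(
        c for c in out["wmi_classes"] if c in VM_FINGERPRINT_CLASSES)
    out["pipes"] = sorted(out["pipes"])
    return out


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

One detail the process rows carry that the output keeps: the `-child` instance is created by the svchost hosting seclogon, the Secondary Logon service that backs CreateProcessWithLogonW and CreateProcessWithTokenW, so a process-tree pivot should attribute svchost-spawned instances of the sample to the sample itself rather than to an unrelated service launch.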
Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded (in order): d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, umpdc.dll, cryptbase.dll, netutils.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, fwpolicyiomgr.dll, ntmarta.dll, mmdevapi.dll, devobj.dll, avrt.dll, mfwmaaec.dll, avrt.dll, audioses.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, wintypes.dll, twinapi.appcore.dll, coremessaging.dll, twinapi.appcore.dll, coreuicomponents.dll, coremessaging.dll, propsys.dll, winsta.dll, wbemcomn.dll, amsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, ondemandconnroutehelper.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll, samlib.dll, ondemandconnroutehelper.dll, symsrv.dll
Source: C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe | Section loaded (in order): d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, umpdc.dll, cryptbase.dll, netutils.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll
Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded (in order): d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, umpdc.dll, cryptbase.dll, netutils.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, ntmarta.dll, d2d1.dll, dwrite.dll, dwmapi.dll, mswsock.dll, dataexchange.dll, dcomp.dll, twinapi.appcore.dll, directmanipulation.dll, resourcepolicyclient.dll, d3d10warp.dll, dxcore.dll, windowscodecs.dll, mscms.dll, coloradapterclient.dll, icm32.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, uiautomationcore.dll, propsys.dll, textshaping.dll
Source: C:\Windows\System32\svchost.exe | Section loaded (in order): kernel.appcore.dll, seclogon.dll, wldp.dll, sspicli.dll, userenv.dll, profapi.dll
Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded (in order): d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, umpdc.dll, cryptbase.dll, netutils.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, ntmarta.dll, winsta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded (in order): kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, fwpuclnt.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-868841125.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32Jump to behavior
    Source: getscreen-868841125.exeStatic PE information: certificate valid
    Source: getscreen-868841125.exeStatic PE information: Image base 0x140000000 > 0x60000000
    Source: getscreen-868841125.exeStatic file information: File size 7627560 > 1048576
    Source: getscreen-868841125.exeStatic PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x740200
    Source: getscreen-868841125.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
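The static PE lines above can be reproduced without the sandbox. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the getscreen project. It is a stdlib-only parser that reads the DOS header, NT headers, optional header and section table, then applies the same heuristics with the thresholds the report prints: image base above 0x60000000, file size above 1048576 bytes, any section whose raw size exceeds 0x100000, and the DllCharacteristics flags. The PE returned by build_sample_pe() is a constructed stand-in whose header values mirror the report (PE32+, ImageBase 0x140000000, UPX0/UPX1 sections, flags 0x8160); it is not the analysed binary. The "certificate valid" line is not covered, since Authenticode verification needs the signature chain (for example Get-AuthenticodeSignature in PowerShell).

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe(data: bytes) -> dict:
    """Read the few header fields the static checks need; ValueError on a non-PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: 8-byte ImageBase at optional-header offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:    # PE32: 4-byte ImageBase at offset 28 (BaseOfData sits at 24)
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # CheckSum (64) and DllCharacteristics (70) sit at the same offsets in both formats.
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + size_of_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"magic": magic, "image_base": image_base, "checksum": checksum,
            "dll_characteristics": dll_chars, "sections": sections}


def static_findings(data: bytes, *, high_base=0x60000000, big_file=1048576,
                    big_section=0x100000) -> list:
    """Evaluate the report's static-PE heuristics; wording follows the report lines."""
    pe = parse_pe(data)
    out = []
    if pe["image_base"] > high_base:
        out.append(f"Image base {pe['image_base']:#x} > {high_base:#x}")
    if len(data) > big_file:
        out.append(f"File size {len(data)} > {big_file}")
    for s in pe["sections"]:
        if s["raw_size"] > big_section:
            out.append(f"Raw size of {s['name']} is bigger than: {big_section:#x} < {s['raw_size']:#x}")
    if any(s["name"].startswith("UPX") for s in pe["sections"]):
        out.append("Section names UPX0/UPX1 indicate a UPX-packed image")
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_characteristics"] & bit]
    out.append(", ".join(flags))
    return out


def build_sample_pe(image_base=0x140000000, upx1_raw_size=0x740200) -> bytes:
    """Constructed PE32+ stand-in carrying the header values quoted in the report.
    Not the analysed binary: only the headers are meaningful, the body is zero-filled."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine AMD64, 2 sections, 240-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # section / file alignment
    struct.pack_into("<H", opt, 48, 6)                    # MajorSubsystemVersion
    struct.pack_into("<II", opt, 56, 0xD32000, 0x400)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8160)           # GUI; HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    secs = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw, ptr, 0, 0, 0, 0, chars)
                    for name, vsize, vaddr, raw, ptr, chars in [
                        (b"UPX0", 0x5F0000, 0x1000, 0, 0, 0xE0000080),
                        (b"UPX1", upx1_raw_size, 0x5F1000, upx1_raw_size, 0x400, 0xE0000040)])
    headers = (dos + b"PE\0\0" + file_hdr + opt + secs).ljust(0x400, b"\0")
    return headers + b"\0" * upx1_raw_size


if __name__ == "__main__":
    for line in static_findings(build_sample_pe()):
        print("Static PE information:", line)
```

Run it against a real file with `static_findings(open(path, "rb").read())`. A signed, UPX-packed x64 image with a 0x140000000 base is what many legitimately built executables look like as well; these lines are triage hints about packing and size, not verdicts on their own.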
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemprox.pdbdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\bcryptprimitives.pdb.1.5 source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186ED792000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED385000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbi.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92DD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\netapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD30000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ObjectsE.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-868841125.exet.pdbui source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\samlib.pdbbb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED368000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED36E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDF5A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB9B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED385000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdblb8 source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEB85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdbgh source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdbbX source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WinTypes.pdblse] source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE839000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB8F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDE6B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\TextInputFramework.pdb\* source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\CoreUIComponents.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB77000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD2A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDB1B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\cryptbase.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED39B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB3C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED362000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\WindowManagementAPI.pdb\* source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEB73000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB6B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED35C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEDE3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE208000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdbx source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE3FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE37F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92BC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDEC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDD52000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186ED792000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gr32.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEDE3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD2A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED395000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDC97000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEB85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE7CE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED395000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED39B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB60000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE323000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-868841125.exec.pdb* source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdbdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED35C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDC38000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDB81000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB5A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92B0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDABE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE401000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB3CC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: getscreen-868841125.exentdll.pdbA source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE3F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE94B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDC38000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEA74000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-868841125.exex.pdbdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED356000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92BC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbbg source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB7D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB83000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB9B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED38F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE1D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: _samlib.pdbll\samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\kernel32.pdbh source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB7D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED356000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: prox.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE94B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\x64\Release\getscreen.pdb source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEA7A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEEA7000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.2209202970.00000186EC850000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEA74000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDC97000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE407000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE17000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEA7A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE11000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DRV\winspool.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEE3D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nt.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE0E1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED350000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE3FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDE6B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEB73000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fastprox.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\TextInputFramework.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE8F0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB89000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB95000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdbb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdb3~ source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UxTheme.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDDAD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE40D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED368000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE021000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEA6E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE37F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDFB5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE1D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE839000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider64.pdb.pdbP source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB83000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE208000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbs.dat source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE3F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92DD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE021000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UxTheme.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDDAD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED350000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WinTypes.pdbb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB54000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD24000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE17000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdb;V source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE0B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE2C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE8F0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EED86000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE895000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EED86000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB95000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\devobj.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92DD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD30000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE07C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbll source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdbl\gdiplus.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InternalTlsAllocDataxesExprox.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED374000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE774000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\x64\Release\getscreen.pdb source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: msvcp_win.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB3CC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\InputHost.pdbe.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdbP source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED36E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemprox.pdbb.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDFBB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDBDD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB5A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb64.dll( source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED374000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE40D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDD52000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD24000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE407000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB54000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE774000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\powrprof.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-868841125.exelib.pdb* source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: <;top\symbols\dll\samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92DD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92B0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE401000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDEC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-868841125.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider64.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SleepExen-868841125.exellnt.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE2C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbidb8 source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E92DD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE07C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MMDevAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEA14000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NtDelayExecutionnkexegdiplus.pdb: source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-868841125.exepdb.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB89000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE0E1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EE895000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\netutils.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED362000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\propsys.pdbb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE11000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-868841125.pdbm source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEB7F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEE3D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ED38F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\iphlpapi.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WindowManagementAPI.pdbx source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: $.0x140D5D2E2841125.exeObjectsE.pdb? source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EE323000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB3C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB8F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEB7F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDFB5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDF5A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-868841125.pdbF source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: getscreen-868841125.exesExgr32.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAD36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDBDD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\InputHost.pdb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDFBB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb.pdbb` source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\comctl32.pdbb source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDCF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EAE0B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB77000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.2212293801.00000186EDABE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB71000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-868841125.exe, 00000000.00000002.2209202970.00000186ECB60000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-868841125.exe, 00000000.00000002.2218439491.00000186EEA14000.00000004.00000020.00020000.00000000.sdmp
    Source: cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe.0.dr | Static PE information: real checksum: 0x7518c8 should be: 0x74d76b
    Source: getscreen-868841125.exe | Static PE information: real checksum: 0x7518c8 should be: 0x74d76b
    Source: initial sample | Static PE information: section name: UPX0
    Source: initial sample | Static PE information: section name: UPX1
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | File created: C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 14
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | System information queried: FirmwareTableInformation
    Source: C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe | System information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Window / User API: threadDelayed 887
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Window / User API: windowPlacementGot 930
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Window / User API: threadDelayed 852
    Source: C:\Users\user\Desktop\getscreen-868841125.exe TID: 5864 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\Desktop\getscreen-868841125.exe TID: 6004 | Thread sleep count: 852 > 30
    Source: C:\Windows\System32\svchost.exe TID: 3840 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: getscreen-868841125.exe, 00000000.00000002.2208281319.00000186EB222000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $VMware Virtual RAM
    Source: getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
    Source: getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VMnet
    Source: getscreen-868841125.exe, 00000000.00000002.2206756933.0000003145CF0000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: {"token":"","uid":"2ED92742-89DC-DD72-92E8-869FA5A66493","turbo":"2048781730715455VtYxoHeAjUwFOXcsQB7u","turbo_old":"","invite":"","brand":"","install":false,"admin":true,"isadmin":true,"onetime":true,"file_download":true,"name":"494126","nonadmin":true,"islock":false,"blackscreen_available":true,"hibernate":true,"power_supply":true,"silent":false,"start_time":1730885756,"os":"win","rdp":false,"os_user":"user","os_username":"","build":228,"version":"3.1.5","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"CPUSpeed\":2000,\"CPUCores\":4,\"CPUCoresLogical\":1,\"CPUFamily\":\"Intel64 Family 6 Model 143 Stepping 8\",\"BIOS\":\"69FSTA1H7L\",\"BIOSVersion\":\"20221121\",\"BIOSDate\":\"\",\"RAMPhys\":8191,\"RAMPhysAvail\":2223,\"RAMVirt\":134217727,\"RAMVirtAvail\":134213405,\"RAMPageFile\":8191,\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Locator\":\"RAM slot #0\",\"DataWidth\":64,\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":4096}],
    Source: getscreen-868841125.exe, 00000000.00000002.2206756933.0000003145CF0000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: {"CPU":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","CPUSpeed":2000,"CPUCores":4,"CPUCoresLogical":1,"CPUFamily":"Intel64 Family 6 Model 143 Stepping 8","BIOS":"69FSTA1H7L","BIOSVersion":"20221121","BIOSDate":"","RAMPhys":8191,"RAMPhysAvail":2223,"RAMVirt":134217727,"RAMVirtAvail":134213405,"RAMPageFile":8191,"RAMBanks":[{"Bank":"RAM slot #0","Locator":"RAM slot #0","DataWidth":64,"Manufacturer":"VMware Virtual RAM","PartNumber":"VMW-4096MB","SerialNumber":"00000001","Capacity":4096}],"VideoName":"SOAHXM4H","VideoRAM":1024,"VideoCards":[{"Name":"SOAHXM4H","RAM":1024,"Integrated":false}],"Locale":"0809","LocaleOemPage":"1252","LocaleCountry":"Switzerland","LocaleCurrency":"CHF","LocaleTimezone":120,"LocaleFormatTime":"HH:mm:ss","LocaleFormatDate":"dd\/MM\/yyyy","ComputerModel":"9WKEwVnO","ComputerDomain":"FF2Ov","ComputerWorkgroup":"WORKGROUP","ComputerName":"user-PC","ComputerIP":["192.168.2.5","fe80::357a:d50d:a849:be2d"],"OSName":"Microsoft Windows 10 Pro","OSVersion":"10.0.19045","HDD":[{"Model":"W6FMLTP2 SC
    Source: getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
    Source: getscreen-868841125.exe, 00000000.00000002.2206756933.0000003145CF0000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: RAM slot #0RAM slot #0@VMware Virtual RAMVMW-4096MB00000001
    Source: getscreen-868841125.exe, 00000003.00000002.2279699658.00000117474DC000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000002.2278658945.00000117457B1000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2274781623.00000117474D7000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2243719639.00000117474CC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3279938006.0000020E27259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3278526536.0000020E21C2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: getscreen-868841125.exe, 00000000.00000002.2206756933.0000003145CF0000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM
    Source: cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2033175765.000001D87D4A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
    Source: getscreen-868841125.exe, 00000000.00000002.2207050295.00000186E9264000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000005.00000003.2212512849.000002C340325000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: getscreen-868841125.exe, 00000000.00000002.2207812229.00000186EADDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"token":"","uid":"2ED92742-89DC-DD72-92E8-869FA5A66493","turbo":"2048781730715455VtYxoHeAjUwFOXcsQB7u","turbo_old":"","invite":"","brand":"","install":false,"admin":true,"isadmin":true,"onetime":true,"file_download":true,"name":"494126","nonadmin":true,"islock":false,"blackscreen_available":true,"hibernate":true,"power_supply":true,"silent":false,"start_time":1730885756,"os":"win","rdp":false,"os_user":"user","os_username":"","build":228,"version":"3.1.5","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"CPUSpeed\":2000,\"CPUCores\":4,\"CPUCoresLogical\":1,\"CPUFamily\":\"Intel64 Family 6 Model 143 Stepping 8\",\"BIOS\":\"69FSTA1H7L\",\"BIOSVersion\":\"20221121\",\"BIOSDate\":\"\",\"RAMPhys\":8191,\"RAMPhysAvail\":2223,\"RAMVirt\":134217727,\"RAMVirtAvail\":134213405,\"RAMPageFile\":8191,\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Locator\":\"RAM slot #0\",\"DataWidth\":64,\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":4096}],\"VideoName\":\"SOAHXM4H\",\"VideoRAM\":1024,\"VideoCards\":[{\"Name\":\"SOAHXM4H\",\"RAM\":1024,\"Integrated\":false}],\"Locale\":\"0809\",\"LocaleOemPage\":\"1252\",\"LocaleCountry\":\"Switzerland\",\"LocaleCurrency\":\"CHF\",\"LocaleTimezone\":120,\"LocaleFormatTime\":\"HH:mm:ss\",\"LocaleFormatDate\":\"dd\\\/MM\\\/yyyy\",\"ComputerModel\":\"9WKEwVnO\",\"ComputerDomain\":\"FF2Ov\",\"ComputerWorkgroup\":\"WORKGROUP\",\"ComputerName\":\"user-PC\",\"ComputerIP\":[\"192.168.2.5\",\"fe80::357a:d50d:a849:be2d\"],\"OSName\":\"Microsoft Windows 10 Pro\",\"OSVersion\":\"10.0.19045\",\"HDD\":[{\"Model\":\"W6FMLTP2 SCSI Disk Device\",\"Size\":393199}],\"LogicalDisks\":[{\"Disk\":\"C:\",\"Name\":\"\",\"FileSystem\":\"NTFS\",\"Size\":213143,\"FreeSpace\":19244}],\"SoundDevices\":[],\"NetAdapters\":[{\"Name\":\"Intel(R) 82574L Gigabit Network Connection\",\"Manufacturer\":\"Intel Corporation\",\"MACAddress\":\"EC:F4:BB:57:0D:C9\",\"Speed\":953,\"Addresses\":\"192.168.2.5, fe80::357a:d50d:a849:be2d\",\"DNS\":\"1.1.1.1\",\"DCHP\":\"\",\"Cable\":true,\"WoL\":false}],\"Monitors\":[]}"}
    Source: getscreen-868841125.exe, 00000003.00000002.2279699658.00000117474DC000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2274781623.00000117474D7000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2243719639.00000117474CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`?G
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Process queried: DebugPort
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96jbkhndtrtyjfwyx -cmem 0000pipe0PCommand96jbkhndtrtyjfwyxgm1mii67kk80a3y -child
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ECCA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
    Source: getscreen-868841125.exe, 00000000.00000002.2210368690.00000186ECCA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
MITRE ATT&CK Matrix (one line per tactic column; the numeric prefixes next to a technique are reproduced exactly as the report's matrix shows them)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 631 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 12 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 551 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 741 Security Software Discovery; 551 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 142 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Input Capture; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
No Antivirus matches

Source | Detection | Scanner | Label
C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe | 0% | ReversingLabs |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://docs.ge | 0% | Avira URL Cloud | safe
http://proxy.contoso.com:3128/ | 0% | Avira URL Cloud | safe
https://docs.g | 0% | Avira URL Cloud | safe
https://docs.getscreen.me/en/r | 0% | Avira URL Cloud | safe
https://docs.getsa | 0% | Avira URL Cloud | safe
https://docs.getsc | 0% | Avira URL Cloud | safe
https://docs.getscreen.me/user-guides/agent/ | 0% | Avira URL Cloud | safe
https://docs.getscreen.me/en/rules/terms-of-use/ | 0% | Avira URL Cloud | safe
https://docs.getscre | 0% | Avira URL Cloud | safe
https://docs.getscreen.me/en/rules/te | 0% | Avira URL Cloud | safe
https://docs.getscreen.me/en/rules/privacy-policy/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
getscreen.me | 51.89.95.37 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://getscreen.me/signal/agent | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://docs.ge | getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod/C: | edb.log.6.dr | false | | high
http://proxy.contoso.com:3128/ | getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/user-guides/agent/ | getscreen-868841125.exe, 00000003.00000003.2273783273.0000011749E0F000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2273360244.0000011749DDF000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2242383051.0000011749E2E000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000003.00000003.2250765934.0000011749DD5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/en/r | getscreen-868841125.exe, 00000003.00000003.2250765934.0000011749DD5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/en/rules/te | getscreen-868841125.exe, 00000005.00000002.2213882113.000000D6604F5000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscre | getscreen-868841125.exe, 00000005.00000002.2214333049.000002C3402D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 00000006.00000002.3279821933.0000020E27200000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.winimage.com/zLibDll | getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000006.00000003.2063230865.0000020E27020000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr | false | | high
https://docs.g | getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/en/rules/terms-of-use/ | getscreen-868841125.exe, 00000005.00000003.2213515795.000002C340339000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getsc | getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getsa | getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EAB6C000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE9FC000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | getscreen-868841125.exe, 00000000.00000002.2222254253.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe, 00000002.00000002.2035425266.00007FF6EA6D1000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000003.00000002.2285311262.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.2215086204.00007FF6EE561000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://docs.getscreen.me/en/rules/privacy-policy/ | getscreen-868841125.exe, 00000005.00000003.2213515795.000002C340339000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
78.47.165.25 | unknown | Germany | 24940 | HETZNER-AS (DE) | false
51.89.95.37 | getscreen.me | France | 16276 | OVH (FR) | false

IP (loopback, no domain or ASN data): 127.0.0.1
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1550005
                    Start date and time:2024-11-06 10:35:07 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 5m 47s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:9
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:getscreen-868841125.exe
                    Detection:MAL
                    Classification:mal51.evad.winEXE@9/13@2/3
                    EGA Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                    • Excluded IPs from analysis (whitelisted): 184.28.90.27
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: getscreen-868841125.exe
Time | Type | Description
04:35:59 | API Interceptor | 2x Sleep call for process: getscreen-868841125.exe modified
04:36:00 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
78.47.165.25 | getscreen-120727697-x86.exe | malicious | Unknown |
78.47.165.25 | getscreen-669912037.exe | malicious | Unknown |
78.47.165.25 | getscreen-456311346-x86.exe | malicious | Unknown |
78.47.165.25 | getscreen-456311346-x86.exe | malicious | Unknown |
78.47.165.25 | getscreen-941605629.exe | malicious | Unknown |
78.47.165.25 | getscreen-941605629.exe | malicious | Unknown |
78.47.165.25 | getscreen-156413884-x86.exe | malicious | Unknown |
78.47.165.25 | getscreen-156413884-x86.exe | malicious | Unknown |
78.47.165.25 | getscreen-511588515.exe | malicious | Unknown |
78.47.165.25 | getscreen-973519027.exe | malicious | Unknown |
51.89.95.37 | getscreen-227149269.exe | malicious | Unknown |
51.89.95.37 | getscreen-669912037.exe | malicious | Unknown |
51.89.95.37 | getscreen-120727697-x86.exe | malicious | Unknown |
51.89.95.37 | getscreen-456311346-x86.exe | malicious | Unknown |
51.89.95.37 | getscreen-941605629-x86.exe | malicious | Unknown |
51.89.95.37 | getscreen-469829524.exe | malicious | Unknown |
51.89.95.37 | getscreen-469829524.exe | malicious | Unknown |
51.89.95.37 | getscreen-156413884-x86.exe | malicious | Unknown |
51.89.95.37 | getscreen-511588515.exe | malicious | Unknown |
51.89.95.37 | getscreen-959987858.exe | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
getscreen.me | getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-669912037.exe | malicious | Unknown | 51.89.95.37
getscreen.me | getscreen-120727697-x86.exe | malicious | Unknown | 51.89.95.37
getscreen.me | getscreen-669912037.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-456311346-x86.exe | malicious | Unknown | 78.47.165.25
getscreen.me | getscreen-456311346-x86.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-941605629.exe | malicious | Unknown | 78.47.165.25
getscreen.me | getscreen-941605629-x86.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-941605629.exe | malicious | Unknown | 5.75.168.191

Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-AS (DE) | Anfrage24438.exe | malicious | FormBook, GuLoader | 188.40.95.144
HETZNER-AS (DE) | Anfrage24438.exe | malicious | FormBook, GuLoader | 188.40.95.144
HETZNER-AS (DE) | DeGrsOm654.exe | malicious | Quasar | 195.201.57.90
HETZNER-AS (DE) | PO_11000262.vbs | malicious | FormBook | 148.251.114.233
HETZNER-AS (DE) | 5112024976.exe | malicious | FormBook, GuLoader | 188.40.95.144
HETZNER-AS (DE) | 5112024976.exe | malicious | FormBook, GuLoader | 188.40.95.144
HETZNER-AS (DE) | https://me-qr.com/f/tritonstone?hash= | malicious | Unknown | 49.12.126.78
HETZNER-AS (DE) | EQ_AW24 New Order Request.xlx.exe | malicious | GuLoader, StormKitty, XWorm | 176.9.162.125
HETZNER-AS (DE) | En88bvC0fc.exe | malicious | FormBook | 195.201.82.185
HETZNER-AS (DE) | malware-DONT-RUN.ps1 | malicious | Unknown | 49.12.202.237
OVH (FR) | https://media.nomadsport.net/Culture/SetCulture?culture=en&returnUrl=https://t.ly/qrCwt | malicious | Unknown | 51.75.86.98
OVH (FR) | 173088018932da39249a78e1e5ce12172206503d9aff64ce4d812c9c37e75655611d901e96791.dat-decoded.exe | malicious | Remcos | 176.31.147.220
OVH (FR) | D7R Image_capture 28082024 JPEG FILE.exe | malicious | FormBook | 213.186.33.5
OVH (FR) | AENiBH7X1q.exe | malicious | PureLog Stealer, RedLine | 51.195.88.199
OVH (FR) | ffsBbRe8UN.exe | malicious | FormBook | 198.50.252.64
OVH (FR) | https://www.calameo.com/read/0078089179e74e2f639e0 | malicious | Unknown | 51.89.9.252
OVH (FR) | file.exe | malicious | Unknown | 139.99.3.47
OVH (FR) | ahlntQUj2t.exe | malicious | Xmrig | 54.37.232.103
OVH (FR) | https://t.co/WUjzOGRMNx | malicious | Unknown | 51.38.120.206
OVH (FR) | RnOAeiRWds.exe | malicious | AsyncRAT | 51.222.21.24
                                                            No context
                                                            No context
                                                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                                                            File Type:ASCII text
                                                            Category:modified
                                                            Size (bytes):17058
                                                            Entropy (8bit):5.459978019964504
                                                            Encrypted:false
                                                            SSDEEP:384:Hx8Zwkg57pxAfS5OO2JB9UzxD1cNNhR2dGNhR2BhR2dceNhR23NhR2lhR2AcicNg:5RSrt
                                                            MD5:BA69E6A0D121345BF120BA087C01905C
                                                            SHA1:19B6314547DE625B50F507A0B684F72F8CB56130
                                                            SHA-256:17713A67AF1AECB873133D2DB8C237D341750CE2F6CBC816942943CA88CAA3DB
                                                            SHA-512:190FE1E12BD73F13BFF27101A1FC909859EC2D4CC820542FD7F900F17C8710EE3B71C939497348B5C0D6D5EB2408403A4EFD5CB539573C8F66C4D8580D871CC2
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:Filename.: getscreen-868841125.exe-fc1bde256d166eec5135a7b0e7e496c7fda65aa3.crash.SHA1..: fc1bde256d166eec5135a7b0e7e496c7fda65aa3.Time..: 2024.11.6 9:37.Program..: Getscreen.me.Version..: 3.1.5.OS...: Windows 10 build 19045, x64.BIOS..: .Explorer.: 11.789.19041.0.Processors.: 0 x .Video..: .Computer.: .Memory..: 2 free of 8 Gb.Handles..: 439.Image Base.: 0x140000000..Exception.: 0xC0000005 at 0x00007FF6EE1547BC (getscreen-868841125.exe.$0x5F47BC)..Modules...: C:\Users\user\Desktop\getscreen-868841125.exe (3.1.5.0)...: C:\Windows\SYSTEM32\ntdll.dll (10.0.19041.1949)...: C:\Windows\System32\KERNEL32.DLL (10.0.19041.1889)...: C:\Windows\System32\KERNELBASE.dll (10.0.19041.1949)...: C:\Windows\System32\ADVAPI32.dll (10.0.19041.1682)...: C:\Windows\System32\msvcrt.dll (7.0.19041.546)...: C:\Windows\System32\sechost.dll (10.0.19041.1865)...: C:\Windows\System32\RPCRT4.dll (10.0.19041.1806)...: C:\Windows\System32\COMDLG32.dll (10.0.19041.1806)...: C:\Windows\System32\combase.dll (10.0.190
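The crash log previewed above carries the three facts an analyst wants from a crash: the NTSTATUS exception code, the faulting address, and a module-relative offset, from which the module's real load base follows. The parser below is an added example, not part of the Joe Sandbox report or of Getscreen.me's own code. CRASH_LOG is constructed from the preview: the report renders its separators as dots, so the tabs and newlines are an assumption, and only the first two module lines are reproduced.

```python
"""Parse a Getscreen-style crash log into triage facts (added example)."""
import re
from typing import Any, Dict

# Constructed from the crash-log preview printed in the report. The preview
# shows tabs and newlines as dots, so the separators used here are assumed.
CRASH_LOG = (
    "Filename\t: getscreen-868841125.exe-fc1bde256d166eec5135a7b0e7e496c7fda65aa3.crash\n"
    "SHA1\t\t: fc1bde256d166eec5135a7b0e7e496c7fda65aa3\n"
    "Time\t\t: 2024.11.6 9:37\n"
    "Program\t\t: Getscreen.me\n"
    "Version\t\t: 3.1.5\n"
    "OS\t\t\t: Windows 10 build 19045, x64\n"
    "BIOS\t\t: \n"
    "Explorer\t: 11.789.19041.0\n"
    "Processors\t: 0 x \n"
    "Video\t\t: \n"
    "Computer\t: \n"
    "Memory\t\t: 2 free of 8 Gb\n"
    "Handles\t\t: 439\n"
    "Image Base\t: 0x140000000\n"
    "\n"
    "Exception\t: 0xC0000005 at 0x00007FF6EE1547BC (getscreen-868841125.exe $0x5F47BC)\n"
    "\n"
    "Modules\t\t: C:\\Users\\user\\Desktop\\getscreen-868841125.exe (3.1.5.0)\n"
    "\t\t\t: C:\\Windows\\SYSTEM32\\ntdll.dll (10.0.19041.1949)\n"
)

# NTSTATUS codes that commonly show up as crash exception codes.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0x80000003: "STATUS_BREAKPOINT",
}

# "Key<tabs>: value"; continuation lines start with a tab and do not match.
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s?(.*)$")
# "0xCODE at 0xADDRESS (module $0xOFFSET)"
EXCEPTION_RE = re.compile(
    r"(0x[0-9A-Fa-f]+) at (0x[0-9A-Fa-f]+) \(([^ ]+) \$(0x[0-9A-Fa-f]+)\)")
HARDWARE_FIELDS = ("BIOS", "Processors", "Video", "Computer")


def parse_crash_log(text: str) -> Dict[str, Any]:
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    m = EXCEPTION_RE.search(fields.get("Exception", ""))
    if not m:
        raise ValueError("no parsable Exception line")
    code, address = int(m.group(1), 16), int(m.group(2), 16)
    module, offset = m.group(3), int(m.group(4), 16)
    load_base = address - offset  # "$offset" is relative to the module's load address
    preferred = int(fields.get("Image Base", "0"), 16)
    # The logger fills these from hardware queries; "" or "0 x" means it got nothing back.
    empty = [k for k in HARDWARE_FIELDS if fields.get(k, "").strip() in ("", "0 x")]
    return {
        "program": f"{fields.get('Program')} {fields.get('Version')}",
        "exception_code": code,
        "exception_name": NTSTATUS_NAMES.get(code, "unknown"),
        "fault_address": address,
        "module": module,
        "module_offset": offset,
        "load_base": load_base,
        "preferred_base": preferred,
        "relocated": load_base != preferred,  # ASLR moved the image off its preferred base
        "empty_hardware_fields": empty,
    }


if __name__ == "__main__":
    for key, value in parse_crash_log(CRASH_LOG).items():
        if isinstance(value, int) and not isinstance(value, bool):
            print(f"{key:>22}: {value:#x}")
        else:
            print(f"{key:>22}: {value}")
```

Subtracting the $-offset from the faulting address gives a 64 KiB-aligned base of 0x7FF6EDB60000, which is not the preferred Image Base 0x140000000 recorded in the log: the image was relocated, so the offset 0x5F47BC, not the absolute address, is what to carry into a disassembler or into the memory-dump names used elsewhere in this report. The empty BIOS, Video and Computer fields and "Processors: 0 x" are reproduced as the report shows them; the parser only lists them.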
                                                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):7627560
                                                            Entropy (8bit):7.943908022770192
                                                            Encrypted:false
                                                            SSDEEP:98304:iT0vaR0C912Is4uDTlWDxqi/S/YMUXhoXueFkEu1WefOo6CMCFiATJsqU:E0sN4P3nixx/kYMUxaue+EuwcwCRo
                                                            MD5:9A5C564F4095F7232DC6D422E12689FE
                                                            SHA1:AC6F4FAA193DE3E332FAEA713335F7596219B2CE
                                                            SHA-256:C9A8360C43E59B41A21C155BE136A6A3D9B75519A200607277EF2DE2E17057A5
                                                            SHA-512:EF740ACA09E47A27086FB53C93371C7AFF383E981E54770A7568FAB9377E18574DA135D6D292D3A5AEB1930C4146605FF655E4D5E82B070449770EDBB8F8B277
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Reputation:low
                                                            Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......n.\g*t24*t24*t24a.15.t24...4"t24..65>t24>.65.t24*t24.s24a.55+t24..15$t24..75St24a.75.t24a.65~t24a.45(t24a.35gt24*t34.w249.;5.v249.25+t249..4+t24*t.4+t249.05+t24Rich*t24........................PE..d...r..g.........."....(..t..0...p...y.........@......................................u...`.........................................p....T..8...........8#.......#...4t.(/......,...........................@|..(...0...@...........................................UPX0.....p..............................UPX1......t.......t.................@....rsrc....0............t.............@..............................................................................................................................................................................................................................................................................................4.22.UPX!.$..
                                                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:3:ggPYV:rPYV
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:true
                                                            Reputation:high, very likely benign file
                                                            Preview:[ZoneTransfer]....ZoneId=0
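The two entries above, the 7.6 MB PE and the 26-byte Zone.Identifier stream, lend themselves to a few mechanical checks: the PE's MD5, SHA1 and SHA-256 equal the analysed sample's from the report header, so the dropped file is a byte-identical self-copy; its preview shows UPX0/UPX1 section names alongside an entropy of 7.94 out of a possible 8; and the stream's ZoneId can be read directly. The script below is an added example, not part of the Joe Sandbox report. Its records are constructed from the hashes, sizes, entropies and previews printed on this page; the PE preview is a constructed stand-in that contains the markers the report's preview shows; the PE's label assumes it is the cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe file named in the antivirus table; and the Zone.Identifier body is reconstructed as [ZoneTransfer], two CRLFs and ZoneId=0, a reconstruction that reproduces the report's entropy value exactly, which triage() checks.

```python
"""Triage of dropped-file records from a sandbox report (added example)."""
import math
from dataclasses import dataclass
from typing import List, Optional

# Hashes of the analysed sample, copied from the report header.
SAMPLE_HASHES = {
    "md5": "9a5c564f4095f7232dc6d422e12689fe",
    "sha1": "ac6f4faa193de3e332faea713335f7596219b2ce",
    "sha256": "c9a8360c43e59b41a21c155be136a6a3d9b75519a200607277ef2de2e17057a5",
}

# ZoneId values of the URL security zones written into Zone.Identifier streams.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


@dataclass
class DroppedFile:
    label: str              # assumed name; the report prints no path in these entries
    size: int
    md5: str
    sha1: str
    sha256: str
    reported_entropy: float
    preview: bytes          # leading bytes, constructed from the report's preview text


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte histogram; the report's 'Entropy (8bit)' measure."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_self_copy(f: DroppedFile) -> bool:
    """All three digests equal the sample's: the dropped file is a byte-identical copy."""
    return (f.md5.lower(), f.sha1.lower(), f.sha256.lower()) == (
        SAMPLE_HASHES["md5"], SAMPLE_HASHES["sha1"], SAMPLE_HASHES["sha256"])


def looks_upx_packed(f: DroppedFile) -> bool:
    """MZ header, UPX0/UPX1 section names and entropy near the 8-bit ceiling."""
    return (f.preview.startswith(b"MZ") and b"UPX0" in f.preview
            and b"UPX1" in f.preview and f.reported_entropy > 7.5)


def parse_zone_id(data: bytes) -> Optional[int]:
    """Read ZoneId from a Zone.Identifier ADS body (an ini [ZoneTransfer] section)."""
    text = data.decode("ascii", errors="replace")
    if "[ZoneTransfer]" not in text:
        return None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ZoneId" and value.strip().isdigit():
            return int(value.strip())
    return None


def triage(files: List[DroppedFile]) -> List[str]:
    findings = []
    for f in files:
        if is_self_copy(f):
            findings.append(f"{f.label}: byte-identical copy of the analysed sample")
        if looks_upx_packed(f):
            findings.append(f"{f.label}: UPX-packed PE (entropy {f.reported_entropy:.2f})")
        zone = parse_zone_id(f.preview)
        if zone is not None:
            findings.append(f"{f.label}: Zone.Identifier ZoneId={zone} "
                            f"({ZONE_NAMES.get(zone, 'unknown')})")
        # When the preview is the whole file, its entropy must match the reported one.
        if len(f.preview) == f.size and abs(shannon_entropy(f.preview) - f.reported_entropy) < 1e-9:
            findings.append(f"{f.label}: preview is the complete file (entropy matches the report)")
    return findings


# Records constructed from the values printed on this page.
ELEVATE_EXE = DroppedFile(
    "cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe", 7627560,
    "9A5C564F4095F7232DC6D422E12689FE", "AC6F4FAA193DE3E332FAEA713335F7596219B2CE",
    "C9A8360C43E59B41A21C155BE136A6A3D9B75519A200607277EF2DE2E17057A5", 7.943908022770192,
    # constructed stand-in for the PE header bytes, carrying the markers the preview shows
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00d\x86" + b"\x00" * 20
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00.rsrc")
ZONE_ADS = DroppedFile(
    "Zone.Identifier", 26,
    "187F488E27DB4AF347237FE461A079AD", "6693BA299EC1881249D59262276A0D2CB21F8E64",
    "255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309", 3.95006375643621,
    b"[ZoneTransfer]\r\n\r\nZoneId=0")  # reconstructed: the preview shows 4 non-printables

if __name__ == "__main__":
    for line in triage([ELEVATE_EXE, ZONE_ADS]):
        print(line)
```

ZoneId=0 is the Local Machine zone, so the stream carries no Internet Mark-of-the-Web; the report nonetheless marks it "Malicious: true" while rating its reputation "high, very likely benign file", which is worth keeping in mind when reading the per-file verdicts. The self-copy check explains why the dropped PE gets the same 0% ReversingLabs result as the sample: it is the sample.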
                                                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):5.8125
                                                            Encrypted:false
                                                            SSDEEP:3:BvBWf9/TIOM+C8uzP:7QJRJuj
                                                            MD5:1DE0E5C9E0FD29779584817408AF154F
                                                            SHA1:B8607296A4DCEC4B8B823E02FA16FE03CF028104
                                                            SHA-256:6BFC406CD250D36E665CA9146A86FF027E22C1BECCFBF8BFC9034ECBB058BEB8
                                                            SHA-512:55B00B03684A2F4C58BC1CCA2A28F09DBD8854B307DEB61EA8A776881665B3481F9BE8274EF518061660796BEE9435AA1C65F68168BB0E3BEAD8FAC724709174
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:...J.+.q....:.O......~4......(....,.6.<.....2.@\.%.+.#.K.jK..
                                                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):943
                                                            Entropy (8bit):4.930956779566037
                                                            Encrypted:false
                                                            SSDEEP:24:TS8zA7YOX8zA7YN8zA7Y+gAqHC247qz1Z2b+:TTzs5szsjzsst
                                                            MD5:3F3653F65C01FC68BDFE770BA2DDA1D0
                                                            SHA1:E65F0D42C47CAC5E5BBBC982DAEB4BEF43558978
                                                            SHA-256:0E01A1EAA6E0DFFA5485C38CA5F2D5CFDF9602B242C00570178D2649856FDE20
                                                            SHA-512:9D70626E3C3B42AD45D93CC25607B1E58222BE70332E95D76C925B82B6E91C13D978D5E4161C97EB3905EFA810E3A1AF2809DEE10F381880BF96E00F2F4A4E8E
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..11:04:52.824.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1024-0:1280 desktop: 0:1024-0:1280..11:04:52.826.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1024-0:1280 desktop: 0:1024-0:1280..11:04:52.827.INFO.BlackScreen initialized..11:04:52.827.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1024-0:1280 desktop: 0:1024-0:1280..11:04:52.827.INFO.Capture select monitor '\\.\DISPLAY1'..11:04:52.884.INFO.Capture set frame rate to 30..11:04:52.885.INFO.Child frame mark off..11:04:52.885.INFO.FrameMark hide frame..11:04:53.980.INFO.FrameMark hide frame..11:05:05.008.INFO.FrameMark hide frame..11:05:07.873.INFO.Opus compress stop..11:05:07.873.INFO.Capture capture stopped..11:05:07.884.INFO.Child get stop message..
                                                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):3293
                                                            Entropy (8bit):4.8686356371778405
                                                            Encrypted:false
                                                            SSDEEP:48:TCG+inb18M1lh5LZbtseMo3qpDACrIE7pwbiOg9dl4hY87x:Nfd3h5LZbtseMo3SkCrIE7pwbiOnx
                                                            MD5:7344B8E8FB5F9E52D01651395996B360
                                                            SHA1:B6C9DB96D1FB895C7AB1B6A2918D2FF937237566
                                                            SHA-256:EFE620A588447A0440DD8AC971970CAD009F168AF6B18446CC2F6A88BDC321CC
                                                            SHA-512:53D8E5E32312BA6506D7471F23214AB74AEEEE76C90C81FA7AFC7E01E8FFDAAD54F9A1711846B4C0B28689C154F89D549D7C39B1AC9A4A266418BDDBE7DBDEF3
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..11:04:52.796.INFO.Gui GUI started..11:04:52.884.INFO.Gui load data: 'this://app/main-turbo.htm'..11:04:52.905.INFO.Gui load data: 'this://app/common/zepto.min.js'..11:04:52.911.INFO.Gui load data: 'this://app/common/sciter.js'..11:04:52.916.INFO.Gui load data: 'this://app/ico/favicon.ico'..11:04:52.951.INFO.Gui document ready..11:04:52.973.INFO.Gui load data: 'this://app/lang/en.json'..11:04:52.986.INFO.Gui send event event-application-status: {"value":"connecting"}'..11:04:52.986.INFO.Gui send event event-install-status: {"value":false}'..11:04:52.987.INFO.Gui send event event-domain: {"value":""}'..11:04:52.987.INFO.Gui send event event-fastaccess-url: {"value":""}'..11:04:52.987.INFO.Gui send event event-fastaccess-code: {"value":""}'..11:04:52.987.INFO.Gui send eve
                                                            Process:C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:modified
                                                            Size (bytes):2945
                                                            Entropy (8bit):5.138681551852952
                                                            Encrypted:false
                                                            SSDEEP:48:Tvmkd1gbQ1fmHHM+w/Cd9dyv3eJIZpJIP2z7yAchSschI6Ve6MGEL+VThtchI9HY:jiwjpOAcws6e6MGhThtRH0C30rOEv
                                                            MD5:6374E3F4AE1FC0827A7093A9AD656B8A
                                                            SHA1:8F2AD6D14D50A367D5FC50CAE40339A3786E14A2
                                                            SHA-256:F0E52BAEA1A1CD7B080EC8E47B338BD6F7E2F4CD30A4068B5AD8435820D462F5
                                                            SHA-512:49BEA2ADEFD52DD62351D45C579D01054A14B6ED3C8CCC9E3DD86D59645177E2B698B915D9B094440E62CD390747825B89C9B4557F5A468E9CD60760BB3A1C87
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..11:04:48.968.INFO.Server start server run....11:04:48.969.INFO.Start Getscreen.me v 3.1.5 build 228 revision 0..11:04:49.416.ERROR.Service service 'GetscreenSV' not found..11:04:49.561.INFO.Service service 'GetscreenSV' installed..11:04:49.929.INFO.Service service 'GetscreenSV' start success..11:04:49.942.INFO.Service get control message 1..11:04:49.951.INFO.Capture capture stopped..11:04:49.954.INFO.FrameMark hide frame..11:04:51.128.INFO.Service service 'GetscreenSV' stop [0] (0)..11:04:51.629.INFO.Service service 'GetscreenSV' removed..11:04:51.646.INFO.Child success get system token..11:04:51.648.INFO.Child start child process simply..11:04:51.649.INFO.Shared remove shared memory 0000pipe0PCommand96jbkhndtrtyjfwyxgm1mii67kk80a3y..11:04:51.649.INFO.Shared create shared memory 0000pipe0PCommand96jbkhndt
                                                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):16777520
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:76E060E929A27A8F50A5EA6EDFC52356
                                                            SHA1:91B7BC99D759D84720B376F69BC934D75D9EC549
                                                            SHA-256:95F95F6678AD42DE249FE02F78472B553837B1E2AECD2F43B5715FAE9187FEAE
                                                            SHA-512:F1A361F28A87B18B8B5707BD3332E751EE30DFC5C9A32A4BBC39B7E8D5AC34385E96B49546003741A797C1A8E53537A91D5345DFCB1707BC65A483D458FD38FE
                                                            Malicious:false
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1310720
                                                            Entropy (8bit):0.8306936380587826
                                                            Encrypted:false
                                                            SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugA:gJjJGtpTq2yv1AuNZRY3diu8iBVqFq
                                                            MD5:F8B13378725A8ABBA5C5F4A8DBB76B3B
                                                            SHA1:477D2941CF829BFAD980102FC0D62C8D0BB62D18
                                                            SHA-256:A52A99EAB2F9FFD08772613885949C312F1E0166F0E47A70B45D87E3D3E16E5B
                                                            SHA-512:789FE6B439C6CE49215AA1F52EFCBCB29CCBCF6398CC06C40302981AEABE162E77CE85DF35913EFF99E92004EF83F7C8E924CA2BDC20A64E0BAE605CA28BDF99
                                                            Malicious:false
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0xaffeb7f8, page size 16384, DirtyShutdown, Windows version 10.0
                                                            Category:dropped
                                                            Size (bytes):1310720
                                                            Entropy (8bit):0.6585404071487256
                                                            Encrypted:false
                                                            SSDEEP:1536:xSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:xaza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                            MD5:60E3D50A169063FEC82FD8DE03A3347E
                                                            SHA1:F294173DF30B9A75115776457B1168540DB267FA
                                                            SHA-256:8AAD24B1FD7275B9FB47843C184C8FC3386876D4CEA2F637D9943F7A6CDAABC6
                                                            SHA-512:FBE67388883996EEFF79BB6B21EC51E45C271A141AFBAA74466A41CB0D9D38EF75FBBC509C11175B592D10ED04ACF34EFC76737880B5F415457245827E48756A
                                                            Malicious:false
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):16384
                                                            Entropy (8bit):0.079650656042485
                                                            Encrypted:false
                                                            SSDEEP:3:3w/KYeSajuZ6ekGuAJkhvekl1rxbllrekGltll/SPj:AKz6Ytrxl9Je3l
                                                            MD5:E2ADAE85CDEE97DF298069D592808613
                                                            SHA1:F2284F1207AA8EB6A785EA0C9281F352E7EE9554
                                                            SHA-256:9C3C0FC7A0E9AC4E8DDF033CAFDCA3490FA8ABF2FCBBC4A9BFD2425100CB20F4
                                                            SHA-512:BEA743D6443A5E39FB382364A467F174E467C117A8CAB7F36272781194A6445DD89B2BC74152F6482072999B5728513A597D8DC71CA1E4E1120EDD3053A9E619
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):5.84375
                                                            Encrypted:false
                                                            SSDEEP:3:BvBWf9/TIOMpFl8g:7QJROFz
                                                            MD5:653EDCA9A14BFFE49D4EB21CB70DCBF1
                                                            SHA1:4D7CAF204F36A40E0D399F1C8878DC761DAF48F1
                                                            SHA-256:D0261066BD4ECAB5C1BC394ED0C9C81F3DDF0FD3D590659E9572C3A68ACD77C8
                                                            SHA-512:6F8B4E9123BAAC7146FFFE61143686F9CAF0C3FEF83A4B0E64457E46665178E47CE9DA90E86E1B7D729D8B9C046DE09ECAF24A25D608ECBE3A553789EBE6F8F3
                                                            Malicious:false
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):55
                                                            Entropy (8bit):4.306461250274409
                                                            Encrypted:false
                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                            Malicious:false
                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Entropy (8bit):7.943908022770192
                                                            TrID:
                                                            • Win64 Executable GUI (202006/5) 81.26%
                                                            • UPX compressed Win32 Executable (30571/9) 12.30%
                                                            • Win64 Executable (generic) (12005/4) 4.83%
                                                            • Generic Win/DOS Executable (2004/3) 0.81%
                                                            • DOS Executable Generic (2002/1) 0.81%
                                                            File name:getscreen-868841125.exe
                                                            File size:7'627'560 bytes
                                                            MD5:9a5c564f4095f7232dc6d422e12689fe
                                                            SHA1:ac6f4faa193de3e332faea713335f7596219b2ce
                                                            SHA256:c9a8360c43e59b41a21c155be136a6a3d9b75519a200607277ef2de2e17057a5
                                                            SHA512:ef740aca09e47a27086fb53c93371c7aff383e981e54770a7568fab9377e18574da135d6d292d3a5aeb1930c4146605ff655e4d5e82b070449770edbb8f8b277
                                                            SSDEEP:98304:iT0vaR0C912Is4uDTlWDxqi/S/YMUXhoXueFkEu1WefOo6CMCFiATJsqU:E0sN4P3nixx/kYMUxaue+EuwcwCRo
                                                            TLSH:0276337A944E146DC6738276AE541E932E0B930DA4435AE8D68C9B9F1374EF00FE7387
                                                            Icon Hash:418c6963696c9643
                                                            Entrypoint:0x1421879d0
                                                            Entrypoint Section:UPX1
                                                            Digitally signed:true
                                                            Imagebase:0x140000000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x67178872 [Tue Oct 22 11:11:46 2024 UTC]
                                                            TLS Callbacks:0x42187c18, 0x1
                                                            CLR (.Net) Version:
                                                            OS Version Major:6
                                                            OS Version Minor:0
                                                            File Version Major:6
                                                            File Version Minor:0
                                                            Subsystem Version Major:6
                                                            Subsystem Version Minor:0
                                                            Import Hash:7c27dce4bef0d003a570ce3109e1f949
                                                            Signature Valid:true
                                                            Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                            Signature Validation Error:The operation completed successfully
                                                            Error Number:0
                                                            Not Before, Not After
                                                            • 28/05/2024 15:50:28 28/06/2026 16:36:10
                                                            Subject Chain
                                                            • CN=POINT B LTD, O=POINT B LTD, L=Limassol, S=Limassol, C=CY, OID.1.3.6.1.4.1.311.60.2.1.3=CY, SERIALNUMBER=HE 430957, OID.2.5.4.15=Private Organization
                                                            Version:3
                                                            Thumbprint MD5:9B083870477F4699693EEECABF351BF8
                                                            Thumbprint SHA-1:B3C999E29AED18DEA59733F3CAA94E788B1AC3A1
                                                            Thumbprint SHA-256:3E73B7C28C18DC6A03B9816F200365F1DF1FF80A7BD0D55DB920F1B24BBD74E7
                                                            Serial:7AE0E9C1CFE2DCE0E21C4327
                                                            Instruction
                                                            push ebx
                                                            push esi
                                                            push edi
                                                            push ebp
                                                            dec eax
                                                            lea esi, dword ptr [FF8C0625h]
                                                            dec eax
                                                            lea edi, dword ptr [esi-01A47000h]
                                                            push edi
                                                            xor ebx, ebx
                                                            xor ecx, ecx
                                                            dec eax
                                                            or ebp, FFFFFFFFh
                                                            call 00007F5F610CD6B5h
                                                            add ebx, ebx
                                                            je 00007F5F610CD664h
                                                            rep ret
                                                            mov ebx, dword ptr [esi]
                                                            dec eax
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            mov dl, byte ptr [esi]
                                                            rep ret
                                                            dec eax
                                                            lea eax, dword ptr [edi+ebp]
                                                            cmp ecx, 05h
                                                            mov dl, byte ptr [eax]
                                                            jbe 00007F5F610CD683h
                                                            dec eax
                                                            cmp ebp, FFFFFFFCh
                                                            jnbe 00007F5F610CD67Dh
                                                            sub ecx, 04h
                                                            mov edx, dword ptr [eax]
                                                            dec eax
                                                            add eax, 04h
                                                            sub ecx, 04h
                                                            mov dword ptr [edi], edx
                                                            dec eax
                                                            lea edi, dword ptr [edi+04h]
                                                            jnc 00007F5F610CD651h
                                                            add ecx, 04h
                                                            mov dl, byte ptr [eax]
                                                            je 00007F5F610CD672h
                                                            dec eax
                                                            inc eax
                                                            mov byte ptr [edi], dl
                                                            sub ecx, 01h
                                                            mov dl, byte ptr [eax]
                                                            dec eax
                                                            lea edi, dword ptr [edi+01h]
                                                            jne 00007F5F610CD652h
                                                            rep ret
                                                            cld
                                                            inc ecx
                                                            pop ebx
                                                            jmp 00007F5F610CD66Ah
                                                            dec eax
                                                            inc esi
                                                            mov byte ptr [edi], dl
                                                            dec eax
                                                            inc edi
                                                            mov dl, byte ptr [esi]
                                                            add ebx, ebx
                                                            jne 00007F5F610CD66Ch
                                                            mov ebx, dword ptr [esi]
                                                            dec eax
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            mov dl, byte ptr [esi]
                                                            jc 00007F5F610CD648h
                                                            lea eax, dword ptr [ecx+01h]
                                                            jmp 00007F5F610CD669h
                                                            dec eax
                                                            inc ecx
                                                            call ebx
                                                            adc eax, eax
                                                            inc ecx
                                                            call ebx
                                                            adc eax, eax
                                                            add ebx, ebx
                                                            jne 00007F5F610CD66Ch
                                                            mov ebx, dword ptr [esi]
                                                            dec eax
                                                            sub esi, FFFFFFFCh
                                                            adc ebx, ebx
                                                            mov dl, byte ptr [esi]
                                                            jnc 00007F5F610CD646h
                                                            sub eax, 03h
                                                            jc 00007F5F610CD67Bh
                                                            shl eax, 08h
                                                            movzx edx, dl
                                                            or eax, edx
                                                            dec eax
                                                            inc esi
                                                            xor eax, FFFFFFFFh
                                                            je 00007F5F610CD6BAh
                                                            sar eax, 1
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x111cc70 | 0x548c | UPX0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x218b338 | 0x8d8 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2189000 | 0x2338 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x20a8000 | 0x723c0 | UPX1
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x743400 | 0x2f28 | UPX0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x218bc10 | 0x2c | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x2187c40 | 0x28 | UPX1
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2188030 | 0x140 | UPX1
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x1a47000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x1a48000 | 0x741000 | 0x740200 | 4c967097f131aff1e1780575ff9d7f14 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2189000 | 0x3000 | 0x2e00 | 0577af4204cd6272d7113f80c4460d0d | False | 0.5467900815217391 | data | 5.88972477976154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x211b9e0 | 0x2 | ASCII text, with no line terminators | Russian | Russia | 5.0
INI | 0x2149d18 | 0xa | data | Russian | Russia | 1.8
LANG | 0x211e920 | 0x21ec | data | Russian | Russia | 0.9705204974666053
LANG | 0x2120b10 | 0x33d9 | data | Russian | Russia | 0.970617042115573
LANG | 0x2123ef0 | 0x2454 | data | Russian | Russia | 0.34720430107526884
LANG | 0x2126348 | 0x25b3 | data | Russian | Russia | 0.9348254066936069
LANG | 0x2128900 | 0x2454 | data | Russian | Russia | 0.9278494623655914
LANG | 0x212ad58 | 0x289b | data | Russian | Russia | 0.9302549302549302
LANG | 0x212d5f8 | 0x252c | data | Russian | Russia | 0.9330601092896175
LANG | 0x212fb28 | 0x1f5f | data | Russian | Russia | 0.9346283152782966
LANG | 0x2131a88 | 0x23ce | data | Russian | Russia | 0.9368317695832424
LANG | 0x2133e58 | 0x242e | DOS executable (COM) | Russian | Russia | 0.9326279421291298
LANG | 0x214ad00 | 0x2499 | data | English | United States | 0.9260326609029779
OPUS | 0x2136288 | 0xa5e5 | data | Russian | Russia | 0.9198003249428995
OPUS | 0x2140870 | 0x94a4 | data | Russian | Russia | 0.9161673499421844
RT_ICON | 0x211b9e8 | 0x139 | data | Russian | Russia | 1.035143769968051
RT_ICON | 0x211bb28 | 0x1ef | data | Russian | Russia | 1.0222222222222221
RT_ICON | 0x211bd18 | 0x225 | data | Russian | Russia | 1.0200364298724955
RT_ICON | 0x211bf40 | 0x26b | data | Russian | Russia | 1.0177705977382876
RT_ICON | 0x211c1b0 | 0x326 | data | Russian | Russia | 1.0024813895781637
RT_ICON | 0x211c4d8 | 0x402 | data | Russian | Russia | 1.010721247563353
RT_ICON | 0x21899e0 | 0x13b | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.034920634920635
RT_ICON | 0x2189b20 | 0x1c5 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0242825607064017
RT_ICON | 0x2189cec | 0x1ee | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0222672064777327
RT_ICON | 0x2189ee0 | 0x253 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0184873949579831
RT_ICON | 0x218a138 | 0x2e7 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0148048452220726
RT_ICON | 0x218a424 | 0x3ad | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0116896918172158
RT_ICON | 0x211d788 | 0x159 | data | Russian | Russia | 1.0318840579710145
RT_ICON | 0x211d8e8 | 0x1e6 | data | Russian | Russia | 1.022633744855967
RT_ICON | 0x211dad0 | 0x1f6 | data | Russian | Russia | 0.99800796812749
RT_ICON | 0x211dcc8 | 0x26d | data | Russian | Russia | 1.0177133655394526
RT_ICON | 0x211df38 | 0x31b | data | Russian | Russia | 1.0138364779874214
RT_ICON | 0x211e258 | 0x3e7 | COM executable for DOS | Russian | Russia | 0.977977977977978
RT_ICON | 0x2149d28 | 0x163 | data | | | 1.0309859154929577
RT_ICON | 0x2149e90 | 0x20d | data | | | 1.020952380952381
RT_ICON | 0x214a0a0 | 0x21b | data | | | 1.0204081632653061
RT_ICON | 0x214a2c0 | 0x282 | data | | | 1.017133956386293
RT_ICON | 0x214a548 | 0x33c | data | | | 0.9963768115942029
RT_ICON | 0x214a888 | 0x413 | data | | | 0.9798657718120806
RT_STRING | 0x214d1a0 | 0x38 | data | Russian | Russia | 1.1964285714285714
RT_GROUP_ICON | 0x218a7d8 | 0x5a | data | Russian | Russia | 0.8
RT_GROUP_ICON | 0x211c8e0 | 0x5a | data | Russian | Russia | 1.1222222222222222
RT_GROUP_ICON | 0x214aca0 | 0x5a | data | | | 1.1222222222222222
RT_GROUP_ICON | 0x211e640 | 0x5a | data | Russian | Russia | 1.1222222222222222
RT_VERSION | 0x218a838 | 0x27c | data | Russian | Russia | 0.4748427672955975
RT_MANIFEST | 0x218aab8 | 0x87f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2115), with CRLF line terminators | English | United States | 0.31264367816091954
DLL | Import
ADVAPI32.dll | FreeSid
COMCTL32.dll | ImageList_DrawEx
COMDLG32.dll | PrintDlgW
d3d11.dll | D3D11CreateDevice
dbghelp.dll | SymFromAddr
dxgi.dll | CreateDXGIFactory1
GDI32.dll | LineTo
gdiplus.dll | GdipFree
IMM32.dll | ImmIsIME
IPHLPAPI.DLL | GetIfEntry2
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
MPR.dll | WNetGetConnectionW
msdmo.dll | MoInitMediaType
msi.dll |
NETAPI32.dll | NetUserGetInfo
ntdll.dll | RtlGetVersion
NTDSAPI.dll | DsMakeSpnW
ole32.dll | DoDragDrop
OLEACC.dll | LresultFromObject
OLEAUT32.dll | SafeArrayGetElement
POWRPROF.dll | PowerGetActiveScheme
RPCRT4.dll | UuidEqual
SAS.dll | SendSAS
Secur32.dll | DeleteSecurityContext
SHELL32.dll |
SHLWAPI.dll | PathIsRelativeA
USER32.dll | GetDC
USERENV.dll | CreateEnvironmentBlock
USP10.dll | ScriptPlace
VERSION.dll | VerQueryValueW
WINHTTP.dll | WinHttpOpen
WININET.dll | InternetOpenA
WINMM.dll | waveInOpen
WINSPOOL.DRV |
WS2_32.dll | accept
WTSAPI32.dll | WTSFreeMemory
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-06T10:36:14.380599+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.5 | 49712 | TCP
2024-11-06T10:36:53.152496+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.5 | 49913 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 6, 2024 10:36:00.279138088 CET | 192.168.2.5 | 1.1.1.1 | 0xc07 | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
Nov 6, 2024 10:36:13.002764940 CET | 192.168.2.5 | 1.1.1.1 | 0x63bc | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 6, 2024 10:36:00.286772013 CET | 1.1.1.1 | 192.168.2.5 | 0xc07 | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 10:36:00.286772013 CET | 1.1.1.1 | 192.168.2.5 | 0xc07 | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 10:36:00.286772013 CET | 1.1.1.1 | 192.168.2.5 | 0xc07 | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 10:36:13.011508942 CET | 1.1.1.1 | 192.168.2.5 | 0x63bc | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 10:36:13.011508942 CET | 1.1.1.1 | 192.168.2.5 | 0x63bc | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
Nov 6, 2024 10:36:13.011508942 CET | 1.1.1.1 | 192.168.2.5 | 0x63bc | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
• getscreen.me
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 51.89.95.37 | 443 | 6460 | C:\Users\user\Desktop\getscreen-868841125.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-06 09:36:01 UTC | 363 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
2024-11-06 09:36:01 UTC | 354 | IN | HTTP/1.1 400 Bad Request
access-control-expose-headers: X-Js-Cache
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
x-js-cache: 82fdad5dae26df67fe35db92c8947469
date: Wed, 06 Nov 2024 09:36:01 GMT
content-length: 12
x-envoy-upstream-service-time: 6
server: ov1.getscreen.me
connection: close
2024-11-06 09:36:01 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49714 | 78.47.165.25 | 443 | 6460 | C:\Users\user\Desktop\getscreen-868841125.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-06 09:36:13 UTC | 363 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
2024-11-06 09:36:14 UTC | 354 | IN | HTTP/1.1 400 Bad Request
access-control-expose-headers: X-Js-Cache
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
x-js-cache: 82fdad5dae26df67fe35db92c8947469
date: Wed, 06 Nov 2024 09:36:14 GMT
content-length: 12
x-envoy-upstream-service-time: 2
server: lb1.getscreen.me
connection: close
2024-11-06 09:36:14 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request



Target ID: 0
Start time: 04:35:55
Start date: 06/11/2024
Path: C:\Users\user\Desktop\getscreen-868841125.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\getscreen-868841125.exe"
Imagebase: 0x7ff6edb60000
File size: 7'627'560 bytes
MD5 hash: 9A5C564F4095F7232DC6D422E12689FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 04:35:56
Start date: 06/11/2024
Path: C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\Getscreen.me\cuvzruqaiugsbcrywmwtwnufwuzsdlu-elevate.exe" -elevate \\.\pipe\elevateGS512cuvzruqaiugsbcrywmwtwnufwuzsdlu
Imagebase: 0x7ff6e9cd0000
File size: 7'627'560 bytes
MD5 hash: 9A5C564F4095F7232DC6D422E12689FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 04:35:59
Start date: 06/11/2024
Path: C:\Users\user\Desktop\getscreen-868841125.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97mtndswofgjjkzzi -gui
Imagebase: 0x7ff6edb60000
File size: 7'627'560 bytes
MD5 hash: 9A5C564F4095F7232DC6D422E12689FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 04:35:59
Start date: 06/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Imagebase: 0x7ff7e52b0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 04:35:59
Start date: 06/11/2024
Path: C:\Users\user\Desktop\getscreen-868841125.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96jbkhndtrtyjfwyx -cmem 0000pipe0PCommand96jbkhndtrtyjfwyxgm1mii67kk80a3y -child
Imagebase: 0x7ff6edb60000
File size: 7'627'560 bytes
MD5 hash: 9A5C564F4095F7232DC6D422E12689FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 6
Start time: 04:36:00
Start date: 06/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7e52b0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                            No disassembly