

Windows Analysis Report
getscreen-868841125.exe

Overview

General Information

Sample name:getscreen-868841125.exe
Analysis ID:1550005
MD5:9a5c564f4095f7232dc6d422e12689fe
SHA1:ac6f4faa193de3e332faea713335f7596219b2ce
SHA256:c9a8360c43e59b41a21c155be136a6a3d9b75519a200607277ef2de2e17057a5

Detection

Score:51
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:62
Range:0 - 100

Signatures

Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to disable installed Antivirus / HIPS / PFW
Yara detected Keylogger Generic
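The WMI signatures above are individually weak: any inventory or support tool reads Win32_Processor or Win32_DiskDrive. What the sandbox is reacting to is one process touching the whole set (BIOS, baseboard, computer system, processor, physical memory, disks, network adapters, sound device) in a short run. The following is an added example, not part of the Joe Sandbox report and not Getscreen.me code: it scores per-process WMI queries against exactly the classes the report names and flags a process only when it crosses several fingerprint categories. The one-line-per-query log format and all sample lines are constructed for the example (the report does not list the WQL text the sample used); the `pid=`/`image=`/`query=` layout is an assumption, not a Windows or Joe Sandbox format.

```python
"""Score WMI queries per process for the VM-fingerprinting cluster this
sandbox report flags. Added example; input format is constructed."""
import re
from collections import defaultdict

# WMI classes named in the report's signatures, grouped by what they reveal.
FINGERPRINT_CLASSES = {
    "win32_bios": "bios",
    "win32_baseboard": "bios",
    "win32_computersystem": "computer_system",
    "win32_processor": "processor",
    "win32_physicalmemory": "physical_memory",
    "win32_diskdrive": "disk",
    "win32_logicaldisk": "logical_disk",
    "win32_networkadapter": "network_adapter",
    "win32_sounddevice": "sound_device",
}

# Constructed log layout (assumption): one WQL query per line, tagged with pid and image.
LOG_LINE = re.compile(r"^pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+query=(?P<query>.+)$")
FROM_CLAUSE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)

# Constructed sample: the report's pid 1696 sweeping the fingerprint classes,
# plus two processes doing ordinary single-class inventory.
SAMPLE_LOG = """
pid=1696 image=getscreen-868841125.exe query=SELECT * FROM Win32_Bios
pid=1696 image=getscreen-868841125.exe query=SELECT * FROM Win32_BaseBoard
pid=1696 image=getscreen-868841125.exe query=SELECT * FROM Win32_ComputerSystem
pid=1696 image=getscreen-868841125.exe query=SELECT Name, NumberOfCores FROM Win32_Processor
pid=1696 image=getscreen-868841125.exe query=SELECT Capacity FROM Win32_PhysicalMemory
pid=1696 image=getscreen-868841125.exe query=SELECT Model, SerialNumber FROM Win32_DiskDrive
pid=1696 image=getscreen-868841125.exe query=SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
pid=1696 image=getscreen-868841125.exe query=SELECT MACAddress FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE
pid=1696 image=getscreen-868841125.exe query=SELECT * FROM Win32_SoundDevice
pid=2200 image=inventory-agent.exe query=select Name from win32_processor
pid=4100 image=monitoring.exe query=SELECT * FROM Win32_OperatingSystem
pid=4100 image=monitoring.exe query=SELECT Name, State FROM Win32_Service WHERE StartMode = 'Auto'
"""


def extract_wmi_class(wql):
    """Return the lower-cased class in the FROM clause, or None (e.g. ASSOCIATORS OF queries)."""
    m = FROM_CLAUSE.search(wql)
    return m.group(1).lower() if m else None


def parse_log(text):
    """Parse the constructed log into (pid, image, query) tuples; reject malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append((int(m["pid"]), m["image"], m["query"]))
    return events


def fingerprint_categories(events):
    """Map pid -> set of fingerprint categories hit; classes outside the table are ignored."""
    hits = defaultdict(set)
    for pid, _image, query in events:
        category = FINGERPRINT_CLASSES.get(extract_wmi_class(query))
        if category:
            hits[pid].add(category)
    return dict(hits)


def flag_processes(events, threshold=4):
    """pids that touched at least `threshold` distinct fingerprint categories."""
    return sorted(pid for pid, cats in fingerprint_categories(events).items()
                  if len(cats) >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pid, cats in sorted(fingerprint_categories(evs).items()):
        print(pid, sorted(cats))
    print("flagged:", flag_processes(evs))
```

The threshold is the design choice: at 1 the inventory agent is flagged alongside the sample, at 4 only the process that sweeps BIOS, CPU, memory, disk, NIC and audio together is, which is the behaviour the report's signature cluster describes.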

Classification

  • System is w10x64native
  • getscreen-868841125.exe (PID: 1696 cmdline: "C:\Users\user\Desktop\getscreen-868841125.exe" MD5: 9A5C564F4095F7232DC6D422E12689FE)
    • getscreen-868841125.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97qceoadxhjigniec -gui MD5: 9A5C564F4095F7232DC6D422E12689FE)
    • getscreen-868841125.exe (PID: 1920 cmdline: "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96azxqbincrzvxqvm -cmem 0000pipe0PCommand96azxqbincrzvxqvmsu32vpy4rp6lszo -child MD5: 9A5C564F4095F7232DC6D422E12689FE)
  • asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe (PID: 4408 cmdline: "C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe" -elevate \\.\pipe\elevateGS512asbjbuwegsczkjgwrynrzmlvudgqspc MD5: 9A5C564F4095F7232DC6D422E12689FE)
  • svchost.exe (PID: 4844 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup
No configs have been found
Source: Process Memory Space: getscreen-868841125.exe PID: 1696, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
    Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 860, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 4844, ProcessName: svchost.exe
    No Suricata rule has matched


    Compliance

    Source: getscreen-868841125.exeStatic PE information: certificate valid
    Source: getscreen-868841125.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: fwbase.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223556000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.00000242206AB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider64.pdbb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220614000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdbpdbdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222BE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220542000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msi.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242228D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: <9top\dll\rasadhlp.pdbbg\* source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222DB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222E76000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222B21000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222877000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223309000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222BE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdblaPru source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F24000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242225B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422321E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.000002422014B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.000002422053C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223734000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222E76000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbm source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Kernel.Appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223556000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242234FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222E14000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222A65000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223E19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222C5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222A0A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbdbN source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024224182000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242235B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: :samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221B33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Windows.UI.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbdbb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422372E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223279000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223105000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222C5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E73000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223775000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024224182000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.000002422053C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422304E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222D4E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F24000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220614000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222D4E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223775000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FirewallAPI.pdb]B source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: $.0x140D5D2E2841125.exeorye.pdbD!jQ" source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222E14000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223734000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078246018.000002422014B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222A0A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222FEF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdba.pdbX source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220145000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222EDB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdbdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223757000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FirewallAPI.pdbckr source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdbK![Q source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422373A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdbpdbM source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222FEF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024224244000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223EBE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdbs.datG source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222AC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242228D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wtsapi32.pdbbg source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.000002422268B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222877000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\advapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E6D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223740000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\InputHost.pdbB source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222AC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbdll source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\audioses.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\x64\Release\getscreen.pdb source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223E13000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024224244000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223EBE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422304E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223751000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DRV\winspool.pdbb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E79000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider64.pdb\*# source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E7F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.00000242241DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422321E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\cfgmgr32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223E19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.0000024222691000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdbb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242226EC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\bcryptprimitives.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UxTheme.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223160000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbssObjectm source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FWPolicyIOMgr.pdb5 source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422377B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdbdb5 source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222DB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242233D1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422372E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223E0D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223365000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422361A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\comctl32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.00000242206AB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E6D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.000002422268B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242235B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422373A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422361A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242233D1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UxTheme.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223160000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\cryptbase.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-868841125.exet.pdb*ha source: getscreen-868841125.exe, 00000000.00000002.20077502697.000002421E608000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E8B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220536000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E79000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078246018.000002422013F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WinTypes.pdbb.pdbM source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222BF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422374B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F2A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F2A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222BF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422375D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242226EC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220542000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Kernel.Appcore.pdbE source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdb.5 source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222CF4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422376F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdb\*b source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb64.dbg= source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222B21000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222C3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422336B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222F94000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242234FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222CF4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdb.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223105000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422377B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220536000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223751000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E8B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422376F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220145000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223757000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223279000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\kernelbase.pdb] source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222CB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E73000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\CoreUIComponents.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422342C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223DB3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.0000024222691000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222B81000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422375D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222A65000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E7F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F1E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222C96000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbpdbdbQ source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.00000242241DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223740000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\audioses.pdbpdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System32\en-US\fwpuclnt.dll.mui.pdb{ source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-868841125.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242225B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider64.pdbdb- source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F1E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223365000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdbK source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223309000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220614000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222F94000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdbll% source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222C3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider64.pdbdbdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422336B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: orye.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\TextInputFramework.pdb\* source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WinTypes.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MFWMAAEC.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.000002422013F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222EDB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222CB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.00000242206A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223DB3000.00000004.00000020.00020000.00000000.sdmp
    Source: Joe Sandbox View  IP Address: 78.47.165.25
    Source: unknown  UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic  HTTP traffic detected:
        GET /signal/agent HTTP/1.1
        Host: getscreen.me
        Upgrade: websocket
        Connection: Upgrade
        Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
        Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
        Origin: https://getscreen.me
        Sec-WebSocket-Protocol: chat, superchat
        Sec-WebSocket-Version: 13
        User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
    Source: global traffic  DNS traffic detected: DNS query: getscreen.me
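The handshake above is a standard RFC 6455 client upgrade, but two of its values are lifted verbatim from the RFC's own worked example: the key `dGhlIHNhbXBsZSBub25jZQ==` (base64 of "the sample nonce") and the subprotocol list `chat, superchat`. The key is not a secret (it only lets the client confirm the server understood the upgrade), so reusing it is not a vulnerability, but a constant key plus that protocol list and the `Getscreen.me/3.1.5` User-Agent make the agent's signalling connection easy to fingerprint on the wire, and a server accepting it must answer with the same `Sec-WebSocket-Accept` every time. The following Python is an added example, not Joe Sandbox or Getscreen.me code: it rebuilds the request from the report line (header order as printed and CRLF line endings are assumptions), parses it, derives the accept value the server must return and flags the RFC example constants.

```python
"""Fingerprint the WebSocket client handshake captured in this report.

Added example for this report, not Joe Sandbox or Getscreen.me code.
SAMPLE_REQUEST is reconstructed from the report's 'HTTP traffic detected'
line; the sandbox printed the headers joined together, so the header order
shown here and the CRLF line endings are assumptions."""
import base64
import hashlib
import re

# RFC 6455, section 4.2.2: GUID concatenated to the client key before SHA-1.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# RFC 6455, section 1.2: key and subprotocol list used in the RFC's own example.
RFC_EXAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
RFC_EXAMPLE_PROTOCOLS = ("chat", "superchat")

SAMPLE_REQUEST = (
    "GET /signal/agent HTTP/1.1\r\n"
    "Host: getscreen.me\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: https://getscreen.me\r\n"
    "Sec-WebSocket-Protocol: chat, superchat\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)\r\n"
    "\r\n"
)


def parse_request(raw):
    """Return (method, target, headers) for an HTTP/1.1 request; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def expected_accept(client_key):
    """Sec-WebSocket-Accept a conforming server must return for this key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def key_well_formed(client_key):
    """RFC 6455 requires base64 of exactly 16 bytes, chosen randomly per connection."""
    try:
        return len(base64.b64decode(client_key, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def fingerprint(raw):
    """Summarise what the handshake reveals about the client."""
    method, target, h = parse_request(raw)
    key = h.get("sec-websocket-key", "")
    protocols = tuple(
        p.strip() for p in h.get("sec-websocket-protocol", "").split(",") if p.strip()
    )
    version = re.match(r"Getscreen\.me/(\d+(?:\.\d+)*)", h.get("user-agent", ""))
    return {
        "is_websocket_upgrade": (
            method == "GET"
            and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower()
            and h.get("sec-websocket-version") == "13"
        ),
        "host": h.get("host"),
        "target": target,
        "origin": h.get("origin"),
        "key_well_formed": key_well_formed(key),
        "key_is_rfc_example": key == RFC_EXAMPLE_KEY,
        "protocols_are_rfc_example": protocols == RFC_EXAMPLE_PROTOCOLS,
        "expected_accept": expected_accept(key) if key else None,
        "agent_version": version.group(1) if version else None,
    }


if __name__ == "__main__":
    for name, value in fingerprint(SAMPLE_REQUEST).items():
        print(f"{name:28} {value}")
```

Run stand-alone it prints the summary. The derived accept value equals the one in the RFC's example, which is a quick confirmation that the captured key really is the RFC's, and the `key_is_rfc_example` plus `protocols_are_rfc_example` pair is the part worth carrying into a network signature, since a client that randomised its key would never trip it.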
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: getscreen-868841125.exe, 00000000.00000002.20078832413.00000242204C5000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://crl3.digic
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://ocsp.digicert.com0A
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://ocsp.digicert.com0C
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://ocsp.digicert.com0X
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://ocsp.globalsign.com/rootr30;
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://proxy.contoso.com:3128/
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
    Source: getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: http://www.winimage.com/zLibDll
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://docs.g
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://docs.ge
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://docs.getsa
    Source: getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp  String found in binary or memory: https://docs.getsc
    Source: getscreen-868841125.exe, 00000004.00000002.20131438796.000002288EDA2000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://docs.getscre
    Source: getscreen-868841125.exe, 00000005.00000003.20103450809.000001D106222000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-policy/
    Source: getscreen-868841125.exe, 00000005.00000003.20103450809.000001D106222000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://docs.getscreen.me/en/rules/terms-of-use/
    Source: getscreen-868841125.exe, 00000004.00000003.20111520772.0000022895462000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000002.20135395088.0000022895496000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20105908331.0000022895496000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20070244582.0000022895495000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000002.20135236501.0000022895461000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20116824816.000002289545E000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000002.20134597447.00000228952FD000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20109273518.00000228952FA000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20114055296.0000022895496000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20129880855.0000022895460000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://docs.getscreen.me/user-guides/agent/
    Source: getscreen-868841125.exe, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  String found in binary or memory: https://www.globalsign.com/repository/0
    Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49750
    Source: unknown  Network traffic detected: HTTP traffic on port 49750 -> 443
    Source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242220DF000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: NtUserGetRawInputDatamemstr_af0dea05-3
    Source: Yara match  File source: Process Memory Space: getscreen-868841125.exe PID: 1696, type: MEMORYSTR
    Source: getscreen-868841125.exe  Static PE information: Resource name: LANG type: DOS executable (COM)
    Source: getscreen-868841125.exe  Static PE information: Resource name: RT_ICON type: COM executable for DOS
    Source: asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  Static PE information: Resource name: LANG type: DOS executable (COM)
    Source: asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr  Static PE information: Resource name: RT_ICON type: COM executable for DOS
    Source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OriginalFilenamemswsock.dll.muij% vs getscreen-868841125.exe
    Source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OriginalFilenamedxgi.dllj% vs getscreen-868841125.exe
    Source: getscreen-868841125.exe, 00000000.00000002.20081136428.000002422223C000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameSAMLib.DLLj% vs getscreen-868841125.exe
    Source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E8B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OriginalFilenameMMDevAPI.Dll.MUIj% vs getscreen-868841125.exe
    Source: getscreen-868841125.exe, 00000000.00000000.20024888627.00007FF776D39000.00000008.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
    Source: getscreen-868841125.exe, 00000000.00000002.20096231759.00007FF776D39000.00000004.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
    Source: getscreen-868841125.exe, 00000004.00000002.20141596229.00007FF776D39000.00000004.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
    Source: getscreen-868841125.exe, 00000004.00000000.20064975823.00007FF776D39000.00000008.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
    Source: getscreen-868841125.exe, 00000005.00000000.20065269704.00007FF776D39000.00000008.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
    Source: getscreen-868841125.exe, 00000005.00000002.20110450481.00007FF776D39000.00000004.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
    Source: getscreen-868841125.exe  Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-868841125.exe
    Source: classification engine  Classification label: mal51.evad.winEXE@8/10@1/1
    Source: C:\Users\user\Desktop\getscreen-868841125.exeFile created: C:\Users\user\AppData\Local\Getscreen.meJump to behavior
    Source: C:\Users\user\Desktop\getscreen-868841125.exeMutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
    Source: C:\Users\user\Desktop\getscreen-868841125.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-868841125.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-868841125.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\getscreen-868841125.exeFile read: C:\Users\user\Desktop\getscreen-868841125.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe"
    Source: unknownProcess created: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe "C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe" -elevate \\.\pipe\elevateGS512asbjbuwegsczkjgwrynrzmlvudgqspc
    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    Source: C:\Users\user\Desktop\getscreen-868841125.exeProcess created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97qceoadxhjigniec -gui
    Source: C:\Users\user\Desktop\getscreen-868841125.exeProcess created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96azxqbincrzvxqvm -cmem 0000pipe0PCommand96azxqbincrzvxqvmsu32vpy4rp6lszo -child
    Source: C:\Users\user\Desktop\getscreen-868841125.exeProcess created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97qceoadxhjigniec -guiJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96azxqbincrzvxqvm -cmem 0000pipe0PCommand96azxqbincrzvxqvmsu32vpy4rp6lszo -childJump to behavior
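The process-creation rows above show the pattern worth recognizing in endpoint telemetry: a helper dropped to C:\ProgramData and started with -elevate plus a named pipe, and a -child instance whose parent is the Secondary Logon service host (svchost.exe -s seclogon), which is the parent Windows reports for processes started through CreateProcessWithLogonW or CreateProcessWithTokenW. The script below is an added example, not part of the report or of any vendor code. It replays those rows as constructed Sysmon-style process-creation records (the pids are arbitrary and a ppid of 0 stands for the report's "unknown" parent), extracts the pipe names from -cpipe, -gpipe and -elevate arguments, and flags execution from ProgramData and non-Windows children of the seclogon host.

```python
"""Triage the report's process tree as constructed Sysmon-style process-creation
records. The records mirror the "Process created" rows above; they are not real
telemetry from the sandbox run, and the pids are arbitrary."""
import re

# ppid 0 = parent given as "unknown" in the report.
EVENTS = [
    {"pid": 100, "ppid": 0, "image": r"C:\Users\user\Desktop\getscreen-868841125.exe",
     "cmd": r'"C:\Users\user\Desktop\getscreen-868841125.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\user\Desktop\getscreen-868841125.exe",
     "cmd": r'"C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97qceoadxhjigniec -gui'},
    {"pid": 102, "ppid": 0,
     "image": r"C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe",
     "cmd": r'"C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe" -elevate \\.\pipe\elevateGS512asbjbuwegsczkjgwrynrzmlvudgqspc'},
    {"pid": 103, "ppid": 0, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon"},
    {"pid": 104, "ppid": 103, "image": r"C:\Users\user\Desktop\getscreen-868841125.exe",
     "cmd": r'"C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96azxqbincrzvxqvm -cmem 0000pipe0PCommand96azxqbincrzvxqvmsu32vpy4rp6lszo -child'},
]

# Named-pipe argument as seen in the rows: -cpipe / -gpipe / -elevate followed by \\.\pipe\<name>
PIPE_ARG = re.compile(r'-(?:cpipe|gpipe|elevate)\s+(\\\\\.\\pipe\\[^\s"]+)')


def pipe_names(cmd):
    """Return every \\.\pipe\<name> passed through a pipe switch on the command line."""
    return PIPE_ARG.findall(cmd)


def is_seclogon_host(ev):
    """True for the Secondary Logon service host (svchost.exe ... -s seclogon)."""
    return ev["image"].lower().endswith("\\svchost.exe") and "-s seclogon" in ev["cmd"].lower()


def triage(events):
    """Return rule hits as (pid, rule_name) plus the pipe names per pid."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings, pipes = [], {}
    for ev in events:
        image = ev["image"].lower()
        names = pipe_names(ev["cmd"])
        if names:
            pipes[ev["pid"]] = names
        # Executables under C:\ProgramData are writable by standard users.
        if image.startswith("c:\\programdata\\"):
            findings.append((ev["pid"], "programdata_execution"))
        # A seclogon child living outside C:\Windows means a non-OS binary was
        # launched through CreateProcessWithLogonW/CreateProcessWithTokenW.
        parent = by_pid.get(ev["ppid"])
        if parent and is_seclogon_host(parent) and not image.startswith("c:\\windows\\"):
            findings.append((ev["pid"], "seclogon_child_outside_windows"))
    return {"findings": findings, "pipes": pipes}


if __name__ == "__main__":
    result = triage(EVENTS)
    for pid, rule in result["findings"]:
        print(f"pid {pid}: {rule}")
    for pid, names in result["pipes"].items():
        print(f"pid {pid}: pipes {names}")
```

On a real host the same two rules run over Sysmon Event ID 1 (Image, CommandLine, ParentImage, ParentCommandLine); the pipe names are per-run random suffixes, so they are useful for correlating the parent, GUI and child instances of one run, not as static indicators.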
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dsparse.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: firewallapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: fwbase.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: mmdevapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: devobj.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: avrt.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: mfwmaaec.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: audioses.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: avrt.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: windows.ui.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: windowmanagementapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: inputhost.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: winsta.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: samlib.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: symsrv.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: d3d11.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: dbghelp.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: dxgi.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: iphlpapi.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: mpr.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: msdmo.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: msi.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: netapi32.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: ntdsapi.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: oleacc.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: powrprof.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: sas.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: secur32.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: userenv.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: usp10.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: version.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: winhttp.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: wininet.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: winmm.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: wtsapi32.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: samcli.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: dsparse.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: sspicli.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: edgegdi.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: umpdc.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: cryptbase.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: netutils.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: kernel.appcore.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: windows.storage.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: wldp.dll
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: edgegdi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: seclogon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dsparse.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: d2d1.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dwrite.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dataexchange.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dcomp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: directmanipulation.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: resourcepolicyclient.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dxcore.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: mscms.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: coloradapterclient.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: icm32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: uiautomationcore.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: dsparse.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Section loaded: winsta.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
    Source: getscreen-868841125.exe | Static PE information: certificate valid
    Source: getscreen-868841125.exe | Static PE information: Image base 0x140000000 > 0x60000000
    Source: getscreen-868841125.exe | Static file information: File size 7627560 > 1048576
    Source: getscreen-868841125.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x740200
    Source: getscreen-868841125.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
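The static rows above can be re-derived from the PE headers directly, which is useful when a report is all you have and you want to confirm a finding against the file itself. The following is an added example, not code from the report or from the Getscreen.me project: it parses a PE32+ header with the standard library only and applies the same thresholds the rows use (image base above 0x60000000, file size above 1 MiB, any section with more than 0x100000 bytes of raw data, the DllCharacteristics flags, and whether a security directory is present). The PE it runs on is a constructed stand-in carrying the header values the report lists (a 64-bit image based at 0x140000000 with a large UPX1 section), not the sample itself, and "certificate present" records only that an Authenticode blob exists; checking that the signature is valid needs a real verifier.

```python
"""Re-derive the report's 'Static PE information' rows from a PE32+ header using only
the standard library. The image built by build_synthetic_pe() is a constructed
stand-in with the report's header values, not the analysed sample."""
import struct

PE32PLUS_MAGIC = 0x20B
SECURITY_DIRECTORY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset + size of the Authenticode blob
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe32plus(data):
    """Return image base, DllCharacteristics, security-directory size and (name, raw size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (64-bit) images are handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    sec_dir_size = 0
    if num_dirs > SECURITY_DIRECTORY:
        sec_dir_size = struct.unpack_from("<II", data, opt + 112 + 8 * SECURITY_DIRECTORY)[1]
    sections, table = [], opt + size_of_opt               # IMAGE_SECTION_HEADER, 40 bytes each
    for i in range(num_sections):
        name, _vsize, _va, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size))
    return {"image_base": image_base, "dll_characteristics": dll_chars,
            "security_dir_size": sec_dir_size, "sections": sections}


def static_findings(data):
    """Apply the report's thresholds and return the findings as strings, in the report's order."""
    pe = parse_pe32plus(data)
    findings = []
    if pe["image_base"] > 0x60000000:
        findings.append(f"Image base 0x{pe['image_base']:x} > 0x60000000")
    if len(data) > 1048576:
        findings.append(f"File size {len(data)} > 1048576")
    for name, raw_size in pe["sections"]:
        if raw_size > 0x100000:
            findings.append(f"Raw size of {name} is bigger than: 0x100000 < 0x{raw_size:x}")
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_characteristics"] & bit]
    if flags:
        findings.append(", ".join(flags))
    if pe["security_dir_size"]:
        findings.append("certificate present")           # presence only, the chain is not validated
    return findings


def build_synthetic_pe(image_base, dll_characteristics, sections, signed):
    """Constructed PE32+ image: consistent headers plus zero-filled section bodies (not runnable code)."""
    e_lfanew, size_of_opt = 0x80, 112 + 16 * 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_of_opt, 0x22)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    raw_ptr = e_lfanew + 4 + 20 + size_of_opt + 40 * len(sections)
    table, body, va = b"", b"", 0x1000
    for name, raw_size in sections:
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), raw_size, va, raw_size, raw_ptr)
        table += b"\0" * 16
        raw_ptr += raw_size
        va += max(raw_size, 0x1000)
        body += b"\0" * raw_size
    if signed:  # point the security directory at an 8-byte placeholder WIN_CERTIFICATE
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIRECTORY, raw_ptr, 8)
        body += b"\0" * 8
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body


if __name__ == "__main__":
    sample = build_synthetic_pe(0x140000000, 0x0020 | 0x0040 | 0x0100 | 0x8000,
                                [("UPX0", 0), ("UPX1", 0x740200), (".rsrc", 0x2000)], signed=True)
    for line in static_findings(sample):
        print(line)
```

To run it against a real file, replace the synthetic image with `open(path, "rb").read()`; the parser deliberately refuses 32-bit (PE32) images rather than silently reading the wrong offsets, since ImageBase is 4 bytes there and the fields after it shift.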
    Source: Binary string: fwbase.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223556000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.00000242206AB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider64.pdbb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220614000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdbpdbdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222BE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220542000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msi.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242228D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: <9top\dll\rasadhlp.pdbbg\* source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222DB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222E76000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222B21000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222877000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223309000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222BE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdblaPru source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F24000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242225B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422321E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.000002422014B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.000002422053C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223734000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222E76000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbm source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Kernel.Appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223556000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242234FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222E14000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222A65000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223E19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222C5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222A0A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbdbN source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024224182000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242235B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: :samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221B33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Windows.UI.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbdbb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422372E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223279000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223105000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222C5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E73000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223775000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024224182000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.000002422053C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422304E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222D4E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F24000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220614000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222D4E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223775000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FirewallAPI.pdb]B source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: $.0x140D5D2E2841125.exeorye.pdbD!jQ" source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222E14000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223734000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078246018.000002422014B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222A0A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222FEF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdba.pdbX source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220145000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222EDB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdbdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223757000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FirewallAPI.pdbckr source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdbK![Q source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422373A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdbpdbM source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222FEF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024224244000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223EBE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdbs.datG source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222AC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242228D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wtsapi32.pdbbg source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.000002422268B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222877000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\advapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E6D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223740000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\InputHost.pdbB source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222AC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbdll source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\audioses.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\x64\Release\getscreen.pdb source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223E13000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024224244000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223EBE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422304E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223751000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DRV\winspool.pdbb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E79000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider64.pdb\*# source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E7F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.00000242241DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422321E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\cfgmgr32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223E19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.0000024222691000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdbb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242226EC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\bcryptprimitives.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UxTheme.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223160000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbssObjectm source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FWPolicyIOMgr.pdb5 source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422377B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdbdb5 source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222DB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242233D1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422372E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223E0D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223365000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422361A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\comctl32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.00000242206AB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E6D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.000002422268B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242235B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422373A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422361A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242233D1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UxTheme.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223160000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\cryptbase.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-868841125.exet.pdb*ha source: getscreen-868841125.exe, 00000000.00000002.20077502697.000002421E608000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E8B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220536000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E79000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078246018.000002422013F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WinTypes.pdbb.pdbM source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222BF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422374B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F2A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F2A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222BF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422375D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242226EC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220542000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Kernel.Appcore.pdbE source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdb.5 source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222CF4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422376F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdb\*b source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb64.dbg= source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222B21000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222C3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422336B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222F94000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.00000242234FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222CF4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdb.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223105000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422377B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220536000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223751000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E8B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422376F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220145000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223757000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223279000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\kernelbase.pdb] source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222CB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E73000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\CoreUIComponents.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422342C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223DB3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20081136428.0000024222691000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222B81000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422375D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222A65000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E7F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F1E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222C96000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbpdbdbQ source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20089107523.00000242241DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223740000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\audioses.pdbpdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System32\en-US\fwpuclnt.dll.mui.pdb{ source: getscreen-868841125.exe, 00000000.00000002.20078246018.00000242200F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb source: getscreen-868841125.exe, 00000000.00000002.20080139153.0000024221E85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-868841125.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242225B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider64.pdbdb- source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223F1E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223365000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdbK source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220511000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024223309000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20078832413.0000024220614000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb0 source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222F94000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdbll% source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222C3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider64.pdbdbdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.000002422336B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: orye.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220121000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\TextInputFramework.pdb\* source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WinTypes.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MFWMAAEC.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.0000024220107000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: getscreen-868841125.exe, 00000000.00000002.20078246018.000002422013F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-868841125.exe, 00000000.00000002.20083200217.0000024222EDB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-868841125.exe, 00000000.00000002.20081136428.00000242222CB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-868841125.exe, 00000000.00000002.20078832413.00000242206A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-868841125.exe, 00000000.00000002.20089107523.0000024223DB3000.00000004.00000020.00020000.00000000.sdmp
    Source: asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe.0.dr Static PE information: real checksum: 0x7518c8 should be: 0x74d76b
    Source: getscreen-868841125.exe Static PE information: real checksum: 0x7518c8 should be: 0x74d76b
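The "real checksum ... should be" finding above is the result of recomputing IMAGE_OPTIONAL_HEADER.CheckSum over the file and comparing it with the stored value. The Python below is an added example, not part of the Joe Sandbox report or of the Getscreen.me agent, that reproduces that check so an analyst can confirm it on the dropped file. It implements the same algorithm as imagehlp!CheckSumMappedFile and assumes the standard header layout (PE signature, 20-byte COFF header, CheckSum at offset 64 of the optional header) with a dword-aligned e_lfanew; the 256-byte MZ/PE blob it builds is constructed for the demonstration and is not the sample.

```python
import struct
import sys


def checksum_field_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    Assumes the standard layout: e_lfanew -> "PE\\0\\0" (4 bytes), then the
    20-byte COFF file header, then the optional header, whose CheckSum field
    sits at offset 64 for both PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    off = e_lfanew + 4 + 20 + 64
    if off % 4:  # the dword walk below relies on the field being dword-aligned
        raise ValueError("CheckSum field is not dword-aligned")
    return off


def compute_pe_checksum(data: bytes) -> int:
    """Recompute CheckSum the way imagehlp!CheckSumMappedFile does: add every
    little-endian dword (the CheckSum field itself skipped) with end-around
    carry, fold the sum to 16 bits, then add the unpadded file size."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)  # pad a trailing partial dword
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_report(data: bytes) -> dict:
    """The comparison the report line expresses as 'real checksum: X should be: Y'."""
    stored, computed = stored_pe_checksum(data), compute_pe_checksum(data)
    return {"stored": stored, "computed": computed, "valid": stored == computed}


def set_pe_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written in (what the linker does at build time)."""
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, checksum_field_offset(data), compute_pe_checksum(data))
    return bytes(fixed)


def build_sample_image(stored_checksum: int) -> bytes:
    """Constructed 256-byte stand-in for a PE file (not the sample from the report):
    only the e_lfanew pointer, the PE signature and the CheckSum field are set."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew -> 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 4 + 20 + 64, stored_checksum)
    return bytes(img)


if __name__ == "__main__":
    # Pass a real PE path to check it; with no argument the constructed image is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(0xDEADBEEF)
    r = checksum_report(data)
    state = "valid" if r["valid"] else "INVALID"
    print(f"real checksum: {r['stored']:#x} should be: {r['computed']:#x} ({state})")
```

Run it against C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe to reproduce the 0x7518c8 / 0x74d76b pair. The loader only validates CheckSum for kernel-mode images and a few boot-critical system DLLs, so a stale value on a user-mode executable is common whenever a file is modified after linking by a tool that does not rewrite the field, and on its own it is a weak indicator.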
    Source: initial sample Static PE information: section name: UPX0
    Source: initial sample Static PE information: section name: UPX1
    Source: C:\Users\user\Desktop\getscreen-868841125.exe File created: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-868841125.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-868841125.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 8
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 7
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | System information queried: FirmwareTableInformation
    Source: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | System information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\getscreen-868841125.exe TID: 4780 | Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\getscreen-868841125.exe TID: 2396 | Thread sleep count: 228 > 30
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Last function: Thread delayed
    Source: getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
    Source: getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VMnet
    Source: getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
    Source: getscreen-868841125.exe, 00000004.00000003.20125926193.000002289094F000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20126824847.0000022890959000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000002.20131438796.000002288EDA2000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20129734098.000002289095E000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20116747246.000002289094D000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20114811845.0000022890945000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: getscreen-868841125.exe, 00000004.00000003.20125926193.000002289094F000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20126824847.0000022890959000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20129734098.000002289095E000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20116747246.000002289094D000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20114811845.0000022890945000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
    Source: getscreen-868841125.exe, 00000000.00000002.20077502697.000002421E655000.00000004.00000020.00020000.00000000.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047037603.0000020551A81000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000005.00000003.20102988131.000001D1061E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Process queried: DebugPort
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-868841125.exe "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96azxqbincrzvxqvm -cmem 0000pipe0PCommand96azxqbincrzvxqvmsu32vpy4rp6lszo -child
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: getscreen-868841125.exe, 00000000.00000002.20081136428.000002422216D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
    Source: getscreen-868841125.exe, 00000000.00000002.20081136428.000002422216D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
    Source: C:\Users\user\Desktop\getscreen-868841125.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts631
    Windows Management Instrumentation
    1
    DLL Side-Loading
    12
    Process Injection
    1
    Masquerading
    11
    Input Capture
    731
    Security Software Discovery
    Remote Services11
    Input Capture
    1
    Encrypted Channel
    Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading
    1
    Disable or Modify Tools
    LSASS Memory541
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable Media1
    Ingress Tool Transfer
    Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)541
    Virtualization/Sandbox Evasion
    Security Account Manager2
    Process Discovery
    SMB/Windows Admin SharesData from Network Shared Drive2
    Non-Application Layer Protocol
    Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
    Process Injection
    NTDS132
    System Information Discovery
    Distributed Component Object ModelInput Capture3
    Application Layer Protocol
    Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    Obfuscated Files or Information
    LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    Software Packing
    Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
    DLL Side-Loading
    DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
    Source | Detection | Scanner | Label | Link
    getscreen-868841125.exe | 0% | ReversingLabs
    Source | Detection | Scanner | Label | Link
    C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe | 0% | ReversingLabs
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://docs.getscre | 0% | Avira URL Cloud | safe
    https://docs.getsa | 0% | Avira URL Cloud | safe
    https://docs.getsc | 0% | Avira URL Cloud | safe
    https://docs.getscreen.me/user-guides/agent/ | 0% | Avira URL Cloud | safe
    https://docs.ge | 0% | Avira URL Cloud | safe
    https://docs.getscreen.me/en/rules/terms-of-use/ | 0% | Avira URL Cloud | safe
    http://proxy.contoso.com:3128/ | 0% | Avira URL Cloud | safe
    https://docs.g | 0% | Avira URL Cloud | safe
    http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
    http://crl3.digic | 0% | Avira URL Cloud | safe
    https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | 0% | Avira URL Cloud | safe
    https://docs.getscreen.me/en/rules/privacy-policy/ | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    getscreen.me | 78.47.165.25 | true | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    https://getscreen.me/signal/agent | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://docs.ge | getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    http://proxy.contoso.com:3128/ | getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscreen.me/user-guides/agent/ | getscreen-868841125.exe, 00000004.00000003.20111520772.0000022895462000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000002.20135395088.0000022895496000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20105908331.0000022895496000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20070244582.0000022895495000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000002.20135236501.0000022895461000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20116824816.000002289545E000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000002.20134597447.00000228952FD000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20109273518.00000228952FA000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20114055296.0000022895496000.00000004.00000020.00020000.00000000.sdmp, getscreen-868841125.exe, 00000004.00000003.20129880855.0000022895460000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscre | getscreen-868841125.exe, 00000004.00000002.20131438796.000002288EDA2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://crl3.digic | getscreen-868841125.exe, 00000000.00000002.20078832413.00000242204C5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.winimage.com/zLibDll | getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.g | getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscreen.me/en/rules/terms-of-use/ | getscreen-868841125.exe, 00000005.00000003.20103450809.000001D106222000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getsc | getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getsa | getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B06BC000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF775A4C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
    https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | getscreen-868841125.exe, 00000000.00000002.20091890010.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe, 00000002.00000002.20047677032.00007FF7B0221000.00000040.00000001.01000000.00000004.sdmp, getscreen-868841125.exe, 00000004.00000002.20137396403.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-868841125.exe, 00000005.00000002.20105557279.00007FF7755B1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscreen.me/en/rules/privacy-policy/ | getscreen-868841125.exe, 00000005.00000003.20103450809.000001D106222000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    78.47.165.25 | getscreen.me | Germany | | 24940 | HETZNER-ASDE | false
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1550005
          Start date and time:2024-11-06 10:41:33 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 7m 24s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
          Run name:Suspected VM Detection
          Number of analysed new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:getscreen-868841125.exe
          Detection:MAL
          Classification:mal51.evad.winEXE@8/10@1/1
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          • VT rate limit hit for: getscreen-868841125.exe
    Time | Type | Description
    04:43:44 | API Interceptor | 1x Sleep call for process: getscreen-868841125.exe modified
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    78.47.165.25 | getscreen-120727697-x86.exe | malicious | Unknown
     | getscreen-669912037.exe | malicious | Unknown
     | getscreen-456311346-x86.exe | malicious | Unknown
     | getscreen-941605629.exe | malicious | Unknown
     | getscreen-156413884-x86.exe | malicious | Unknown
     | getscreen-511588515.exe | malicious | Unknown
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    getscreen.me | getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
     | getscreen-669912037.exe | malicious | Unknown | 51.89.95.37
     | getscreen-120727697-x86.exe | malicious | Unknown | 51.89.95.37
     | getscreen-669912037.exe | malicious | Unknown | 5.75.168.191
     | getscreen-456311346-x86.exe | malicious | Unknown | 78.47.165.25
     | getscreen-456311346-x86.exe | malicious | Unknown | 5.75.168.191
     | getscreen-941605629.exe | malicious | Unknown | 78.47.165.25
     | getscreen-941605629-x86.exe | malicious | Unknown | 5.75.168.191
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    HETZNER-ASDE | Anfrage24438.exe | malicious | FormBook, GuLoader | 188.40.95.144
     | DeGrsOm654.exe | malicious | Quasar | 195.201.57.90
     | PO_11000262.vbs | malicious | FormBook | 148.251.114.233
     | 5112024976.exe | malicious | FormBook, GuLoader | 188.40.95.144
     | https://me-qr.com/f/tritonstone?hash= | malicious | Unknown | 49.12.126.78
     | EQ_AW24 New Order Request.xlx.exe | malicious | GuLoader, StormKitty, XWorm | 176.9.162.125
     | En88bvC0fc.exe | malicious | FormBook | 195.201.82.185
                            No context
                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):7627560
                            Entropy (8bit):7.943908022770192
                            Encrypted:false
                            SSDEEP:98304:iT0vaR0C912Is4uDTlWDxqi/S/YMUXhoXueFkEu1WefOo6CMCFiATJsqU:E0sN4P3nixx/kYMUxaue+EuwcwCRo
                            MD5:9A5C564F4095F7232DC6D422E12689FE
                            SHA1:AC6F4FAA193DE3E332FAEA713335F7596219B2CE
                            SHA-256:C9A8360C43E59B41A21C155BE136A6A3D9B75519A200607277EF2DE2E17057A5
                            SHA-512:EF740ACA09E47A27086FB53C93371C7AFF383E981E54770A7568FAB9377E18574DA135D6D292D3A5AEB1930C4146605FF655E4D5E82B070449770EDBB8F8B277
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Reputation:low
                            Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......n.\g*t24*t24*t24a.15.t24...4"t24..65>t24>.65.t24*t24.s24a.55+t24..15$t24..75St24a.75.t24a.65~t24a.45(t24a.35gt24*t34.w249.;5.v249.25+t249..4+t24*t.4+t249.05+t24Rich*t24........................PE..d...r..g.........."....(..t..0...p...y.........@......................................u...`.........................................p....T..8...........8#.......#...4t.(/......,...........................@|..(...0...@...........................................UPX0.....p..............................UPX1......t.......t.................@....rsrc....0............t.............@..............................................................................................................................................................................................................................................................................................4.22.UPX!.$..
                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Reputation:high, very likely benign file
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                            File Type:ASCII text
                            Category:modified
                            Size (bytes):17317
                            Entropy (8bit):5.470631995526038
                            Encrypted:false
                            SSDEEP:384:xFY5ZxYRZauO4rdGLvwPKWW7A+kGULGLvwUzLvwd8ZGLvwaGLvwLLvw68p80uO42:Zbqs1LjkLXBl
                            MD5:17856BE64A300E4E9CE31E7454601E47
                            SHA1:80E73511692F8F811823C3F710509260B957DC57
                            SHA-256:C269BCFFE984110D2C692CC335D2BEE8D3CC19A95CAB0C0287BE9DB1E9CB68D3
                            SHA-512:9C9D67FA29511862A3559B7C9F7EFD7ECE1619DC74A743C46FAE61489E2DDA2D10A5150F8CA992D1D1E8CCC81CE46956EC411192BBF33F5B6F19E71EC6905BD3
                            Malicious:false
                            Reputation:low
                            Preview:Filename.: getscreen-868841125.exe-91a3a23929fc3f88ddb8135c82dc2c062f72a595.crash.SHA1..: 91a3a23929fc3f88ddb8135c82dc2c062f72a595.Time..: 2024.11.6 9:44.Program..: Getscreen.me.Version..: 3.1.5.OS...: Windows 10 build 19042, x64.BIOS..: .Explorer.: 11.789.19041.0.Processors.: 0 x .Video..: .Computer.: .Memory..: 13 free of 15 Gb.Handles..: 428.Image Base.: 0x140000000..Exception.: 0xC0000005 at 0x00007FF7751A47BC (getscreen-868841125.exe.$0x5F47BC)..Modules...: C:\Users\user\Desktop\getscreen-868841125.exe (3.1.5.0)...: C:\Windows\SYSTEM32\ntdll.dll (10.0.19041.1110)...: C:\Windows\System32\KERNEL32.DLL (10.0.19041.1151)...: C:\Windows\System32\KERNELBASE.dll (10.0.19041.1151)...: C:\Windows\System32\ADVAPI32.dll (10.0.19041.1052)...: C:\Windows\System32\msvcrt.dll (7.0.19041.546)...: C:\Windows\System32\sechost.dll (10.0.19041.906)...: C:\Windows\System32\RPCRT4.dll (10.0.19041.1081)...: C:\Windows\System32\COMDLG32.dll (10.0.19041.906)...: C:\Windows\System32\combase.dll (10.0.190
                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):5.8125
                            Encrypted:false
                            SSDEEP:3:Bv9eQGacrJIOM+C8uzP:PPGa6JRJuj
                            MD5:68639CD463CC5673DF2B10C0DDF8EFBB
                            SHA1:58B542E6ADAEA0F7C966B44DF849215465B6D997
                            SHA-256:6DCB3A0BB33F4C9DC40D31FD6F071D6DFC16FDFB90CD7998736452519DB160AC
                            SHA-512:FC5CBF6AC3ED9BDD0C27F5F0B2B1A9BF45750402FE44CCBB06101BB24E0D7CDD26488AB4E0A33771BE86DD0155E81CFE633A97F4A0C167AAD14725ECE2E41E5C
                            Malicious:false
                            Preview:...J.+.q....:.OXi.........y.. ^....,.6.<.....2.@\.%.+.#.K.jK..
                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):912
                            Entropy (8bit):4.933868301060087
                            Encrypted:false
                            SSDEEP:24:Trps8zA71RR8zA71RU8zA71REgAHHt5bnogP7y2:Trp9zszmzszlzszFSX
                            MD5:E649E6AABC2B971BA856791176FFB0DD
                            SHA1:9F3372E7E2CED284678CC0DD953762E6BACE8B5A
                            SHA-256:811C34320C0D204C18CA85D504A93159D9CEADDFD7B1A8E128EADECDA8AEE36B
                            SHA-512:56B523DDBB08217C9970340B716EEB18FD1F98F2FEFBF971D2EB7D9E2B1B74946DD610BAA397C01DBE022540ADC2882DE469F45A028435BD85C4692F64A1F2E8
                            Malicious:false
                            Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..09:43:44.524.WARNING.Mouse relative mode disabled..09:43:44.540.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1080-0:1920 desktop: 0:1080-0:1920..09:43:44.540.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1080-0:1920 desktop: 0:1080-0:1920..09:43:44.540.INFO.BlackScreen initialized..09:43:44.540.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1080-0:1920 desktop: 0:1080-0:1920..09:43:44.540.INFO.Capture select monitor '\\.\DISPLAY1'..09:43:44.592.INFO.Capture set frame rate to 30..09:43:44.592.INFO.Child frame mark off..09:43:44.593.INFO.FrameMark hide frame..09:43:48.138.INFO.Child get stop message..09:43:48.141.INFO.Opus compress stop..09:43:48.141.INFO.Capture capture stopped..
                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):2962
                            Entropy (8bit):4.8459496171125425
                            Encrypted:false
                            SSDEEP:24:TMG/qHtXB35TH83iuTtVG3XLZ33UB/+E8BrjvFr5:TMGSH1J5ngtVeUoE8Rjvx5
                            MD5:0C061A16E8C4CAA47F389EF2BE8F2B34
                            SHA1:70BA4C7FA27364EFAC3287B3A18170BCC7C1E89D
                            SHA-256:0FCBEBEF1A711BCE052C262321F263FA366DE6B6B0108E07A345D3BB95F78817
                            SHA-512:29EBE9E686B99314ACD410162D3F373E8A83FAEE6CEDB6E695AD7ACA55A2E8A1725B69D918653AA6A03BD683CAA7F25A05A147D78907B3C946E5CA7A73F7721A
                            Malicious:false
                            Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..09:43:44.506.INFO.Gui GUI started..09:43:44.584.INFO.Gui load data: 'this://app/main-turbo.htm'..09:43:44.600.INFO.Gui load data: 'this://app/common/zepto.min.js'..09:43:44.604.INFO.Gui load data: 'this://app/common/sciter.js'..09:43:44.607.INFO.Gui load data: 'this://app/ico/favicon.ico'..09:43:44.627.INFO.Gui document ready..09:43:44.645.INFO.Gui load data: 'this://app/lang/en.json'..09:43:44.650.INFO.Gui send event event-application-status: {"value":"connecting"}'..09:43:44.652.INFO.Gui send event event-install-status: {"value":false}'..09:43:44.750.INFO.Gui send event event-domain: {"value":""}'..09:43:44.750.INFO.Gui send event event-fastaccess-url: {"value":""}'..09:43:44.751.INFO.Gui send event event-fastaccess-code: {"value":""}'..09:43:44.751.INFO.Gui send eve
                            Process:C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):2597
                            Entropy (8bit):5.149777309055748
                            Encrypted:false
                            SSDEEP:48:T4PV8IX8RYNnHXJIK3pJIKV28bLcK4IKxsVeKGIfI+RhGEMeVZcK4IK3vSQ2PL:ktJZ3rxL7M+eKGIfI+RhGIZ7MfSQ2PL
                            MD5:88E97770D986C02D9E7978B016E2EE33
                            SHA1:C5E6B213440766FE3AED41F8B029D9A384F22CCF
                            SHA-256:E0DF7443C69B1CB0C3803BE28C8D0D0B3605E4523791F6B53F1716D62A5BA772
                            SHA-512:FC5691E89F798073EF9FEA8111825713B63DD8B7BFD8DF950D5346E2FB2B4F8F4026204F314BC64588D34E8F87DE3E6383671E31546C9E33A44F6BF34F6FB337
                            Malicious:false
                            Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..09:43:40.732.INFO.Server start server run....09:43:40.732.INFO.Start Getscreen.me v 3.1.5 build 228 revision 0..09:43:41.721.ERROR.Service service 'GetscreenSV' not found..09:43:42.101.INFO.Service service 'GetscreenSV' installed..09:43:42.488.INFO.Service service 'GetscreenSV' start success..09:43:42.482.INFO.Service get control message 1..09:43:42.519.INFO.Capture capture stopped..09:43:42.525.INFO.FrameMark hide frame..09:43:43.257.INFO.Service service 'GetscreenSV' stop [0] (0)..09:43:43.765.INFO.Service service 'GetscreenSV' removed..09:43:43.781.INFO.Child success get system token..09:43:43.782.INFO.Child start child process simply..09:43:43.782.INFO.Shared remove shared memory 0000pipe0PCommand96azxqbincrzvxqvmsu32vpy4rp6lszo..09:43:43.782.INFO.Shared create shared memory 0000pipe0PCommand96azxqbin
                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):16777520
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:76E060E929A27A8F50A5EA6EDFC52356
                            SHA1:91B7BC99D759D84720B376F69BC934D75D9EC549
                            SHA-256:95F95F6678AD42DE249FE02F78472B553837B1E2AECD2F43B5715FAE9187FEAE
                            SHA-512:F1A361F28A87B18B8B5707BD3332E751EE30DFC5C9A32A4BBC39B7E8D5AC34385E96B49546003741A797C1A8E53537A91D5345DFCB1707BC65A483D458FD38FE
                            Malicious:false
                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):7553
                            Entropy (8bit):7.855584373916976
                            Encrypted:false
                            SSDEEP:192:Qv1k1pQmUNkv1EikskxV6T87dqDw1ZBky2hRPg6:QvOVUmv1pVo6T88w5k1RPg6
                            MD5:10391F60B4E6A29CD3AEFD02E6A0E329
                            SHA1:13E4A893F82E838EC49BB1740666EC24216DC8B3
                            SHA-256:9004819DCEC8F0F39184C116BC5EBFFBAB45F458D852B7C72E70BBDB46F5286C
                            SHA-512:039AC45644E7CA9771EA47692623E76680653E95DB6ADFFFDF99B2CF2D8650C0AB75EC230E1C068A156ECA422D218E4D6D871519331839296608E997303808AC
                            Malicious:false
                            Preview:INSC.>.....Mar222021151921"......!..;T.0.g..`5..S...m....+....+7.....................l...Qx.hx.c`@......010...#...`4..c.\..s........K@....Q....L...01...RD.....b.~...=..........\...0......?z!......!C............81Eod0....`...a..u.=....o....Q...|..Y&..zF.FnF..r..]..`..&.................C.Z..]'.Q_...........j....A|).R0U..Nf.......[u>......w...i..hs....(cI.....................GC..` .x..SAJ.@..IL.Z.XA\..#% tc..w.U..B..5K7B{...#...G.Fp%...ef..BK.B....._...n..-}m6.....&..|0Q1..D..&...`....&..-0....8..............%.-C.D....s.P.8....lI...<s.9.\...&G..7e.........m......[.|(..q"...1%m..X:.d.+7...n..v.'.Y\..U..&.3U<.......>.gh.Y..J......z.Eo.!..n2..=.zT.z\...<H........?.......coR...^..&......Xe..h.H..g...,.,.t...m..p...c......M..Q..K ..[b....gV./^>..[.......r.A?4m........D................?.......x.c`@..I3..010...#...........|gA.....q.P^.a.....)...h.......F..A...0..*i.>..f.fP`/e........B..Ah.f.........B...E..+00\.......#C.....z..z..;F.d0`..x...h.+.q..$o.@..+{.
                            Process:C:\Users\user\Desktop\getscreen-868841125.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):5.84375
                            Encrypted:false
                            SSDEEP:3:Bv9eQGacrJIOMpFl8g:PPGa6JROFz
                            MD5:90CD244C42D7D0A017F7393B5D262DFB
                            SHA1:CA6EFBE330ABFF2687D8363ACA21BA4BB1C93592
                            SHA-256:CBBB920B90096575096A24C42A7020794327DAD93AD7AFF16407347B246D8619
                            SHA-512:7B0BE366004D3EF3C06D6090E4A8A3B4E2541ADDC6B3521562D8B5E5D95AD5EFC7A0FBC8928B7E1A83666527537B3C1ABCA404CE3E672838F29FB75D7EA64001
                            Malicious:false
                            Preview:...J.+.q....:.OXi.........y.. ^....,.6.<.....2.8UO..u.C/.A{;
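The dropped log files above are worth more than their hashes. The log written by the `-elevate` process records a service 'GetscreenSV' being installed, started, stopped and removed within about two seconds, immediately followed by 'Child success get system token' and 'Child start child process simply'; the process list further down shows svchost.exe hosting seclogon (the Secondary Logon service, which backs CreateProcessWithTokenW) starting in the same second. The following Python is an added example for this report, not code from Getscreen.me or Joe Sandbox: it parses records in the layout the previews show and flags a short-lived service install/remove cycle paired with a system-token message. The preview renders the field separator as '.', so the real byte is not visible; the sample lines are constructed from the preview text with a tab as the assumed separator, and the regex accepts any single separator character. The component names 'Service' and 'Child' and the message texts are taken from the preview; the 30-second window is an assumption.

```python
"""Parse Getscreen.me-style agent log records and flag a transient service
install/start/stop/remove cycle paired with a 'success get system token' line.
Added example for this report; not code from Getscreen.me or Joe Sandbox."""
import re
from dataclasses import dataclass
from datetime import datetime

# Record layout as it appears in the dropped-file previews:
#   HH:MM:SS.mmm <sep> LEVEL <sep> Component message...
# ASSUMPTION: <sep> is one byte (rendered as '.' in the preview); the regex
# accepts any single character so tab, space or another byte all parse.
RECORD_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}).(?P<level>INFO|WARNING|ERROR)."
    r"(?P<component>\S+) (?P<message>.*)$"
)
# Service lifecycle messages seen in the -elevate process's log.
SERVICE_RE = re.compile(
    r"service '(?P<name>[^']+)' (?P<event>installed|start success|stop \[\d+\] \(\d+\)|removed|not found)"
)


@dataclass
class Record:
    time: datetime  # time of day only; the log carries no date
    level: str
    component: str
    message: str


def parse_log(text: str) -> list:
    """Return one Record per line that matches the layout; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.rstrip("\r"))
        if m:
            records.append(Record(datetime.strptime(m["time"], "%H:%M:%S.%f"),
                                  m["level"], m["component"], m["message"]))
    return records


def transient_service_elevation(records, max_window_s: float = 30.0) -> list:
    """Flag services that were installed and removed within max_window_s seconds.

    Each finding records the service name, install/remove times, lifetime and
    whether a 'success get system token' message from the Child component is
    present in the same log, i.e. the temporary service was used to obtain a
    SYSTEM token."""
    lifecycle = {}
    for r in records:
        if r.component != "Service":
            continue
        m = SERVICE_RE.search(r.message)
        if m:
            # 'start success' -> 'start', 'stop [0] (0)' -> 'stop', etc.
            lifecycle.setdefault(m["name"], {})[m["event"].split()[0]] = r.time
    got_token = any(r.component == "Child" and "success get system token" in r.message
                    for r in records)
    findings = []
    for name, ev in lifecycle.items():
        if "installed" in ev and "removed" in ev:
            lifetime = (ev["removed"] - ev["installed"]).total_seconds()
            if 0 <= lifetime <= max_window_s:
                findings.append({"service": name, "installed": ev["installed"],
                                 "removed": ev["removed"], "started": "start" in ev,
                                 "lifetime_s": lifetime, "system_token": got_token})
    return findings


# Constructed sample: the preview text of the -elevate process's log above,
# re-split into lines with a tab as the assumed separator.
SAMPLE_LOG = "\n".join([
    "00:00:00.000\tINFO\tLog Getscreen.me v3.1.5 build 228",
    "09:43:40.732\tINFO\tServer start server run...",
    "09:43:41.721\tERROR\tService service 'GetscreenSV' not found",
    "09:43:42.101\tINFO\tService service 'GetscreenSV' installed",
    "09:43:42.488\tINFO\tService service 'GetscreenSV' start success",
    "09:43:42.482\tINFO\tService get control message 1",
    "09:43:43.257\tINFO\tService service 'GetscreenSV' stop [0] (0)",
    "09:43:43.765\tINFO\tService service 'GetscreenSV' removed",
    "09:43:43.781\tINFO\tChild success get system token",
    "09:43:43.782\tINFO\tChild start child process simply",
])

if __name__ == "__main__":
    for f in transient_service_elevation(parse_log(SAMPLE_LOG)):
        print(f"{f['service']}: installed {f['installed']:%H:%M:%S.%f}, removed after "
              f"{f['lifetime_s']:.3f}s, started={f['started']}, system_token={f['system_token']}")
```

On the sample the service lives for 1.664 s. For incident response the same logic applies to the Windows System event log (Service Control Manager event 7045 for the install, 7036 for start/stop) where the agent's own log is not available; the lifetime threshold is the tunable, since legitimate installers also create services but rarely delete them seconds later.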
                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                            Entropy (8bit):7.943908022770192
                            TrID:
                            • Win64 Executable GUI (202006/5) 81.26%
                            • UPX compressed Win32 Executable (30571/9) 12.30%
                            • Win64 Executable (generic) (12005/4) 4.83%
                            • Generic Win/DOS Executable (2004/3) 0.81%
                            • DOS Executable Generic (2002/1) 0.81%
                            File name:getscreen-868841125.exe
                            File size:7'627'560 bytes
                            MD5:9a5c564f4095f7232dc6d422e12689fe
                            SHA1:ac6f4faa193de3e332faea713335f7596219b2ce
                            SHA256:c9a8360c43e59b41a21c155be136a6a3d9b75519a200607277ef2de2e17057a5
                            SHA512:ef740aca09e47a27086fb53c93371c7aff383e981e54770a7568fab9377e18574da135d6d292d3a5aeb1930c4146605ff655e4d5e82b070449770edbb8f8b277
                            SSDEEP:98304:iT0vaR0C912Is4uDTlWDxqi/S/YMUXhoXueFkEu1WefOo6CMCFiATJsqU:E0sN4P3nixx/kYMUxaue+EuwcwCRo
                            TLSH:0276337A944E146DC6738276AE541E932E0B930DA4435AE8D68C9B9F1374EF00FE7387
                            File Content Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......n.\g*t24*t24*t24a.15.t24...4"t24..65>t24>.65.t24*t24.s24a.55+t24..15$t24..75St24a.75.t24a.65~t24a.45(t24a.35gt24*t34.w249.;5.v2
                            Icon Hash:418c6963696c9643
                            Entrypoint:0x1421879d0
                            Entrypoint Section:UPX1
                            Digitally signed:true
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x67178872 [Tue Oct 22 11:11:46 2024 UTC]
                            TLS Callbacks:0x42187c18, 0x1
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:7c27dce4bef0d003a570ce3109e1f949
                            Signature Valid:true
                            Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                            Signature Validation Error:The operation completed successfully
                            Error Number:0
                            Not Before: 28/05/2024 15:50:28
                            Not After:  28/06/2026 16:36:10
                            Subject Chain
                            • CN=POINT B LTD, O=POINT B LTD, L=Limassol, S=Limassol, C=CY, OID.1.3.6.1.4.1.311.60.2.1.3=CY, SERIALNUMBER=HE 430957, OID.2.5.4.15=Private Organization
                            Version:3
                            Thumbprint MD5:9B083870477F4699693EEECABF351BF8
                            Thumbprint SHA-1:B3C999E29AED18DEA59733F3CAA94E788B1AC3A1
                            Thumbprint SHA-256:3E73B7C28C18DC6A03B9816F200365F1DF1FF80A7BD0D55DB920F1B24BBD74E7
                            Serial:7AE0E9C1CFE2DCE0E21C4327
                            Entrypoint disassembly (UPX1 stub). Note: the listing below decodes this PE32+ file's 64-bit code with a 32-bit disassembler. Each `dec eax` is really the REX.W prefix byte (0x48) of the following instruction, so `dec eax` / `lea esi, dword ptr [...]` is a single `lea rsi, [rip+...]`, the four leading pushes are 64-bit register saves, and the sequence is the standard UPX x64 decompression stub.
                            push ebx
                            push esi
                            push edi
                            push ebp
                            dec eax
                            lea esi, dword ptr [FF8C0625h]
                            dec eax
                            lea edi, dword ptr [esi-01A47000h]
                            push edi
                            xor ebx, ebx
                            xor ecx, ecx
                            dec eax
                            or ebp, FFFFFFFFh
                            call 00007FCD7CFAB305h
                            add ebx, ebx
                            je 00007FCD7CFAB2B4h
                            rep ret
                            mov ebx, dword ptr [esi]
                            dec eax
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            mov dl, byte ptr [esi]
                            rep ret
                            dec eax
                            lea eax, dword ptr [edi+ebp]
                            cmp ecx, 05h
                            mov dl, byte ptr [eax]
                            jbe 00007FCD7CFAB2D3h
                            dec eax
                            cmp ebp, FFFFFFFCh
                            jnbe 00007FCD7CFAB2CDh
                            sub ecx, 04h
                            mov edx, dword ptr [eax]
                            dec eax
                            add eax, 04h
                            sub ecx, 04h
                            mov dword ptr [edi], edx
                            dec eax
                            lea edi, dword ptr [edi+04h]
                            jnc 00007FCD7CFAB2A1h
                            add ecx, 04h
                            mov dl, byte ptr [eax]
                            je 00007FCD7CFAB2C2h
                            dec eax
                            inc eax
                            mov byte ptr [edi], dl
                            sub ecx, 01h
                            mov dl, byte ptr [eax]
                            dec eax
                            lea edi, dword ptr [edi+01h]
                            jne 00007FCD7CFAB2A2h
                            rep ret
                            cld
                            inc ecx
                            pop ebx
                            jmp 00007FCD7CFAB2BAh
                            dec eax
                            inc esi
                            mov byte ptr [edi], dl
                            dec eax
                            inc edi
                            mov dl, byte ptr [esi]
                            add ebx, ebx
                            jne 00007FCD7CFAB2BCh
                            mov ebx, dword ptr [esi]
                            dec eax
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            mov dl, byte ptr [esi]
                            jc 00007FCD7CFAB298h
                            lea eax, dword ptr [ecx+01h]
                            jmp 00007FCD7CFAB2B9h
                            dec eax
                            inc ecx
                            call ebx
                            adc eax, eax
                            inc ecx
                            call ebx
                            adc eax, eax
                            add ebx, ebx
                            jne 00007FCD7CFAB2BCh
                            mov ebx, dword ptr [esi]
                            dec eax
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            mov dl, byte ptr [esi]
                            jnc 00007FCD7CFAB296h
                            sub eax, 03h
                            jc 00007FCD7CFAB2CBh
                            shl eax, 08h
                            movzx edx, dl
                            or eax, edx
                            dec eax
                            inc esi
                            xor eax, FFFFFFFFh
                            je 00007FCD7CFAB30Ah
                            sar eax, 1
                            Data directories
                            Name                                  Virtual Address  Virtual Size  Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x111cc70        0x548c        UPX0
                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x218b338        0x8d8         .rsrc
                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2189000        0x2338        .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x20a8000        0x723c0       UPX1
                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x743400         0x2f28        UPX0 (see note)
                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x218bc10        0x2c          .rsrc
                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_TLS             0x2187c40        0x28          UPX1
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2188030        0x140         UPX1
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                            Note: the SECURITY entry is a raw file offset, not an RVA, so the "Is in Section" lookup does not apply to it (the tool reports UPX0 only because 0x743400 falls inside UPX0's virtual range). 0x743400 is consistent with a 0x400-byte header followed by the sections' raw data (0x400 + 0x740200 + 0x2e00 = 0x743400), and 0x743400 + 0x2f28 = 0x746328 = 7'627'560 bytes, the file size: the Authenticode blob is appended after the packed sections, and since the signature validates, the file was signed in its UPX-packed form. The EXPORT directory at 0x111cc70 points into UPX0, which has no raw data, so it is only meaningful after unpacking.
                            Sections
                            Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy           Characteristics
                            UPX0   0x1000           0x1a47000     0x0       d41d8cd98f00b204e9800998ecf8427e  unknown   unknown             unknown    unknown           IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            UPX1   0x1a48000        0x741000      0x740200  4c967097f131aff1e1780575ff9d7f14  unknown   unknown             unknown    unknown           IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc  0x2189000        0x3000        0x2e00    0577af4204cd6272d7113f80c4460d0d  False     0.5467900815217391  data       5.88972477976154  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Note: UPX0 has no bytes on disk (its MD5 is that of the empty input) but a 0x1a47000-byte virtual size; it is the destination the UPX1 stub decompresses into at run time, which is why both sections are marked writable and executable. The entrypoint 0x1421879d0 (RVA 0x21879d0) lies in UPX1.
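An added example (not part of this report, of Joe Sandbox, or of Getscreen.me) showing how the conclusions in the two tables above are derived directly from PE headers: the entrypoint RVA resolving into UPX1, both UPX sections being writable and executable, UPX0 having no raw data, and the SECURITY directory being a file offset that lands exactly at the end of the last section's raw data and, added to its size, gives the file size. The script builds a minimal PE32+ header in memory from the values in the tables and walks it with the standard library only. The PointerToRawData values (0x400 for UPX0 and UPX1, 0x740600 for .rsrc) and the 0x400-byte header size are assumptions chosen so that the raw data ends at the reported 0x743400; on a real file, pass the file bytes to parse_pe instead of the constructed fixture.

```python
"""Walk a PE32+ header and report the packer/signature indicators shown in the
tables above. Added example for this report; not part of Joe Sandbox or Getscreen.me."""
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DIR_SECURITY = 4              # IMAGE_DIRECTORY_ENTRY_SECURITY index
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def parse_pe(data: bytes) -> dict:
    """Return entrypoint RVA, the SECURITY directory (offset, size) and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x20B:
        raise ValueError("only PE32+ (0x20b) is handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    # PE32+ data directories start at optional-header offset 112.
    sec_off, sec_size = struct.unpack_from("<II", data, opt + 112 + 8 * DIR_SECURITY)
    sections, pos = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, pos)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
        pos += 40
    return {"entry_rva": entry_rva, "security": (sec_off, sec_size), "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def packer_indicators(pe: dict) -> dict:
    secs = pe["sections"]
    sec_off, sec_size = pe["security"]
    end_of_sections = max(s["raw_ptr"] + s["raw_size"] for s in secs)
    return {
        "entry_section": section_for_rva(secs, pe["entry_rva"]),
        "wx_sections": [s["name"] for s in secs
                        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE],
        # A large executable section with zero raw bytes is the unpacker's destination.
        "empty_exec_sections": [s["name"] for s in secs
                                if s["raw_size"] == 0 and s["vsize"] > 0 and s["chars"] & IMAGE_SCN_MEM_EXECUTE],
        # SECURITY holds a file offset, not an RVA: a valid blob sits right after the
        # last section's raw data and runs to end of file.
        "signature_appended_after_sections": sec_size > 0 and sec_off == end_of_sections,
        "expected_file_size": sec_off + sec_size,
        # Treating the offset as an RVA, as a per-section lookup does, lands somewhere
        # meaningless; this is where a 'UPX0' in the SECURITY row comes from.
        "security_offset_as_rva_maps_to": section_for_rva(secs, sec_off),
    }


def build_pe32plus(sections, entry_rva, security):
    """Test fixture: emit a minimal PE32+ header (DOS stub, COFF, optional header, section table)."""
    opt = bytearray(240)                              # PE32+ optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)      # ImageBase (as reported above)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, *security)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, rp, ch in sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))       # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Values from the section and data-directory tables above. ASSUMED: a 0x400-byte
# header, so PointerToRawData is 0x400 (UPX0/UPX1) and 0x740600 (.rsrc).
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SAMPLE = build_pe32plus(
    sections=[("UPX0", 0x1000, 0x1A47000, 0x0, 0x400, IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX),
              ("UPX1", 0x1A48000, 0x741000, 0x740200, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
              (".rsrc", 0x2189000, 0x3000, 0x2E00, 0x740600,
               IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
    entry_rva=0x1421879D0 - 0x140000000,
    security=(0x743400, 0x2F28),
)

if __name__ == "__main__":
    for k, v in packer_indicators(parse_pe(SAMPLE)).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

The expected_file_size check is the cheap way to confirm nothing was appended after the signature (an overlay behind the Authenticode blob is not covered by it); here it matches the reported 7'627'560 bytes exactly.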
                            Resources
                            Name               RVA        Size    Language  Country        ZLIB Complexity      Type
                            AFX_DIALOG_LAYOUT  0x211b9e0  0x2     Russian   Russia         5.0                  ASCII text, with no line terminators
                            INI                0x2149d18  0xa     Russian   Russia         1.8                  data
                            LANG               0x211e920  0x21ec  Russian   Russia         0.9705204974666053   data
                            LANG               0x2120b10  0x33d9  Russian   Russia         0.970617042115573    data
                            LANG               0x2123ef0  0x2454  Russian   Russia         0.34720430107526884  data
                            LANG               0x2126348  0x25b3  Russian   Russia         0.9348254066936069   data
                            LANG               0x2128900  0x2454  Russian   Russia         0.9278494623655914   data
                            LANG               0x212ad58  0x289b  Russian   Russia         0.9302549302549302   data
                            LANG               0x212d5f8  0x252c  Russian   Russia         0.9330601092896175   data
                            LANG               0x212fb28  0x1f5f  Russian   Russia         0.9346283152782966   data
                            LANG               0x2131a88  0x23ce  Russian   Russia         0.9368317695832424   data
                            LANG               0x2133e58  0x242e  Russian   Russia         0.9326279421291298   DOS executable (COM)
                            LANG               0x214ad00  0x2499  English   United States  0.9260326609029779   data
                            OPUS               0x2136288  0xa5e5  Russian   Russia         0.9198003249428995   data
                            OPUS               0x2140870  0x94a4  Russian   Russia         0.9161673499421844   data
                            RT_ICON            0x211b9e8  0x139   Russian   Russia         1.035143769968051    data
                            RT_ICON            0x211bb28  0x1ef   Russian   Russia         1.0222222222222221   data
                            RT_ICON            0x211bd18  0x225   Russian   Russia         1.0200364298724955   data
                            RT_ICON            0x211bf40  0x26b   Russian   Russia         1.0177705977382876   data
                            RT_ICON            0x211c1b0  0x326   Russian   Russia         1.0024813895781637   data
                            RT_ICON            0x211c4d8  0x402   Russian   Russia         1.010721247563353    data
                            RT_ICON            0x21899e0  0x13b   Russian   Russia         1.034920634920635    PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                            RT_ICON            0x2189b20  0x1c5   Russian   Russia         1.0242825607064017   PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                            RT_ICON            0x2189cec  0x1ee   Russian   Russia         1.0222672064777327   PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                            RT_ICON            0x2189ee0  0x253   Russian   Russia         1.0184873949579831   PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
                            RT_ICON            0x218a138  0x2e7   Russian   Russia         1.0148048452220726   PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                            RT_ICON            0x218a424  0x3ad   Russian   Russia         1.0116896918172158   PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                            RT_ICON            0x211d788  0x159   Russian   Russia         1.0318840579710145   data
                            RT_ICON            0x211d8e8  0x1e6   Russian   Russia         1.022633744855967    data
                            RT_ICON            0x211dad0  0x1f6   Russian   Russia         0.99800796812749     data
                            RT_ICON            0x211dcc8  0x26d   Russian   Russia         1.0177133655394526   data
                            RT_ICON            0x211df38  0x31b   Russian   Russia         1.0138364779874214   data
                            RT_ICON            0x211e258  0x3e7   Russian   Russia         0.977977977977978    COM executable for DOS
                            RT_ICON            0x2149d28  0x163   (none)    (none)         1.0309859154929577   data
                            RT_ICON            0x2149e90  0x20d   (none)    (none)         1.020952380952381    data
                            RT_ICON            0x214a0a0  0x21b   (none)    (none)         1.0204081632653061   data
                            RT_ICON            0x214a2c0  0x282   (none)    (none)         1.017133956386293    data
                            RT_ICON            0x214a548  0x33c   (none)    (none)         0.9963768115942029   data
                            RT_ICON            0x214a888  0x413   (none)    (none)         0.9798657718120806   data
                            RT_STRING          0x214d1a0  0x38    Russian   Russia         1.1964285714285714   data
                            RT_GROUP_ICON      0x218a7d8  0x5a    Russian   Russia         0.8                  data
                            RT_GROUP_ICON      0x211c8e0  0x5a    Russian   Russia         1.1222222222222222   data
                            RT_GROUP_ICON      0x214aca0  0x5a    (none)    (none)         1.1222222222222222   data
                            RT_GROUP_ICON      0x211e640  0x5a    Russian   Russia         1.1222222222222222   data
                            RT_VERSION         0x218a838  0x27c   Russian   Russia         0.4748427672955975   data
                            RT_MANIFEST        0x218aab8  0x87f   English   United States  0.31264367816091954  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2115), with CRLF line terminators
                            Imports
                            DLL           Import(s)
                            ADVAPI32.dll  FreeSid
                            COMCTL32.dll  ImageList_DrawEx
                            COMDLG32.dll  PrintDlgW
                            d3d11.dll     D3D11CreateDevice
                            dbghelp.dll   SymFromAddr
                            dxgi.dll      CreateDXGIFactory1
                            GDI32.dll     LineTo
                            gdiplus.dll   GdipFree
                            IMM32.dll     ImmIsIME
                            IPHLPAPI.DLL  GetIfEntry2
                            KERNEL32.DLL  LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                            MPR.dll       WNetGetConnectionW
                            msdmo.dll     MoInitMediaType
                            msi.dll       (none listed)
                            NETAPI32.dll  NetUserGetInfo
                            ntdll.dll     RtlGetVersion
                            NTDSAPI.dll   DsMakeSpnW
                            ole32.dll     DoDragDrop
                            OLEACC.dll    LresultFromObject
                            OLEAUT32.dll  SafeArrayGetElement
                            POWRPROF.dll  PowerGetActiveScheme
                            RPCRT4.dll    UuidEqual
                            SAS.dll       SendSAS
                            Secur32.dll   DeleteSecurityContext
                            SHELL32.dll   (none listed)
                            SHLWAPI.dll   PathIsRelativeA
                            USER32.dll    GetDC
                            USERENV.dll   CreateEnvironmentBlock
                            USP10.dll     ScriptPlace
                            VERSION.dll   VerQueryValueW
                            WINHTTP.dll   WinHttpOpen
                            WININET.dll   InternetOpenA
                            WINMM.dll     waveInOpen
                            WINSPOOL.DRV  (none listed)
                            WS2_32.dll    accept
                            WTSAPI32.dll  WTSFreeMemory
                            Note: this is the UPX stub's import table, not the program's. UPX keeps one named import per DLL (so the loader still maps every library) plus LoadLibraryA, GetProcAddress, VirtualProtect and ExitProcess from KERNEL32, and resolves the real imports itself after decompression. The Import Hash above is computed over this stub table and therefore does not characterize the unpacked program; the full import list (and the SAS.dll SendSAS import's context, i.e. Secure Attention Sequence handling for remote Ctrl+Alt+Del) is only visible in the unpacked image.
                            Language of compilation system  Country where language is spoken
                            Russian                         Russia
                            English                         United States
                            TCP packets
                            Timestamp                           Source Port  Dest Port  Source IP      Dest IP
                            Nov 6, 2024 10:43:45.254873037 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:45.254925013 CET  443          49750      78.47.165.25   192.168.11.20
                            Nov 6, 2024 10:43:45.255287886 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:45.255481958 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:45.255526066 CET  443          49750      78.47.165.25   192.168.11.20
                            Nov 6, 2024 10:43:45.652278900 CET  443          49750      78.47.165.25   192.168.11.20
                            Nov 6, 2024 10:43:45.652903080 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:45.652920961 CET  443          49750      78.47.165.25   192.168.11.20
                            Nov 6, 2024 10:43:45.655400038 CET  443          49750      78.47.165.25   192.168.11.20
                            Nov 6, 2024 10:43:45.655594110 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:45.656480074 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:45.656594038 CET  443          49750      78.47.165.25   192.168.11.20
                            Nov 6, 2024 10:43:45.656888008 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:45.656904936 CET  443          49750      78.47.165.25   192.168.11.20
                            Nov 6, 2024 10:43:45.703751087 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:46.064153910 CET  443          49750      78.47.165.25   192.168.11.20
                            Nov 6, 2024 10:43:46.064246893 CET  443          49750      78.47.165.25   192.168.11.20
                            Nov 6, 2024 10:43:46.064464092 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:46.066777945 CET  49750        443        192.168.11.20  78.47.165.25
                            Nov 6, 2024 10:43:46.066804886 CET  443          49750      78.47.165.25   192.168.11.20
                            UDP packets
                            Timestamp                           Source Port  Dest Port  Source IP      Dest IP
                            Nov 6, 2024 10:43:45.137999058 CET  59933        53         192.168.11.20  1.1.1.1
                            Nov 6, 2024 10:43:45.252707005 CET  53           59933      1.1.1.1        192.168.11.20
                            DNS queries
                            Timestamp                           Source IP      Dest IP  Trans ID  OP Code             Name          Type            Class        DNS over HTTPS
                            Nov 6, 2024 10:43:45.137999058 CET  192.168.11.20  1.1.1.1  0x14c4    Standard query (0)  getscreen.me  A (IP address)  IN (0x0001)  false
                            DNS answers
                            Timestamp                           Source IP  Dest IP        Trans ID  Reply Code    Name          CName  Address       Type            Class        DNS over HTTPS
                            Nov 6, 2024 10:43:45.252707005 CET  1.1.1.1    192.168.11.20  0x14c4    No error (0)  getscreen.me         78.47.165.25  A (IP address)  IN (0x0001)  false
                            Nov 6, 2024 10:43:45.252707005 CET  1.1.1.1    192.168.11.20  0x14c4    No error (0)  getscreen.me         51.89.95.37   A (IP address)  IN (0x0001)  false
                            Nov 6, 2024 10:43:45.252707005 CET  1.1.1.1    192.168.11.20  0x14c4    No error (0)  getscreen.me         5.75.168.191  A (IP address)  IN (0x0001)  false
                            • getscreen.me
                            HTTPS session
                            Session ID  Source IP      Source Port  Destination IP  Destination Port  PID   Process
                            0           192.168.11.20  49750        78.47.165.25    443               1696  C:\Users\user\Desktop\getscreen-868841125.exe
                            Timestamp                Bytes transferred  Direction  Data
                            2024-11-06 09:43:45 UTC  363                OUT        GET /signal/agent HTTP/1.1
                            Host: getscreen.me
                            Upgrade: websocket
                            Connection: Upgrade
                            Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
                            Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
                            Origin: https://getscreen.me
                            Sec-WebSocket-Protocol: chat, superchat
                            Sec-WebSocket-Version: 13
                            User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
                            2024-11-06 09:43:46 UTC  354                IN         HTTP/1.1 400 Bad Request
                            access-control-expose-headers: X-Js-Cache
                            content-type: text/plain; charset=utf-8
                            sec-websocket-version: 13
                            x-content-type-options: nosniff
                            x-js-cache: 82fdad5dae26df67fe35db92c8947469
                            date: Wed, 06 Nov 2024 09:43:45 GMT
                            content-length: 12
                            x-envoy-upstream-service-time: 1
                            server: lb1.getscreen.me
                            connection: close
                            2024-11-06 09:43:46 UTC  12                 IN         Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
                            Data Ascii: Bad Request
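The Sec-WebSocket-Key in the request above (dGhlIHNhbXBsZSBub25jZQ==, base64 of "the sample nonce") and the "chat, superchat" subprotocol list are the literal example values from RFC 6455 section 1.3. RFC 6455 requires the key to be a freshly random 16-byte value per connection, so this agent build sends a constant handshake key; together with the User-Agent string that is a stable network indicator for it. The server answered 400 and closed the connection, so the capture never reached a 101 upgrade and no WebSocket frames appear in this report. The following Python is an added example for this report, not code from Getscreen.me or Joe Sandbox: it parses the captured request/response pair, computes the Sec-WebSocket-Accept value a server would have to return for this key (RFC 6455 section 4.2.2), and flags the fixed key. The message text is reconstructed from the lines above with CRLF line endings restored.

```python
"""Check a captured WebSocket opening handshake (RFC 6455) and flag a fixed
Sec-WebSocket-Key. Added example for this report; not Getscreen.me or Joe Sandbox code."""
import base64
import binascii
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"      # RFC 6455 section 4.2.2
RFC6455_EXAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="     # RFC 6455 section 1.3, "the sample nonce"


def parse_http_message(raw: str):
    """Split an HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for this key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()


def analyse_handshake(request: str, response: str) -> dict:
    req_line, req_h, _ = parse_http_message(request)
    status_line, resp_h, body = parse_http_message(response)
    key = req_h.get("sec-websocket-key", "")
    try:
        key_is_nonce = len(base64.b64decode(key, validate=True)) == 16   # 16 random bytes, base64
    except (binascii.Error, ValueError):
        key_is_nonce = False
    status = int(status_line.split()[1])
    accept = expected_accept(key) if key else None
    return {
        "request_target": req_line.split()[1],
        "upgrade_requested": req_h.get("upgrade", "").lower() == "websocket"
                             and "upgrade" in req_h.get("connection", "").lower(),
        "key_is_16_byte_nonce": key_is_nonce,
        # A constant key means the client is not generating a per-connection nonce.
        "key_is_rfc_example": key == RFC6455_EXAMPLE_KEY,
        "expected_accept": accept,
        "subprotocols": [p.strip() for p in req_h.get("sec-websocket-protocol", "").split(",") if p.strip()],
        "user_agent": req_h.get("user-agent", ""),
        "server_status": status,
        "upgraded": status == 101 and resp_h.get("sec-websocket-accept") == accept,
        "server": resp_h.get("server", ""),
        "response_body": body.strip(),
    }


# Constructed from the captured exchange above, with CRLF line endings restored.
REQUEST = "\r\n".join([
    "GET /signal/agent HTTP/1.1",
    "Host: getscreen.me",
    "Upgrade: websocket",
    "Connection: Upgrade",
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits",
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
    "Origin: https://getscreen.me",
    "Sec-WebSocket-Protocol: chat, superchat",
    "Sec-WebSocket-Version: 13",
    "User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)",
    "", "",
])
RESPONSE = "\r\n".join([
    "HTTP/1.1 400 Bad Request",
    "access-control-expose-headers: X-Js-Cache",
    "content-type: text/plain; charset=utf-8",
    "sec-websocket-version: 13",
    "x-content-type-options: nosniff",
    "x-js-cache: 82fdad5dae26df67fe35db92c8947469",
    "date: Wed, 06 Nov 2024 09:43:45 GMT",
    "content-length: 12",
    "x-envoy-upstream-service-time: 1",
    "server: lb1.getscreen.me",
    "connection: close",
    "", "Bad Request\n",
])

if __name__ == "__main__":
    for k, v in analyse_handshake(REQUEST, RESPONSE).items():
        print(f"{k}: {v}")
```

For this key the only valid accept value is s3pPLMBiTxaQ9kYGzzhZRbK+xOo= (the RFC's own worked result), so a proxy or IDS can match both the constant client key and the constant server answer. Note that this analysis needs the decrypted HTTP layer: on the wire the exchange is inside TLS to 78.47.165.25:443, so the indicator is usable on a TLS-inspecting proxy or from the sandbox's decrypted capture, not from raw packets.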


                            Target ID:0
                            Start time:04:43:40
                            Start date:06/11/2024
                            Path:C:\Users\user\Desktop\getscreen-868841125.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\getscreen-868841125.exe"
Imagebase: 0x7ff774bb0000
File size: 7'627'560 bytes
MD5 hash: 9A5C564F4095F7232DC6D422E12689FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 04:43:42
Start date: 06/11/2024
Path: C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\Getscreen.me\asbjbuwegsczkjgwrynrzmlvudgqspc-elevate.exe" -elevate \\.\pipe\elevateGS512asbjbuwegsczkjgwrynrzmlvudgqspc
Imagebase: 0x7ff7af820000
File size: 7'627'560 bytes
MD5 hash: 9A5C564F4095F7232DC6D422E12689FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 04:43:43
Start date: 06/11/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Imagebase: 0x7ff648860000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 4
Start time: 04:43:44
Start date: 06/11/2024
Path: C:\Users\user\Desktop\getscreen-868841125.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\getscreen-868841125.exe" -gpipe \\.\pipe\PCommand97qceoadxhjigniec -gui
Imagebase: 0x7ff774bb0000
File size: 7'627'560 bytes
MD5 hash: 9A5C564F4095F7232DC6D422E12689FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 04:43:44
Start date: 06/11/2024
Path: C:\Users\user\Desktop\getscreen-868841125.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\getscreen-868841125.exe" -cpipe \\.\pipe\PCommand96azxqbincrzvxqvm -cmem 0000pipe0PCommand96azxqbincrzvxqvmsu32vpy4rp6lszo -child
Imagebase: 0x7ff774bb0000
File size: 7'627'560 bytes
MD5 hash: 9A5C564F4095F7232DC6D422E12689FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

No disassembly