
Windows Analysis Report
getscreen-524501439.exe

Overview

General Information

Sample name: getscreen-524501439.exe
Analysis ID: 1584647
MD5: 00d07884f13526fa6becbe099a3e0aa0
SHA1: 227caf73541a654e5ba35b25922bccd63ee507d6
SHA256: fe6b1c9250d666713e5b1ceabcb9c1c5030556ea061bfcb3c8b1d91af45ba0dd
Tags: exeuser-cisdemo

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 62
Range: 0 - 100

Signatures

Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to disable installed Antivirus / HIPS / PFW
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • getscreen-524501439.exe (PID: 7640 cmdline: "C:\Users\user\Desktop\getscreen-524501439.exe" MD5: 00D07884F13526FA6BECBE099A3E0AA0)
    • getscreen-524501439.exe (PID: 7832 cmdline: "C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97zgzpntwbganyddi -gui MD5: 00D07884F13526FA6BECBE099A3E0AA0)
    • getscreen-524501439.exe (PID: 7852 cmdline: "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96gkkfxvsnstbbdol -cmem 0000pipe0PCommand96gkkfxvsnstbbdol2chiodsfu2cltpv -child MD5: 00D07884F13526FA6BECBE099A3E0AA0)
  • mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe (PID: 7672 cmdline: "C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe" -elevate \\.\pipe\elevateGS512mjzdpzvkpojpjfpkrhiihaxlnhqtrbo MD5: 00D07884F13526FA6BECBE099A3E0AA0)
  • svchost.exe (PID: 7788 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7948 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: getscreen-524501439.exe PID: 7640 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
    Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 7788, ProcessName: svchost.exe
    No Suricata rule has matched


    Compliance

    Source: getscreen-524501439.exe, Static PE information: certificate valid
    Source: getscreen-524501439.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9976000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exelib.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8C0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF20000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD015000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exec6.pdbl source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exet.pdbpdb$ source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD02D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB729000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD83A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD81C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FDF40000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE3FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFF2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WindowManagementAPI.pdb7c source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD02D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb_b/D9 source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FED41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFE4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE310000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9904000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8B4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oses.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FDA4D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ZwWaitForMultipleObjectssExhttp.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB723000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE888000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FDF40000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: getscreen-524501439.exemsvcp_win.pdb) source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE5EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB69E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD00F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF025000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6BC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD009000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF295000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEB0E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE6A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.dllorye.pdb, source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: <;op\symbols\dll\samlib.pdbb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9904000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE81E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE36B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD840000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD015000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6BC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WindowManagementAPI.pdbb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FECD7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF295000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB723000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD834000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD810000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FECD7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE7C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB698000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8B4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD009000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6B0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD82E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD822000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ZwWaitForMultipleObjectssExhttp.pdbh source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD816000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEB6D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: BaseThreadInitThunkexesExypi.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEDF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdbp source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD82E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF357000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF26000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exet.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6D3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdbOb?D; source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFF2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdbatu source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9976000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8D7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\gdi32full.pdbwbGD4 source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8A8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFFD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\gdi32full.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEDF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\x64\Release\getscreen.pdb source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF2C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF357000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD74D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF26000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD834000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEBC7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF2C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: (26FWPolicyIOMgr.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FDAB2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF2EF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nt.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE582000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD021000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEB0E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exet.pdbuiF source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE310000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF025000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFEA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ypi.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEE62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD003000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE4C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF20000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE81E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE456000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD027000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8C0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FED41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FirewallAPI.pdbpdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8D7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\cryptbase.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbdb?b source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE6A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE4C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD021000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6AA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB71D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8D1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD822000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF238000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FED9C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdblbWc'E source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF238000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFEA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB729000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE51D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: putHost.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD01B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEC7D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdbJ source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ox.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD81C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD7FF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE45C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD828000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6B0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE5EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD01B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD840000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEE62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB71D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEBC7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6AA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEC7D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdbOS source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9976000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEB6D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE36B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: BaseThreadInitThunkexelox.pdbw source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE51D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEEC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE582000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD027000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FED9C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8A8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD00F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF031000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF2EF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB69E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE7C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFE4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\TextInputFramework.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NtDelayExecution439.exellnt.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF031000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE456000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exelib.pdbbX source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE3FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD828000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD7FF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Windows.Storage.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\msvcp_win.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: getscreen-524501439.exemswsock.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE45C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: orye.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD83A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: $.0x1405FE40F2.dllputHost.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB717000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD816000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB698000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdbb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9904000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEEC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Joe Sandbox View | IP Address: 78.47.165.25
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected:
        GET /signal/agent HTTP/1.1
        Host: getscreen.me
        Upgrade: websocket
        Connection: Upgrade
        Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
        Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
        Origin: https://getscreen.me
        Sec-WebSocket-Protocol: chat, superchat
        Sec-WebSocket-Version: 13
        User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
    Source: global traffic | DNS traffic detected: DNS query: getscreen.me
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: svchost.exe, 00000005.00000002.2924527429.0000018C79000000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: svchost.exe, 00000005.00000003.1696828733.0000018C79218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
    Source: svchost.exe, 00000005.00000003.1696828733.0000018C79218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
    Source: svchost.exe, 00000005.00000003.1696828733.0000018C79218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
    Source: svchost.exe, 00000005.00000003.1696828733.0000018C7924D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
    Source: edb.log.5.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://proxy.contoso.com:3128/
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
    Source: getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.g
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.ge
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsa
    Source: getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsc
    Source: getscreen-524501439.exe, 00000004.00000002.1731022451.000001EA72590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscre
    Source: getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F2188000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000003.1730276155.000001EA725EB000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000004.00000002.1731296103.000001EA725FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-policy/
    Source: getscreen-524501439.exe, 00000004.00000002.1730505971.000000D3562F5000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/te
    Source: getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F2188000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000003.1730276155.000001EA725EB000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000004.00000002.1731296103.000001EA725FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/terms-of-use/
    Source: getscreen-524501439.exe, 00000003.00000003.1741425324.00000224DAE73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/user-guides/agent/
    Source: getscreen-524501439.exe, 00000003.00000003.1743659448.00000224DADF8000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000003.00000003.1768740692.00000224DAE2D000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000003.00000003.1744174474.00000224DAE23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/user-guides/agent/div
    Source: svchost.exe, 00000005.00000003.1696828733.0000018C792C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
    Source: svchost.exe, 00000005.00000003.1696828733.0000018C792C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
    Source: svchost.exe, 00000005.00000003.1696828733.0000018C792C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
    Source: edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
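The "String found in binary or memory" rows above come from several origins that should not be read as one list: the sample's own process, the dropped -elevate helper (the ".0.dr" suffix marks a file written by process 0), and svchost.exe together with its qmgr.db and edb.log files, which hold the BITS job queue. The Chrome, OneDrive and Office update URLs in that last group are almost certainly leftovers of the analysis image's own update jobs rather than behaviour of the sample, and the CRL/OCSP/issuer URLs are carried by the Authenticode certificate chain of a signed binary. The script below is an added example, not part of the Joe Sandbox report, that parses rows in this format, attributes each URL to the sample or to host noise by the process column, and sorts it into buckets: PKI URLs, WebRTC RTP header-extension identifiers (compiled into the WebRTC stack as names, not fetched), vendor documentation links, updater URLs, truncated memory fragments (a value that is a strict prefix of another value in the set) and everything else. The sample rows are copied from this report, one of them trimmed to a single source column; which hosts count as PKI, WebRTC or updater infrastructure, and the set of process names treated as the sample, are the example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: processes that belong to the sample are the submitted binary and
# the "-elevate" helper it drops (both names taken from the report rows).
SAMPLE_PROCESSES = {
    "getscreen-524501439.exe",
    "mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe",
}

# One report row: "Source: <proc, dump-id, ..., dropped-file> String found in
# binary or memory: <value>". The optional "|" lets the parser read rows whether
# or not the two table cells were separated when the page was extracted.
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<value>\S.*?)\s*$"
)

# Constructed sample input: rows copied from this report (the proxy.contoso.com
# row is trimmed to one of its four source columns to keep the line short).
REPORT_ROWS = [
    "Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E",
    "Source: svchost.exe, 00000005.00000002.2924527429.0000018C79000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)",
    "Source: edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5",
    "Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://proxy.contoso.com:3128/",
    "Source: getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn",
    "Source: getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsc",
    "Source: getscreen-524501439.exe, 00000003.00000003.1741425324.00000224DAE73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.getscreen.me/user-guides/agent/",
    "Source: svchost.exe, 00000005.00000003.1696828733.0000018C792C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe",
]

# Assumption: host lists for the buckets, chosen from what appears in this report.
PKI_HOSTS = {"secure.globalsign.com", "www.globalsign.com"}
WEBRTC_HOSTS = {"www.webrtc.org", "www.ietf.org", "aomediacodec.github.io"}
UPDATER_HOSTS = {"edgedl.me.gvt1.com", "g.live.com", "oneclient.sfx.ms", "f.c2r.ts.cdn.office.net"}


def parse_row(line: str):
    """Return {"procs", "dropped", "value"} for a report row, or None if it is not one."""
    m = ROW_RE.match(line)
    if not m:
        return None
    tokens = [t.strip() for t in m.group("src").split(",")]
    return {
        "procs": sorted({t for t in tokens if t.lower().endswith(".exe")}),
        "dropped": sorted({t for t in tokens if t.endswith(".dr")}),
        "value": m.group("value"),
    }


def bucket(url: str) -> str:
    """Classify a URL by its host; trailing DER residue such as '0A' does not matter here."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith(("crl", "ocsp", "cacerts")) or host in PKI_HOSTS:
        return "pki"          # CRL/OCSP/issuer URLs from the Authenticode chain
    if host in WEBRTC_HOSTS:
        return "webrtc-uri"   # RTP header-extension identifiers, never fetched
    if host.endswith("getscreen.me"):
        return "vendor"
    if host in UPDATER_HOSTS:
        return "updater"      # Chrome/OneDrive/Office URLs from the BITS queue
    return "other"


def triage(rows):
    """Group URLs by origin ("sample" vs "host-noise") and then by bucket, deduplicated."""
    parsed = [r for r in (parse_row(line) for line in rows) if r]
    values = {r["value"] for r in parsed}
    out = {}
    for r in parsed:
        origin = "sample" if set(r["procs"]) & SAMPLE_PROCESSES else "host-noise"
        v = r["value"]
        # A value that is a strict prefix of another is a truncated read of the
        # same memory; check the longer string before discarding either.
        b = "fragment" if any(o != v and o.startswith(v) for o in values) else bucket(v)
        urls = out.setdefault(origin, {}).setdefault(b, [])
        if v not in urls:
            urls.append(v)
    return out


if __name__ == "__main__":
    for origin, buckets in triage(REPORT_ROWS).items():
        for name, urls in buckets.items():
            print(f"{origin:10} {name:11} {len(urls):2}  {urls[0]}")
```

Only the "sample"/"other" bucket deserves analyst time; on this report that is the proxy.contoso.com placeholder (a Microsoft documentation domain, here presumably a proxy-setting example string) and the zlib vendor URL, neither of which is a contacted endpoint.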
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
    Source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD156000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputData
    Source: Yara match | File source: Process Memory Space: getscreen-524501439.exe PID: 7640, type: MEMORYSTR
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    Source: getscreen-524501439.exe | Static PE information: Resource name: LANG type: DOS executable (COM)
    Source: getscreen-524501439.exe | Static PE information: Resource name: RT_ICON type: COM executable for DOS
    Source: mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | Static PE information: Resource name: LANG type: DOS executable (COM)
    Source: mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr | Static PE information: Resource name: RT_ICON type: COM executable for DOS
    Source: getscreen-524501439.exe, 00000000.00000003.1681532461.000001E0FB6E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000000.00000002.1722788532.00007FF7F2269000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD44C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSAMLib.DLLj% vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000000.00000000.1655771606.00007FF7F2269000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB605000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F98B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMMDevAPI.Dll.MUIj% vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000003.00000000.1691680456.00007FF7F2269000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000003.00000002.1777355393.00007FF7F2269000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000004.00000000.1689007317.00007FF7F2269000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000004.00000002.1737831497.00007FF7F2269000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: classification engineClassification label: mal51.evad.winEXE@9/13@1/2
    Source: C:\Users\user\Desktop\getscreen-524501439.exeFile created: C:\Users\user\AppData\Local\Getscreen.meJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439.exeMutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
    Source: C:\Users\user\Desktop\getscreen-524501439.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-524501439.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439.exeFile read: C:\Users\user\Desktop\getscreen-524501439.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe"
Source: unknown | Process created: C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe "C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe" -elevate \\.\pipe\elevateGS512mjzdpzvkpojpjfpkrhiihaxlnhqtrbo
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Source: C:\Users\user\Desktop\getscreen-524501439.exe | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97zgzpntwbganyddi -gui
Source: C:\Users\user\Desktop\getscreen-524501439.exe | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96gkkfxvsnstbbdol -cmem 0000pipe0PCommand96gkkfxvsnstbbdol2chiodsfu2cltpv -child
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\getscreen-524501439.exe | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97zgzpntwbganyddi -gui
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96gkkfxvsnstbbdol -cmem 0000pipe0PCommand96gkkfxvsnstbbdol2chiodsfu2cltpv -child
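The process rows above are the part of this report an analyst turns into hunting content: the launcher spawns a GUI instance (-gpipe ... -gui), a helper dropped to C:\ProgramData is started with -elevate and a named pipe, and an svchost.exe instance is the recorded parent of the -cpipe ... -child instance, with each pipe and the mutex carrying a fixed stem followed by a number and a random-looking suffix. As an added example (not part of the sandbox report and not Getscreen.me code), the script below takes the process, mutex and WMI rows, rebuilds the parent/child relations, pulls the pipe names out of the command lines and generalizes the per-run suffixes into patterns. The row text is copied from this page with the report's Source and Description columns joined by " | "; the suffix shape (stem, digits, lowercase run) is an assumption drawn from the four names seen here and is not something one run can confirm for other runs.

```python
"""Turn sandbox behaviour rows into hunting indicators.

Added example for this page, not code from the report or from Getscreen.me.
Input rows are "Source | Description"; the description opens with a category
such as "Process created", "Mutant created" or "WMI Queries".
"""
import re

# Constructed sample input: the process, mutex and WMI rows from the report,
# with the two table columns joined by " | ". Test data, not a live feed.
SAMPLE_ROWS = r"""
C:\Users\user\Desktop\getscreen-524501439.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
C:\Users\user\Desktop\getscreen-524501439.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
unknown | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe"
unknown | Process created: C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe "C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe" -elevate \\.\pipe\elevateGS512mjzdpzvkpojpjfpkrhiihaxlnhqtrbo
unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Users\user\Desktop\getscreen-524501439.exe | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97zgzpntwbganyddi -gui
C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96gkkfxvsnstbbdol -cmem 0000pipe0PCommand96gkkfxvsnstbbdol2chiodsfu2cltpv -child
"""

# Literal \\.\pipe\<name> as it appears in a command line.
PIPE_RE = re.compile(r"\\\\\.\\pipe\\[\w.-]+")
# "<image path> <command line>"; the image paths in these rows have no spaces.
PROC_RE = re.compile(r"^(?P<image>\S+) (?P<cmdline>.+)$")
# Fixed stem, then digits, then a lowercase run: the per-run suffix shape of
# the pipe and mutex names above (assumption: other runs follow the same shape).
SUFFIX_RE = re.compile(r"^(?P<stem>.*?[A-Za-z])\d+[a-z]{4,}$")
WMI_CLASS_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def parse_rows(text):
    """Split each "Source | Category: detail" row into its three parts."""
    rows = []
    for line in text.strip().splitlines():
        source, _, description = line.partition(" | ")
        category, _, detail = description.partition(": ")
        rows.append({"source": source, "category": category, "detail": detail})
    return rows


def generalize(name):
    """Regex for sibling runs: the stem is kept literally, the numeric plus
    random suffix becomes a digit run followed by a lowercase run."""
    m = SUFFIX_RE.match(name)
    return re.escape(m.group("stem")) + r"\d+[a-z]+" if m else re.escape(name)


def matches(pattern, name):
    return re.fullmatch(pattern, name) is not None


def extract_indicators(rows):
    """Collect the process tree, named pipes, mutexes and WMI classes, and
    derive generalized hunting patterns from the pipe and mutex names."""
    pipes, mutexes, wmi_classes, tree = set(), [], [], []
    for row in rows:
        cat, detail = row["category"], row["detail"]
        if cat == "Process created":
            m = PROC_RE.match(detail)
            if m:
                tree.append((row["source"], m.group("image"), m.group("cmdline")))
                pipes.update(PIPE_RE.findall(m.group("cmdline")))
        elif cat == "Mutant created":
            # Drop the \Sessions\<n>\BaseNamedObjects\ prefix, keep Global\...
            mutexes.append(detail.split("BaseNamedObjects\\", 1)[-1])
        elif cat == "WMI Queries":
            wmi_classes.extend(WMI_CLASS_RE.findall(detail))
    names = sorted(pipes) + mutexes
    return {
        "process_tree": tree,
        "pipes": sorted(pipes),
        "mutexes": mutexes,
        "wmi_classes": wmi_classes,
        "patterns": sorted({generalize(n) for n in names}),
    }


def spawned_by(indicators, parent_image_name):
    """Command lines whose recorded parent image ends with the given name."""
    return [cmd for parent, _image, cmd in indicators["process_tree"]
            if parent.lower().endswith(parent_image_name.lower())]


if __name__ == "__main__":
    ind = extract_indicators(parse_rows(SAMPLE_ROWS))
    for parent, image, cmd in ind["process_tree"]:
        print(f"{parent}\n  -> {image}\n     {cmd}")
    for key in ("pipes", "mutexes", "wmi_classes", "patterns"):
        print(f"{key}:", *ind[key], sep="\n  ")
```

The generalized patterns are the part worth keeping: a rule on the literal pipe name would match only this run, while `\\.\pipe\PCommand\d+[a-z]+` and the mutex stem survive the per-run suffix. They stay assumptions until checked against a second execution.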
Source: C:\Users\user\Desktop\getscreen-524501439.exe | Section loaded (in order): d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, umpdc.dll, cryptbase.dll, netutils.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, fwpolicyiomgr.dll, ntmarta.dll, mmdevapi.dll, devobj.dll, avrt.dll, mfwmaaec.dll, avrt.dll, audioses.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, wintypes.dll, twinapi.appcore.dll, coremessaging.dll, twinapi.appcore.dll, coreuicomponents.dll, coremessaging.dll, coremessaging.dll, propsys.dll, wintypes.dll, coreuicomponents.dll, winsta.dll, wbemcomn.dll, amsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, ondemandconnroutehelper.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll, samlib.dll, symsrv.dll
Source: C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe | Section loaded (in order): d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, umpdc.dll, cryptbase.dll, netutils.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded (in order): kernel.appcore.dll, seclogon.dll, wldp.dll, sspicli.dll, userenv.dll, profapi.dll
Source: C:\Users\user\Desktop\getscreen-524501439.exe | Section loaded (in order): d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, umpdc.dll, cryptbase.dll, netutils.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, ntmarta.dll, d2d1.dll, dwrite.dll, dwmapi.dll, mswsock.dll, dataexchange.dll, dcomp.dll, twinapi.appcore.dll, directmanipulation.dll, resourcepolicyclient.dll, d3d10warp.dll, dxcore.dll, windowscodecs.dll, mscms.dll, coloradapterclient.dll, icm32.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, uiautomationcore.dll, propsys.dll, textshaping.dll
Source: C:\Users\user\Desktop\getscreen-524501439.exe | Section loaded (in order): d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, umpdc.dll, cryptbase.dll, netutils.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, ntmarta.dll, winsta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded (in order): kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, fwpuclnt.dll, rasadhlp.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, dpapi.dll, mpr.dll
Source: C:\Users\user\Desktop\getscreen-524501439.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
Source: getscreen-524501439.exe | Static PE information: certificate valid
Source: getscreen-524501439.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: getscreen-524501439.exe | Static file information: File size 7627552 > 1048576
Source: getscreen-524501439.exe | Static PE information: Raw size of section UPX1 is 0x740200, above the 0x100000 threshold
Source: getscreen-524501439.exe | Static PE information: DllCharacteristics HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9976000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exelib.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8C0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF20000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD015000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exec6.pdbl source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exet.pdbpdb$ source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD02D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB729000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD83A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD81C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FDF40000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE3FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFF2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WindowManagementAPI.pdb7c source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD02D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb_b/D9 source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FED41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFE4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE310000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9904000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8B4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oses.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FDA4D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ZwWaitForMultipleObjectssExhttp.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB723000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE888000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FDF40000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: getscreen-524501439.exemsvcp_win.pdb) source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE5EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB69E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD00F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF025000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6BC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD009000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF295000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEB0E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE6A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.dllorye.pdb, source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: <;op\symbols\dll\samlib.pdbb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9904000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE81E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE36B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD840000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD015000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6BC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WindowManagementAPI.pdbb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FECD7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF295000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB723000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD834000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD810000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FECD7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE7C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB698000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8B4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD009000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6B0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD82E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD822000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ZwWaitForMultipleObjectssExhttp.pdbh source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD816000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEB6D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: BaseThreadInitThunkexesExypi.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEDF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdbp source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD82E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF357000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF26000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exet.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6D3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdbOb?D; source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mpr.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFF2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdbatu source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9976000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8D7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\gdi32full.pdbwbGD4 source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8A8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFFD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\gdi32full.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEDF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\x64\Release\getscreen.pdb source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF2C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF357000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD74D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF26000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD834000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEBC7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF2C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: (26FWPolicyIOMgr.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FDAB2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF2EF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nt.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE582000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD021000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEB0E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exet.pdbuiF source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE310000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF025000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFEA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ypi.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEE62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD003000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE4C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEF20000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE81E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE456000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD027000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8C0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FED41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FirewallAPI.pdbpdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8D7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\cryptbase.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbdb?b source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE6A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE4C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD021000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6AA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB71D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: win32u.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8D1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD822000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF238000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FED9C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdblbWc'E source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF238000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6B6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFEA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB729000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE51D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: putHost.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD01B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEC7D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdbJ source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ox.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD81C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD7FF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE45C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD828000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6B0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE5EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SAS.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD01B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD840000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEE62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB71D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEBC7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6AA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEC7D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdbOS source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9976000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEB6D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE36B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: BaseThreadInitThunkexelox.pdbw source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE51D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEEC6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE582000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD027000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FED9C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8A8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FD00F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF031000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF2EF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB69E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE7C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb source: getscreen-524501439.exe, 00000000.00000002.1713093595.000001E0FCFE4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\TextInputFramework.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NtDelayExecution439.exellnt.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FF031000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE456000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume3\Users\user\Desktop\getscreen-524501439.exelib.pdbbX source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE3FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB8A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD828000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD7FF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Windows.Storage.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\msvcp_win.pdb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9962000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: getscreen-524501439.exemswsock.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-524501439.exe, 00000000.00000002.1714912988.000001E0FE45C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: orye.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD83A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: $.0x1405FE40F2.dllputHost.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB717000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6C8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD816000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB6C2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB698000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdbb source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9904000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-524501439.exe, 00000000.00000002.1717779464.000001E0FEEC6000.00000004.00000020.00020000.00000000.sdmp
    Source: getscreen-524501439.exe; Static PE information: real checksum: 0x7518c8 should be: 0x74cf19
    Source: mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe.0.dr; Static PE information: real checksum: 0x7518c8 should be: 0x74cf19
    Source: initial sample; Static PE information: section name: UPX0
    Source: initial sample; Static PE information: section name: UPX1
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; File created: C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 14
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; System information queried: FirmwareTableInformation
    Source: C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe; System information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\getscreen-524501439.exe TID: 7756; Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\getscreen-524501439.exe TID: 7920; Thread sleep count: 199 > 30
    Source: C:\Windows\System32\svchost.exe TID: 8000; Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Last function: Thread delayed
    Source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB608000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: $VMware Virtual RAM
    Source: getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
    Source: getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: VMnet
    Source: getscreen-524501439.exe, 00000000.00000002.1711329169.000001E0FB608000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Win32_PhysicalMemoryRAM slot #0RAM slot #0VMware Virtual RAMVMW-4096MB00000001
    Source: getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
    Source: getscreen-524501439.exe, 00000000.00000002.1707959869.00000014831F0000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: RAM slot #0RAM slot #0@VMware Virtual RAMVMW-4096MB00000001
    Source: getscreen-524501439.exe, 00000000.00000002.1707959869.00000014831F0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: {"token":"","uid":"71434D56-1548-ED3D-AEE6-C75AECD93BF0","turbo":"2203681736138584UtEFjbrdjMX3qgoXgI9f","turbo_old":"","invite":"","brand":"","install":false,"admin":true,"isadmin":true,"onetime":true,"file_download":true,"name":"226533","nonadmin":true,"islock":false,"blackscreen_available":true,"hibernate":true,"power_supply":true,"silent":false,"start_time":1736138697,"os":"win","rdp":false,"os_user":"user","os_username":"","build":228,"version":"3.1.5","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"CPUSpeed\":2000,\"CPUCores\":4,\"CPUCoresLogical\":1,\"CPUFamily\":\"Intel64 Family 6 Model 143 Stepping 8\",\"BIOS\":\"MW67HU34P8\",\"BIOSVersion\":\"20221121\",\"BIOSDate\":\"\",\"RAMPhys\":8191,\"RAMPhysAvail\":2242,\"RAMVirt\":134217727,\"RAMVirtAvail\":134213408,\"RAMPageFile\":8191,\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Locator\":\"RAM slot #0\",\"DataWidth\":64,\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":4096}],\"
    Source: getscreen-524501439.exe, 00000003.00000002.1772273057.00000224D69DB000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000003.00000003.1769504902.00000224D69DA000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000003.00000002.1771883306.00000224D6964000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2924623659.0000018C79058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2923453260.0000018C73A2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
    Source: getscreen-524501439.exe, 00000000.00000002.1712166440.000001E0FB6E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {"token":"","uid":"71434D56-1548-ED3D-AEE6-C75AECD93BF0","turbo":"2203681736138584UtEFjbrdjMX3qgoXgI9f","turbo_old":"","invite":"","brand":"","install":false,"admin":true,"isadmin":true,"onetime":true,"file_download":true,"name":"226533","nonadmin":true,"islock":false,"blackscreen_available":true,"hibernate":true,"power_supply":true,"silent":false,"start_time":1736138697,"os":"win","rdp":false,"os_user":"user","os_username":"","build":228,"version":"3.1.5","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"CPUSpeed\":2000,\"CPUCores\":4,\"CPUCoresLogical\":1,\"CPUFamily\":\"Intel64 Family 6 Model 143 Stepping 8\",\"BIOS\":\"MW67HU34P8\",\"BIOSVersion\":\"20221121\",\"BIOSDate\":\"\",\"RAMPhys\":8191,\"RAMPhysAvail\":2242,\"RAMVirt\":134217727,\"RAMVirtAvail\":134213408,\"RAMPageFile\":8191,\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Locator\":\"RAM slot #0\",\"DataWidth\":64,\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":4096}],\"VideoName\":\"K8U1W1\",\"VideoRAM\":1024,\"VideoCards\":[{\"Name\":\"K8U1W1\",\"RAM\":1024,\"Integrated\":false}],\"Locale\":\"0809\",\"LocaleOemPage\":\"1252\",\"LocaleCountry\":\"Switzerland\",\"LocaleCurrency\":\"CHF\",\"LocaleTimezone\":60,\"LocaleFormatTime\":\"HH:mm:ss\",\"LocaleFormatDate\":\"dd\\\/MM\\\/yyyy\",\"ComputerModel\":\"uyyWpgYW\",\"ComputerDomain\":\"9aSbS\",\"ComputerWorkgroup\":\"WORKGROUP\",\"ComputerName\":\"user-PC\",\"ComputerIP\":[\"192.168.2.4\",\"fe80::29b9:a951:1791:4eb3\"],\"OSName\":\"Microsoft Windows 10 Pro\",\"OSVersion\":\"10.0.19045\",\"HDD\":[{\"Model\":\"17RGZVOD SCSI Disk Device\",\"Size\":393199}],\"LogicalDisks\":[{\"Disk\":\"C:\",\"Name\":\"\",\"FileSystem\":\"NTFS\",\"Size\":213143,\"FreeSpace\":19035}],\"SoundDevices\":[],\"NetAdapters\":[{\"Name\":\"Intel(R) 82574L Gigabit 
Network Connection\",\"Manufacturer\":\"Intel Corporation\",\"MACAddress\":\"EC:F4:BB:EA:15:88\",\"Speed\":953,\"Addresses\":\"192.168.2.4, fe80::29b9:a951:1791:4eb3\",\"DNS\":\"1.1.1.1\",\"DCHP\":\"\",\"Cable\":true,\"WoL\":false}],\"Monitors\":[]}"}
    Source: getscreen-524501439.exe, 00000000.00000002.1707959869.00000014831F0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: {"CPU":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","CPUSpeed":2000,"CPUCores":4,"CPUCoresLogical":1,"CPUFamily":"Intel64 Family 6 Model 143 Stepping 8","BIOS":"MW67HU34P8","BIOSVersion":"20221121","BIOSDate":"","RAMPhys":8191,"RAMPhysAvail":2242,"RAMVirt":134217727,"RAMVirtAvail":134213408,"RAMPageFile":8191,"RAMBanks":[{"Bank":"RAM slot #0","Locator":"RAM slot #0","DataWidth":64,"Manufacturer":"VMware Virtual RAM","PartNumber":"VMW-4096MB","SerialNumber":"00000001","Capacity":4096}],"VideoName":"K8U1W1","VideoRAM":1024,"VideoCards":[{"Name":"K8U1W1","RAM":1024,"Integrated":false}],"Locale":"0809","LocaleOemPage":"1252","LocaleCountry":"Switzerland","LocaleCurrency":"CHF","LocaleTimezone":60,"LocaleFormatTime":"HH:mm:ss","LocaleFormatDate":"dd\/MM\/yyyy","ComputerModel":"uyyWpgYW","ComputerDomain":"9aSbS","ComputerWorkgroup":"WORKGROUP","ComputerName":"user-PC","ComputerIP":["192.168.2.4","fe80::29b9:a951:1791:4eb3"],"OSName":"Microsoft Windows 10 Pro","OSVersion":"10.0.19045","HDD":[{"Model":"17RGZVOD SCSI Dis
    Source: getscreen-524501439.exe, 00000000.00000002.1707959869.00000014831F0000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: VMware Virtual RAM
    Source: getscreen-524501439.exe, 00000000.00000002.1710523356.000001E0F9904000.00000004.00000020.00020000.00000000.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671253971.0000012A2F191000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000004.00000003.1728547126.000001EA725E2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Process queried: DebugPort
    Source: C:\Windows\System32\svchost.exe; Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96gkkfxvsnstbbdol -cmem 0000pipe0PCommand96gkkfxvsnstbbdol2chiodsfu2cltpv -child
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD156000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: GetProgmanWindow
    Source: getscreen-524501439.exe, 00000000.00000002.1713806657.000001E0FD156000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SetProgmanWindow
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
    Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
    Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
    Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
    Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
    Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
    MITRE ATT&CK matrix (columns are tactics; a leading number marks a technique matched by this sample's signatures):

    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 631 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 11 Masquerading | 11 Input Capture | 741 Security Software Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 551 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 551 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 142 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe | 0% | ReversingLabs | |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://docs.ge | 0% | Avira URL Cloud | safe |
    https://docs.g | 0% | Avira URL Cloud | safe |
    https://docs.getscreen.me/en/rules/terms-of-use/ | 0% | Avira URL Cloud | safe |
    https://docs.getsc | 0% | Avira URL Cloud | safe |
    https://docs.getsa | 0% | Avira URL Cloud | safe |
    https://docs.getscre | 0% | Avira URL Cloud | safe |
    https://docs.getscreen.me/en/rules/te | 0% | Avira URL Cloud | safe |
    http://proxy.contoso.com:3128/ | 0% | Avira URL Cloud | safe |
    https://docs.getscreen.me/user-guides/agent/ | 0% | Avira URL Cloud | safe |
    https://docs.getscreen.me/en/rules/privacy-policy/ | 0% | Avira URL Cloud | safe |
    https://docs.getscreen.me/user-guides/agent/div | 0% | Avira URL Cloud | safe |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    getscreen.me | 78.47.165.25 | true | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    https://getscreen.me/signal/agent | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://docs.ge | getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://g.live.com/odclientsettings/Prod.C: | edb.log.5.dr | false | | high
    http://proxy.contoso.com:3128/ | getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscreen.me/user-guides/agent/ | getscreen-524501439.exe, 00000003.00000003.1741425324.00000224DAE73000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://g.live.com/odclientsettings/ProdV2 | edb.log.5.dr | false | | high
    https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000005.00000003.1696828733.0000018C792C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | false | | high
    https://docs.getscreen.me/en/rules/te | getscreen-524501439.exe, 00000004.00000002.1730505971.000000D3562F5000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscre | getscreen-524501439.exe, 00000004.00000002.1731022451.000001EA72590000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://crl.ver) | svchost.exe, 00000005.00000002.2924527429.0000018C79000000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://www.winimage.com/zLibDll | getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | false | | high
    https://g.live.com/odclientsettings/ProdV2.C: | edb.log.5.dr | false | | high
    https://docs.g | getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscreen.me/en/rules/terms-of-use/ | getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F2188000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000003.1730276155.000001EA725EB000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000004.00000002.1731296103.000001EA725FF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getsc | getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getsa | getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF6522DC000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0F7C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | false | | high
    https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | getscreen-524501439.exe, 00000000.00000002.1719569531.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe, 00000001.00000002.1671493539.00007FF651E41000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000003.00000002.1775411935.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F0AE1000.00000040.00000001.01000000.00000003.sdmp | false | | high
    https://docs.getscreen.me/en/rules/privacy-policy/ | getscreen-524501439.exe, 00000004.00000002.1731677236.00007FF7F2188000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000004.00000003.1730276155.000001EA725EB000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000004.00000002.1731296103.000001EA725FF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000005.00000003.1696828733.0000018C792C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | false | | high
    https://docs.getscreen.me/user-guides/agent/div | getscreen-524501439.exe, 00000003.00000003.1743659448.00000224DADF8000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000003.00000003.1768740692.00000224DAE2D000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000003.00000003.1744174474.00000224DAE23000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    78.47.165.25 | getscreen.me | Germany | | 24940 | HETZNER-ASDE | false
                          IP
                          127.0.0.1
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1584647
                          Start date and time:2025-01-06 05:44:07 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 47s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:10
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:getscreen-524501439.exe
                          Detection:MAL
                          Classification:mal51.evad.winEXE@9/13@1/2
                          EGA Information:Failed
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded IPs from analysis (whitelisted): 23.56.254.164, 172.202.163.200, 13.107.246.45
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
23:45:00 | API Interceptor | 1x Sleep call for process: getscreen-524501439.exe modified
23:45:00 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match: 78.47.165.25
Associated Sample Name / URL | Detection | Threat Name | Context
getscreen-868841125.exe | malicious | Unknown |
getscreen-868841125.exe | malicious | Unknown |
getscreen-120727697-x86.exe | malicious | Unknown |
getscreen-669912037.exe | malicious | Unknown |
getscreen-456311346-x86.exe | malicious | Unknown |
getscreen-456311346-x86.exe | malicious | Unknown |
getscreen-941605629.exe | malicious | Unknown |
getscreen-941605629.exe | malicious | Unknown |
getscreen-156413884-x86.exe | malicious | Unknown |
getscreen-156413884-x86.exe | malicious | Unknown |
Match: getscreen.me
Associated Sample Name / URL | Detection | Threat Name | Context
getscreen-868841125.exe | malicious | Unknown | 78.47.165.25
getscreen-868841125.exe | malicious | Unknown | 51.89.95.37
getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
getscreen-669912037.exe | malicious | Unknown | 51.89.95.37
getscreen-120727697-x86.exe | malicious | Unknown | 51.89.95.37
getscreen-669912037.exe | malicious | Unknown | 5.75.168.191
getscreen-456311346-x86.exe | malicious | Unknown | 78.47.165.25
getscreen-456311346-x86.exe | malicious | Unknown | 5.75.168.191
getscreen-941605629.exe | malicious | Unknown | 78.47.165.25
Match: HETZNER-ASDE
Associated Sample Name / URL | Detection | Threat Name | Context
ny9LDJr6pA.exe | malicious | Quasar | 195.201.57.90
2.elf | malicious | Unknown | 213.133.114.151
ZT0KQ1PC.exe | malicious | PureLog Stealer, Vidar | 116.203.13.109
cZO.exe | malicious | Unknown | 128.140.43.40
jaTDEkWCbs.exe | malicious | Quasar | 195.201.57.90
NpHauDPoR8.exe | malicious | Unknown | 88.198.29.97
armv6l.elf | malicious | Mirai | 85.10.220.49
1.elf | malicious | Unknown | 138.201.212.111
RisingStrip.exe | malicious | Vidar | 116.203.13.109
ebjtOH70jl.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 135.181.65.216
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                                              File Type:ASCII text
                                              Category:modified
                                              Size (bytes):17066
                                              Entropy (8bit):5.4233179396348845
                                              Encrypted:false
                                              SSDEEP:384:noxZw4xtANjfh0ylr8WTHAmWTHA5THAC0wbotKgiJOUqYWTHAlWTHANTHAeqDqba:rcx
                                              MD5:D15823D1CC75A600C2AC753B343E7C43
                                              SHA1:9FF006E491717B43C543DD0EB25D45CD7605466B
                                              SHA-256:7D0B8948638DA5415550518AB5311CACC3210B1CCF54DB9015AF617A15FB7C8D
                                              SHA-512:2124CABB51870AD408BCCBDCA6F639D73CC70B305F9251117A2363B096905B7AA7E13D5214AC8C9DB39766C033657B70418A9A07CE14E5B774227E7B5FF97293
                                              Malicious:false
                                              Reputation:low
                                              Preview:Filename.: getscreen-524501439.exe-92551aec3e0fe22c000318da335bfafd3eb8d54a.crash.SHA1..: 92551aec3e0fe22c000318da335bfafd3eb8d54a.Time..: 2025.1.6 4:45.Program..: Getscreen.me.Version..: 3.1.5.OS...: Windows 10 build 19045, x64.BIOS..: .Explorer.: 11.789.19041.0.Processors.: 0 x .Video..: .Computer.: .Memory..: 2 free of 8 Gb.Handles..: 429.Image Base.: 0x140000000..Exception.: 0xC0000005 at 0x00007FF7F06D47BC (getscreen-524501439.exe.$0x5F47BC)..Modules...: C:\Users\user\Desktop\getscreen-524501439.exe (3.1.5.0)...: C:\Windows\SYSTEM32\ntdll.dll (10.0.19041.1949)...: C:\Windows\System32\KERNEL32.DLL (10.0.19041.1889)...: C:\Windows\System32\KERNELBASE.dll (10.0.19041.1949)...: C:\Windows\System32\ADVAPI32.dll (10.0.19041.1682)...: C:\Windows\System32\msvcrt.dll (7.0.19041.546)...: C:\Windows\System32\sechost.dll (10.0.19041.1865)...: C:\Windows\System32\RPCRT4.dll (10.0.19041.1806)...: C:\Windows\System32\COMDLG32.dll (10.0.19041.1806)...: C:\Windows\System32\combase.dll (10.0.19041
                                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):5.8125
                                              Encrypted:false
                                              SSDEEP:3:Bv2bzR0i8V6IOM+C8uzP:W7RJuj
                                              MD5:B09E34810BC66FDCFFA851AD3FB8FC82
                                              SHA1:E248D8B4B250692836567C8B949E9CAA2F498CF8
                                              SHA-256:2A12A3324C62B3B72FFBC592B15910EB3B24EE7AD65602C5C7DE93FF911E2C4F
                                              SHA-512:19DCAE5AA492CCD9F86D4D10D60AB900C93F24A924EB9CAD16B9558B7F98C70C9A8D0A7415B564B59BD795D577563E16F07FADE63805E2185E7B43A9A2C37456
                                              Malicious:false
                                              Reputation:low
                                              Preview:...J.+.q....:.O..>....`.?..s..z....,.6.<.....2.@\.%.+.#.K.jK..
                                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):851
                                              Entropy (8bit):4.936970627035825
                                              Encrypted:false
                                              SSDEEP:12:HFNhL8zA7S1JrfF8zA7S1JrfVj8zA7S1Jrfg1KAkG1F/3oNDHeyqNFqzm1l0z:T18zA7YF8zA7YV8zA7YggA/H/6awK2
                                              MD5:F3736D997715243CA9D06A3480807C7F
                                              SHA1:5F6EA6B15373CA437A247CE340B904551461FA99
                                              SHA-256:C7BB3C1B79021A26CFE045D176D26627C1F304985D339B01674E46B2FA376D91
                                              SHA-512:3927291272B16FCF41900B15180D2862FD3CC8F1EF5F6A8B70B2512113E5831F81363888C89D8985090D397DEB1C576980589B9B6886A8A8ADA8084280931DA5
                                              Malicious:false
                                              Reputation:low
                                              Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..06:27:37.298.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1024-0:1280 desktop: 0:1024-0:1280..06:27:37.300.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1024-0:1280 desktop: 0:1024-0:1280..06:27:37.300.INFO.BlackScreen initialized..06:27:37.300.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1024-0:1280 desktop: 0:1024-0:1280..06:27:37.300.INFO.Capture select monitor '\\.\DISPLAY1'..06:27:37.340.INFO.Capture set frame rate to 30..06:27:37.340.INFO.Child frame mark off..06:27:37.340.INFO.FrameMark hide frame..06:27:40.902.INFO.Child get stop message..06:27:40.904.INFO.Opus compress stop..06:27:40.904.INFO.Capture capture stopped..
                                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3028
                                              Entropy (8bit):4.863339281434885
                                              Encrypted:false
                                              SSDEEP:24:Tg6yRBtN8BBny9NBQ5Rh85wlFdquoeCFiNBx1BTJ2gL:TgxRBj8f76oQuC4T1NHL
                                              MD5:3153B3B0AF4698847333D50D4E02A948
                                              SHA1:9F3EA99288D3389BBBE2E81A4542B0806FF33BB9
                                              SHA-256:48987B1A9EE714029140188D0AEF65D699A10A7FC046778A6FC11DE7A3EE0EC5
                                              SHA-512:39B1A0C1C72CA0565F2D781F99BC4FF141D19285BA686D67196C02CC53D7395106869B66175772576A371E17DD8803771816177D630B5020EF6805F6F15765EA
                                              Malicious:false
                                              Reputation:low
                                              Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..06:27:37.470.INFO.Gui GUI started..06:27:37.638.INFO.Gui load data: 'this://app/main-turbo.htm'..06:27:37.661.INFO.Gui load data: 'this://app/common/zepto.min.js'..06:27:37.666.INFO.Gui load data: 'this://app/common/sciter.js'..06:27:37.670.INFO.Gui load data: 'this://app/ico/favicon.ico'..06:27:37.708.INFO.Gui document ready..06:27:37.733.INFO.Gui load data: 'this://app/lang/en.json'..06:27:37.786.INFO.Gui send event event-application-status: {"value":"connecting"}'..06:27:37.787.INFO.Gui send event event-install-status: {"value":false}'..06:27:37.820.INFO.Gui load data: 'this://app/ico/stop.ico'..06:27:37.851.INFO.Gui send event event-domain: {"value":""}'..06:27:37.851.INFO.Gui send event event-fastaccess-url: {"value":""}'..06:27:37.851.INFO.Gui send event event-fa
                                              Process:C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):2594
                                              Entropy (8bit):5.140311165071483
                                              Encrypted:false
                                              SSDEEP:48:TkxH4oAUdWcMEfAhJIipJIS2QScXIoVe9jGlODeVDcXI3HGElCM/1dR:+4BROKe9jGlOuDZGvm1v
                                              MD5:23ED16D5CC9904817FB1D5872E678C71
                                              SHA1:AAE1316C96365673DC359D5DD1E677AEF2D6C76B
                                              SHA-256:EAAD706CB670C6B9541F7E52616673AEB7A9599A80904A9370730F69643A5A3E
                                              SHA-512:CCE5B95D0F88EC2536363A14B650401461AF7E89D18F4168236807B0DFD00C53F759996EB7E4DA68A9838C568B21AC9827E242B18ECC15040C2D611AE6B329FB
                                              Malicious:false
                                              Reputation:low
                                              Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..06:27:34.060.INFO.Server start server run....06:27:34.061.INFO.Start Getscreen.me v 3.1.5 build 228 revision 0..06:27:34.605.ERROR.Service service 'GetscreenSV' not found..06:27:34.770.INFO.Service service 'GetscreenSV' installed..06:27:35.190.INFO.Service service 'GetscreenSV' start success..06:27:35.190.INFO.Service get control message 1..06:27:35.198.INFO.Capture capture stopped..06:27:35.203.INFO.FrameMark hide frame..06:27:35.716.INFO.Service service 'GetscreenSV' stop [0] (0)..06:27:36.235.INFO.Service service 'GetscreenSV' removed..06:27:36.249.INFO.Child success get system token..06:27:36.252.INFO.Child start child process simply..06:27:36.253.INFO.Shared remove shared memory 0000pipe0PCommand96gkkfxvsnstbbdol2chiodsfu2cltpv..06:27:36.253.INFO.Shared create shared memory 0000pipe0PCommand96gkkfxvs
                                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):16777520
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:76E060E929A27A8F50A5EA6EDFC52356
                                              SHA1:91B7BC99D759D84720B376F69BC934D75D9EC549
                                              SHA-256:95F95F6678AD42DE249FE02F78472B553837B1E2AECD2F43B5715FAE9187FEAE
                                              SHA-512:F1A361F28A87B18B8B5707BD3332E751EE30DFC5C9A32A4BBC39B7E8D5AC34385E96B49546003741A797C1A8E53537A91D5345DFCB1707BC65A483D458FD38FE
                                              Malicious:false
                                              Reputation:low
                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):7627552
                                              Entropy (8bit):7.94390849717838
                                              Encrypted:false
                                              SSDEEP:98304:qT0vaR0C912Is4uDTlWDxqi/S/YMUXhoXueFkEu1WefOo6CMCFiATJsqI:c0sN4P3nixx/kYMUxaue+EuwcwCRM
                                              MD5:00D07884F13526FA6BECBE099A3E0AA0
                                              SHA1:227CAF73541A654E5BA35B25922BCCD63EE507D6
                                              SHA-256:FE6B1C9250D666713E5B1CEABCB9C1C5030556EA061BFCB3C8B1D91AF45BA0DD
                                              SHA-512:0DDC6D1A458C5E762D9A1A58D7B6BDBE6A9B7C1AFAF390F0B7535A1B65B04F8433684D3E993D9959717C4FDC1D057D7A03C2EDA5CD47BA8E3CA8809FD06E5900
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......n.\g*t24*t24*t24a.15.t24...4"t24..65>t24>.65.t24*t24.s24a.55+t24..15$t24..75St24a.75.t24a.65~t24a.45(t24a.35gt24*t34.w249.;5.v249.25+t249..4+t24*t.4+t249.05+t24Rich*t24........................PE..d...r..g.........."....(..t..0...p...y.........@......................................u...`.........................................p....T..8...........8#.......#...4t. /......,...........................@|..(...0...@...........................................UPX0.....p..............................UPX1......t.......t.................@....rsrc....0............t.............@..............................................................................................................................................................................................................................................................................................4.22.UPX!.$..
                                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1310720
                                              Entropy (8bit):1.3073225382660285
                                              Encrypted:false
                                              SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvr5:KooCEYhgYEL0In
                                              MD5:5FE4343FA4CA94DAEA6A87BF6A223C80
                                              SHA1:A7A1CABC8D0222CEA41D26A710ED4F7CD22F5638
                                              SHA-256:CCE7777E2CAFBA92D15822B0F809CBD57AA55FA788D9B4A257068F29CDAC6B9D
                                              SHA-512:663B0AFEEEE4223D3FD09C3F01144A006E10F7BFDE91B7D7CC734E79B5E7AECCA4FC463595A174EBE987522959C762C073622B543125A34D4B2AA175D2A8F167
                                              Malicious:false
                                              Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0xda8f730e, page size 16384, DirtyShutdown, Windows version 10.0
                                              Category:dropped
                                              Size (bytes):1310720
                                              Entropy (8bit):0.42210354819740986
                                              Encrypted:false
                                              SSDEEP:1536:pSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:paza/vMUM2Uvz7DO
                                              MD5:10AE5A213156B7B7EC94276E20ADB693
                                              SHA1:99900F84425BE0440173EC3535296787DC9F3ED1
                                              SHA-256:BBAF70C8EB11EC34A31BD9EC714F764C3CA08452387FCA0E51AB70074E6FE450
                                              SHA-512:F9CA08D203916CE0EB4B5EBDC35098BF96807D295FB13590920C8C0AA971ADE438841592CBBB0A33FCCB418F5CCA78BA78CA613FAA099632ADCC6278998B862B
                                              Malicious:false
                                              Preview:.s.... .......A.......X\...;...{......................0.!..........{A..-...}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................Q..C.-...}....................P.-...}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):16384
                                              Entropy (8bit):0.07640354246624734
                                              Encrypted:false
                                              SSDEEP:3:JillyYeTSLCCjn13a/LtYYGqllcVO/lnlZMxZNQl:JGlyzTM53qx1GeOewk
                                              MD5:83C0D29C556CED9D7B79283CDA0AFA01
                                              SHA1:F516B10AB67DE6F9C5D75F2AA7F1B4EA22C027EE
                                              SHA-256:A975C88E08B70BC29395796C17B1C7FE9E0AF99CCDC930508F24E912D5E9146F
                                              SHA-512:8AF9671A16C772281BDF7F358AA6BF0CB15D1408A29D6EB8A74904E32F2C32500484BFF84D82CD89C7A73ECAFB90643B9599CCC92603FA4F7543649A22597742
                                              Malicious:false
                                              Preview:..(R.....................................;...{...-...}.......{A..............{A......{A..........{A]..................P.-...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):5.769454882778696
                                              Encrypted:false
                                              SSDEEP:3:Bv2bzR0i8V6IOMpFl8g:W7ROFz
                                              MD5:A716908C1620216050A4F82ED004078A
                                              SHA1:65A6FD35C305BCD0BEC2140943EAED3DC95483E0
                                              SHA-256:9CE377A4DD67B02898621704530D73589B2EDF0F1EFB3ED4D7F14F46D96AA209
                                              SHA-512:54DABF6F139661D7339CF8E43188512CF53FCBD846E6B4F33088CDE0602483347FDC299C9F297B5C5A71F39BE81675593992044DD4BDA84AB689B19959F841E5
                                              Malicious:false
                                              Preview:...J.+.q....:.O..>....`.?..s..z....,.6.<.....2.8UO..u.C/.A{;
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):55
                                              Entropy (8bit):4.306461250274409
                                              Encrypted:false
                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                              Malicious:false
                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Entropy (8bit):7.94390849717838
                                              TrID:
                                              • Win64 Executable GUI (202006/5) 81.26%
                                              • UPX compressed Win32 Executable (30571/9) 12.30%
                                              • Win64 Executable (generic) (12005/4) 4.83%
                                              • Generic Win/DOS Executable (2004/3) 0.81%
                                              • DOS Executable Generic (2002/1) 0.81%
                                              File name:getscreen-524501439.exe
                                              File size:7'627'552 bytes
                                              MD5:00d07884f13526fa6becbe099a3e0aa0
                                              SHA1:227caf73541a654e5ba35b25922bccd63ee507d6
                                              SHA256:fe6b1c9250d666713e5b1ceabcb9c1c5030556ea061bfcb3c8b1d91af45ba0dd
                                              SHA512:0ddc6d1a458c5e762d9a1a58d7b6bdbe6a9b7c1afaf390f0b7535a1b65b04f8433684d3e993d9959717c4fdc1d057d7a03c2eda5cd47ba8e3ca8809fd06e5900
                                              SSDEEP:98304:qT0vaR0C912Is4uDTlWDxqi/S/YMUXhoXueFkEu1WefOo6CMCFiATJsqI:c0sN4P3nixx/kYMUxaue+EuwcwCRM
                                              TLSH:4A76337A944E146DC6738276AE541E932E0B930DA4435AE8D68C9B9F1374EF00FE7387
                                              File Content Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......n.\g*t24*t24*t24a.15.t24...4"t24..65>t24>.65.t24*t24.s24a.55+t24..15$t24..75St24a.75.t24a.65~t24a.45(t24a.35gt24*t34.w249.;5.v2
                                              Icon Hash:418c6963696c9643
                                              Entrypoint:0x1421879d0
                                              Entrypoint Section:UPX1
                                              Digitally signed:true
                                              Imagebase:0x140000000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x67178872 [Tue Oct 22 11:11:46 2024 UTC]
TLS Callbacks:0x42187c18, 0x1 (one callback; the value appears to be the low 32 bits of VA 0x142187c18, i.e. RVA 0x2187c18 in UPX1, just before the TLS directory at RVA 0x2187c40)
                                              CLR (.Net) Version:
                                              OS Version Major:6
                                              OS Version Minor:0
                                              File Version Major:6
                                              File Version Minor:0
                                              Subsystem Version Major:6
                                              Subsystem Version Minor:0
                                              Import Hash:7c27dce4bef0d003a570ce3109e1f949
                                              Signature Valid:true
                                              Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                              Signature Validation Error:The operation completed successfully
                                              Error Number:0
Not Before:28/05/2024 14:50:28
Not After:28/06/2026 15:36:10
                                              Subject Chain
                                              • CN=POINT B LTD, O=POINT B LTD, L=Limassol, S=Limassol, C=CY, OID.1.3.6.1.4.1.311.60.2.1.3=CY, SERIALNUMBER=HE 430957, OID.2.5.4.15=Private Organization
                                              Version:3
                                              Thumbprint MD5:9B083870477F4699693EEECABF351BF8
                                              Thumbprint SHA-1:B3C999E29AED18DEA59733F3CAA94E788B1AC3A1
                                              Thumbprint SHA-256:3E73B7C28C18DC6A03B9816F200365F1DF1FF80A7BD0D55DB920F1B24BBD74E7
                                              Serial:7AE0E9C1CFE2DCE0E21C4327
Instruction (entry-point disassembly, UPX1)
Note: the listing is a 32-bit decoding of 64-bit code. Every stray dec eax / inc eax / inc ecx / inc esi / inc edi is a REX prefix byte (0x40-0x4F) that belongs to the instruction after it, and esi, edi, ebp, ebx stand for rsi, rdi, rbp, rbx. Read that way it is the standard UPX x64 stub: lea rsi, [rip+...] takes the address of the compressed input, and lea rdi, [rsi-0x1A47000] subtracts 0x1a47000, exactly the gap between UPX1 (RVA 0x1a48000) and UPX0 (RVA 0x1000) in the section table, to obtain the unpack destination; the add ebx, ebx / adc ebx, ebx pairs are the bit reader of the decompression loop that fills UPX0 before control transfers to the real entry point.
                                              push ebx
                                              push esi
                                              push edi
                                              push ebp
                                              dec eax
                                              lea esi, dword ptr [FF8C0625h]
                                              dec eax
                                              lea edi, dword ptr [esi-01A47000h]
                                              push edi
                                              xor ebx, ebx
                                              xor ecx, ecx
                                              dec eax
                                              or ebp, FFFFFFFFh
                                              call 00007FC12CC85AA5h
                                              add ebx, ebx
                                              je 00007FC12CC85A54h
                                              rep ret
                                              mov ebx, dword ptr [esi]
                                              dec eax
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              mov dl, byte ptr [esi]
                                              rep ret
                                              dec eax
                                              lea eax, dword ptr [edi+ebp]
                                              cmp ecx, 05h
                                              mov dl, byte ptr [eax]
                                              jbe 00007FC12CC85A73h
                                              dec eax
                                              cmp ebp, FFFFFFFCh
                                              jnbe 00007FC12CC85A6Dh
                                              sub ecx, 04h
                                              mov edx, dword ptr [eax]
                                              dec eax
                                              add eax, 04h
                                              sub ecx, 04h
                                              mov dword ptr [edi], edx
                                              dec eax
                                              lea edi, dword ptr [edi+04h]
                                              jnc 00007FC12CC85A41h
                                              add ecx, 04h
                                              mov dl, byte ptr [eax]
                                              je 00007FC12CC85A62h
                                              dec eax
                                              inc eax
                                              mov byte ptr [edi], dl
                                              sub ecx, 01h
                                              mov dl, byte ptr [eax]
                                              dec eax
                                              lea edi, dword ptr [edi+01h]
                                              jne 00007FC12CC85A42h
                                              rep ret
                                              cld
                                              inc ecx
                                              pop ebx
                                              jmp 00007FC12CC85A5Ah
                                              dec eax
                                              inc esi
                                              mov byte ptr [edi], dl
                                              dec eax
                                              inc edi
                                              mov dl, byte ptr [esi]
                                              add ebx, ebx
                                              jne 00007FC12CC85A5Ch
                                              mov ebx, dword ptr [esi]
                                              dec eax
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              mov dl, byte ptr [esi]
                                              jc 00007FC12CC85A38h
                                              lea eax, dword ptr [ecx+01h]
                                              jmp 00007FC12CC85A59h
                                              dec eax
                                              inc ecx
                                              call ebx
                                              adc eax, eax
                                              inc ecx
                                              call ebx
                                              adc eax, eax
                                              add ebx, ebx
                                              jne 00007FC12CC85A5Ch
                                              mov ebx, dword ptr [esi]
                                              dec eax
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              mov dl, byte ptr [esi]
                                              jnc 00007FC12CC85A36h
                                              sub eax, 03h
                                              jc 00007FC12CC85A6Bh
                                              shl eax, 08h
                                              movzx edx, dl
                                              or eax, edx
                                              dec eax
                                              inc esi
                                              xor eax, FFFFFFFFh
                                              je 00007FC12CC85AAAh
                                              sar eax, 1
Name | Virtual Address | Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x111cc70 | 0x548c | UPX0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x218b338 | 0x8d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2189000 | 0x2338 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x20a8000 | 0x723c0 | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x743400 | 0x2f20 | UPX0 (see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x218bc10 | 0x2c | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2187c40 | 0x28 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2188030 | 0x140 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note: the SECURITY entry holds a file offset, not an RVA, so its "UPX0" attribution is a tool artifact; 0x743400 + 0x2f20 = 0x746320 = 7'627'552 bytes, the file size, i.e. the Authenticode certificate table is appended at the very end of the file. The EXPORT entry points into UPX0, which has no bytes on disk, so that directory is only meaningful once the UPX stub has unpacked the image in memory (or after the file has been unpacked).
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x1a47000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x1a48000 | 0x741000 | 0x740200 | 4c967097f131aff1e1780575ff9d7f14 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2189000 | 0x3000 | 0x2e00 | 0577af4204cd6272d7113f80c4460d0d | False | 0.5467900815217391 | data | 5.88972477976154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Note: UPX0 occupies no bytes on disk (its MD5 is that of empty input); the 0x1a47000-byte region is reserved for the unpacked program. UPX1 holds the compressed payload plus the stub and carries the entry point. Both are mapped readable, writable and executable, which is what lets the stub write the decompressed code into UPX0 and then jump to it.
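The section table above is the classic UPX layout: an empty-on-disk UPX0 that receives the unpacked program, a UPX1 holding the compressed payload and the stub, and an entry point inside UPX1. As an added example (not part of the Joe Sandbox report and not Getscreen.me code), the Python below parses a PE32+ header using only the standard library and applies those header-level checks. The image it parses is a constructed header carrying this report's section values and entry point, so the findings can be reproduced offline without the sample; the thresholds and finding strings are the example's own choices.

```python
import struct

# IMAGE_SCN_* section characteristic flags (PE/COFF specification)
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Read the COFF/optional headers and section table of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x20B:                      # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                    # PE32: BaseOfData at 24, ImageBase at 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):                   # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "raw_size": f[3], "chars": f[9]})
    return {"machine": machine, "magic": magic, "entry_rva": entry_rva,
            "image_base": image_base, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Return the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def packer_indicators(pe: dict) -> list:
    """Header-only heuristics that together point at a UPX-style runtime unpacker."""
    findings = []
    ep = section_for_rva(pe, pe["entry_rva"])
    if ep is None:
        findings.append("entry point lies outside every section")
    elif ep["name"].upper().startswith("UPX"):
        findings.append(f"entry point in packer section {ep['name']}")
    for s in pe["sections"]:
        x = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        w = bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
        # 0x10000 is this example's own threshold for "large enough to hold a program"
        if x and s["raw_size"] == 0 and s["vsize"] >= 0x10000:
            findings.append(f"{s['name']}: empty on disk, {s['vsize']:#x} executable bytes in memory")
        if x and w:
            findings.append(f"{s['name']}: writable and executable")
    return findings


def build_sample_image() -> bytes:
    """Constructed PE32+ header carrying the section table and entry point from the report
    above; the file body is omitted, so this is not the real executable."""
    opt_size = 0xF0                                           # standard PE32+ optional header size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x67178872, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x21879D0)                # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", opt, 24, 0x140000000)              # ImageBase
    table = b""
    for name, vsize, va, raw, chars in (
        (b"UPX0", 0x1A47000, 0x0001000, 0x000000, 0xE0000080),   # uninitialised, R/W/X
        (b"UPX1", 0x0741000, 0x1A48000, 0x740200, 0xE0000040),   # initialised,   R/W/X
        (b".rsrc", 0x0003000, 0x2189000, 0x002E00, 0xC0000040),  # initialised,   R/W
    ):
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    pe = parse_pe(build_sample_image())
    print(f"entry point VA {pe['image_base'] + pe['entry_rva']:#x} "
          f"in {section_for_rva(pe, pe['entry_rva'])['name']}")
    for line in packer_indicators(pe):
        print(" -", line)
```

To run it against a real file, pass open(path, "rb").read() to parse_pe(). The checks deliberately stop at the headers; confirming the packer and recovering the original import table still needs the image unpacked, either by the stub at run time or with a UPX decompressor.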
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x211b9e0 | 0x2 | ASCII text, with no line terminators | Russian | Russia | 5.0
INI | 0x2149d18 | 0xa | data | Russian | Russia | 1.8
LANG | 0x211e920 | 0x21ec | data | Russian | Russia | 0.9705204974666053
LANG | 0x2120b10 | 0x33d9 | data | Russian | Russia | 0.970617042115573
LANG | 0x2123ef0 | 0x2454 | data | Russian | Russia | 0.34720430107526884
LANG | 0x2126348 | 0x25b3 | data | Russian | Russia | 0.9348254066936069
LANG | 0x2128900 | 0x2454 | data | Russian | Russia | 0.9278494623655914
LANG | 0x212ad58 | 0x289b | data | Russian | Russia | 0.9302549302549302
LANG | 0x212d5f8 | 0x252c | data | Russian | Russia | 0.9330601092896175
LANG | 0x212fb28 | 0x1f5f | data | Russian | Russia | 0.9346283152782966
LANG | 0x2131a88 | 0x23ce | data | Russian | Russia | 0.9368317695832424
LANG | 0x2133e58 | 0x242e | DOS executable (COM) | Russian | Russia | 0.9326279421291298
LANG | 0x214ad00 | 0x2499 | data | English | United States | 0.9260326609029779
OPUS | 0x2136288 | 0xa5e5 | data | Russian | Russia | 0.9198003249428995
OPUS | 0x2140870 | 0x94a4 | data | Russian | Russia | 0.9161673499421844
RT_ICON | 0x211b9e8 | 0x139 | data | Russian | Russia | 1.035143769968051
RT_ICON | 0x211bb28 | 0x1ef | data | Russian | Russia | 1.0222222222222221
RT_ICON | 0x211bd18 | 0x225 | data | Russian | Russia | 1.0200364298724955
RT_ICON | 0x211bf40 | 0x26b | data | Russian | Russia | 1.0177705977382876
RT_ICON | 0x211c1b0 | 0x326 | data | Russian | Russia | 1.0024813895781637
RT_ICON | 0x211c4d8 | 0x402 | data | Russian | Russia | 1.010721247563353
RT_ICON | 0x21899e0 | 0x13b | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.034920634920635
RT_ICON | 0x2189b20 | 0x1c5 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0242825607064017
RT_ICON | 0x2189cec | 0x1ee | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0222672064777327
RT_ICON | 0x2189ee0 | 0x253 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0184873949579831
RT_ICON | 0x218a138 | 0x2e7 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0148048452220726
RT_ICON | 0x218a424 | 0x3ad | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0116896918172158
RT_ICON | 0x211d788 | 0x159 | data | Russian | Russia | 1.0318840579710145
RT_ICON | 0x211d8e8 | 0x1e6 | data | Russian | Russia | 1.022633744855967
RT_ICON | 0x211dad0 | 0x1f6 | data | Russian | Russia | 0.99800796812749
RT_ICON | 0x211dcc8 | 0x26d | data | Russian | Russia | 1.0177133655394526
RT_ICON | 0x211df38 | 0x31b | data | Russian | Russia | 1.0138364779874214
RT_ICON | 0x211e258 | 0x3e7 | COM executable for DOS | Russian | Russia | 0.977977977977978
RT_ICON | 0x2149d28 | 0x163 | data | | | 1.0309859154929577
RT_ICON | 0x2149e90 | 0x20d | data | | | 1.020952380952381
RT_ICON | 0x214a0a0 | 0x21b | data | | | 1.0204081632653061
RT_ICON | 0x214a2c0 | 0x282 | data | | | 1.017133956386293
RT_ICON | 0x214a548 | 0x33c | data | | | 0.9963768115942029
RT_ICON | 0x214a888 | 0x413 | data | | | 0.9798657718120806
RT_STRING | 0x214d1a0 | 0x38 | data | Russian | Russia | 1.1964285714285714
RT_GROUP_ICON | 0x218a7d8 | 0x5a | data | Russian | Russia | 0.8
RT_GROUP_ICON | 0x211c8e0 | 0x5a | data | Russian | Russia | 1.1222222222222222
RT_GROUP_ICON | 0x214aca0 | 0x5a | data | | | 1.1222222222222222
RT_GROUP_ICON | 0x211e640 | 0x5a | data | Russian | Russia | 1.1222222222222222
RT_VERSION | 0x218a838 | 0x27c | data | Russian | Russia | 0.4748427672955975
RT_MANIFEST | 0x218aab8 | 0x87f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2115), with CRLF line terminators | English | United States | 0.31264367816091954
Note: the Type column is libmagic output on each resource's raw bytes. "COM executable for DOS" on a 0x3e7-byte RT_ICON and "DOS executable (COM)" on a 0x242e-byte LANG blob are almost certainly weak-signature misfires on binary data (a .COM file has no magic number) rather than embedded programs; extract the two resources before treating them as code. LANG, OPUS and INI are application-defined resource type names, not standard RT_* types. Only the resources at RVA 0x2189xxx/0x218axxx live in the .rsrc section on disk; the rest sit in UPX0/UPX1 address space and were read from the unpacked image.
DLL | Import
ADVAPI32.dll | FreeSid
COMCTL32.dll | ImageList_DrawEx
COMDLG32.dll | PrintDlgW
d3d11.dll | D3D11CreateDevice
dbghelp.dll | SymFromAddr
dxgi.dll | CreateDXGIFactory1
GDI32.dll | LineTo
gdiplus.dll | GdipFree
IMM32.dll | ImmIsIME
IPHLPAPI.DLL | GetIfEntry2
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
MPR.dll | WNetGetConnectionW
msdmo.dll | MoInitMediaType
msi.dll |
NETAPI32.dll | NetUserGetInfo
ntdll.dll | RtlGetVersion
NTDSAPI.dll | DsMakeSpnW
ole32.dll | DoDragDrop
OLEACC.dll | LresultFromObject
OLEAUT32.dll | SafeArrayGetElement
POWRPROF.dll | PowerGetActiveScheme
RPCRT4.dll | UuidEqual
SAS.dll | SendSAS
Secur32.dll | DeleteSecurityContext
SHELL32.dll |
SHLWAPI.dll | PathIsRelativeA
USER32.dll | GetDC
USERENV.dll | CreateEnvironmentBlock
USP10.dll | ScriptPlace
VERSION.dll | VerQueryValueW
WINHTTP.dll | WinHttpOpen
WININET.dll | InternetOpenA
WINMM.dll | waveInOpen
WINSPOOL.DRV |
WS2_32.dll | accept
WTSAPI32.dll | WTSFreeMemory
Note: this is the UPX stub's import table (the import directory sits at RVA 0x218b338 inside .rsrc), not the program's: one named import per DLL so the loader maps every library the original needs, plus the four KERNEL32 functions (LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess) the stub uses to rebuild the real import table in memory after decompression. The Import Hash given above therefore fingerprints the stub's one-per-DLL table and will not match an imphash computed on the unpacked image; the three entries with no function name are most likely imported by ordinal. Even in this reduced form the DLL set (SAS.dll!SendSAS for a programmatic Ctrl+Alt+Del, WTSAPI32 for session handling, d3d11/dxgi for desktop capture, WINMM!waveInOpen for audio input, WS2_32/WINHTTP for transport) is what a remote-desktop agent needs.
Language of compilation system | Country where language is spoken
Russian | Russia
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 05:45:00.933238983 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:00.933275938 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 05:45:00.933497906 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:00.933752060 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:00.933764935 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 05:45:01.593878031 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 05:45:01.596669912 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:01.596693039 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 05:45:01.598100901 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 05:45:01.598160982 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:01.611031055 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:01.611138105 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 05:45:01.612819910 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:01.612835884 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 05:45:01.653475046 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:01.928251982 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 05:45:01.928318977 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 05:45:01.928411007 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:01.940406084 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 05:45:01.940423965 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 05:45:00.898256063 CET | 50293 | 53 | 192.168.2.4 | 1.1.1.1
Jan 6, 2025 05:45:00.906146049 CET | 53 | 50293 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 6, 2025 05:45:00.898256063 CET | 192.168.2.4 | 1.1.1.1 | 0x9875 | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 05:45:00.906146049 CET | 1.1.1.1 | 192.168.2.4 | 0x9875 | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 05:45:00.906146049 CET | 1.1.1.1 | 192.168.2.4 | 0x9875 | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 05:45:00.906146049 CET | 1.1.1.1 | 192.168.2.4 | 0x9875 | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
                                              • getscreen.me
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 78.47.165.25 | 443 | 7640 | C:\Users\user\Desktop\getscreen-524501439.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 04:45:01 UTC | 363 | OUT |
GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
2025-01-06 04:45:01 UTC | 354 | IN |
HTTP/1.1 400 Bad Request
access-control-expose-headers: X-Js-Cache
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
x-js-cache: ff865bcc32999ce12f2e4c6aa33a641b
date: Mon, 06 Jan 2025 04:45:01 GMT
content-length: 12
x-envoy-upstream-service-time: 6
server: lb1.getscreen.me
connection: close
2025-01-06 04:45:01 UTC | 12 | IN |
Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request
Note: the only traffic is one WebSocket opening handshake to getscreen.me/signal/agent over TLS. The Sec-WebSocket-Key (dGhlIHNhbXBsZSBub25jZQ==, base64 of "the sample nonce") and the Sec-WebSocket-Protocol list (chat, superchat) are the literal worked-example values from RFC 6455 section 1.3 rather than a fresh 16-byte nonce and the agent's real subprotocols, so together with the User-Agent string they form a static fingerprint for this agent build. The server answered 400 and closed the connection without saying which field it rejected; the signalling channel therefore never came up in the sandbox, and nothing of the agent's post-handshake behaviour is captured in this report.
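The request above is an RFC 6455 opening handshake. As an added example (mine, not the report's and not Getscreen.me code), the Python below parses that captured request, derives the Sec-WebSocket-Accept value a server would have had to return for it, checks the handshake against the RFC's client rules, and flags the two header values that are copied verbatim from the RFC's own example exchange, which is what makes them usable as a fingerprint in proxy or IDS logs. The GUID, the accept derivation and the 16-byte-nonce rule are from RFC 6455; the finding strings and the audit structure are the example's own.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"      # fixed value from RFC 6455 section 1.3
RFC6455_SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="        # the RFC's worked-example key ("the sample nonce")
RFC6455_SAMPLE_PROTOCOLS = "chat, superchat"          # the RFC's worked-example subprotocol list

# The client request from the report above, re-typed here as test input
CAPTURED_REQUEST = (
    "GET /signal/agent HTTP/1.1\r\n"
    "Host: getscreen.me\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: https://getscreen.me\r\n"
    "Sec-WebSocket-Protocol: chat, superchat\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split an HTTP/1.1 request head into (method, target, version, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def accept_value(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for a key: base64(SHA-1(key + GUID)), RFC 6455 4.2.2."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode("ascii")).digest()).decode("ascii")


def key_is_well_formed(key: str) -> bool:
    """The client key must be the base64 encoding of exactly 16 (randomly chosen) bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except ValueError:                      # binascii.Error is a ValueError subclass
        return False


def audit_handshake(raw: str) -> dict:
    """Check a client opening handshake for RFC 6455 conformance and for canned, fingerprintable values."""
    method, target, version, h = parse_request(raw)
    findings = []
    if method != "GET" or version != "HTTP/1.1":
        findings.append("opening handshake must be an HTTP/1.1 GET")
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in h.get("connection", "").lower():
        findings.append("Upgrade/Connection headers do not request a WebSocket")
    if h.get("sec-websocket-version") != "13":
        findings.append("Sec-WebSocket-Version is not 13")
    key = h.get("sec-websocket-key", "")
    if not key_is_well_formed(key):
        findings.append("Sec-WebSocket-Key is not base64 of a 16-byte nonce")
    if key == RFC6455_SAMPLE_KEY:
        findings.append("Sec-WebSocket-Key is the RFC 6455 example value: static, not a fresh nonce")
    if h.get("sec-websocket-protocol") == RFC6455_SAMPLE_PROTOCOLS:
        findings.append("Sec-WebSocket-Protocol is the RFC 6455 example value")
    return {"target": target, "host": h.get("host", ""), "user_agent": h.get("user-agent", ""),
            "key": key, "expected_accept": accept_value(key), "findings": findings}


if __name__ == "__main__":
    result = audit_handshake(CAPTURED_REQUEST)
    print(f"{result['host']}{result['target']}  UA={result['user_agent']}")
    print("a server accepting this key must answer Sec-WebSocket-Accept:", result["expected_accept"])
    for finding in result["findings"]:
        print(" -", finding)
```

The key is not a security control (it only stops caching intermediaries from replaying a non-WebSocket response), which is why a client can get away with a constant; for detection engineering that constancy is the useful property. The same parse step runs unchanged on a request pulled from a TLS-terminating proxy log.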


Process start times below are the analysis VM's local clock, about five hours behind the UTC timestamps of the HTTP table (packet and DNS timestamps are given in CET).
Target ID:0
                                              Start time:23:44:56
                                              Start date:05/01/2025
                                              Path:C:\Users\user\Desktop\getscreen-524501439.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\getscreen-524501439.exe"
                                              Imagebase:0x7ff7f00e0000
                                              File size:7'627'552 bytes
                                              MD5 hash:00D07884F13526FA6BECBE099A3E0AA0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:23:44:58
                                              Start date:05/01/2025
Path:C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\Getscreen.me\mjzdpzvkpojpjfpkrhiihaxlnhqtrbo-elevate.exe" -elevate \\.\pipe\elevateGS512mjzdpzvkpojpjfpkrhiihaxlnhqtrbo
Note:same size and MD5 as the sample on the desktop, i.e. the agent copies itself into C:\ProgramData\Getscreen.me\ under a random name and relaunches that copy for the elevation step, passing it a named pipe on the command line for the parent/child channel
                                              Imagebase:0x7ff651440000
                                              File size:7'627'552 bytes
                                              MD5 hash:00D07884F13526FA6BECBE099A3E0AA0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:23:44:59
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                                              Imagebase:0x7ff6eef20000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:3
                                              Start time:23:44:59
                                              Start date:05/01/2025
                                              Path:C:\Users\user\Desktop\getscreen-524501439.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97zgzpntwbganyddi -gui
                                              Imagebase:0x7ff7f00e0000
                                              File size:7'627'552 bytes
                                              MD5 hash:00D07884F13526FA6BECBE099A3E0AA0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:4
                                              Start time:23:45:00
                                              Start date:05/01/2025
                                              Path:C:\Users\user\Desktop\getscreen-524501439.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96gkkfxvsnstbbdol -cmem 0000pipe0PCommand96gkkfxvsnstbbdol2chiodsfu2cltpv -child
                                              Imagebase:0x7ff7f00e0000
                                              File size:7'627'552 bytes
                                              MD5 hash:00D07884F13526FA6BECBE099A3E0AA0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:5
                                              Start time:23:45:00
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                              Imagebase:0x7ff6eef20000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              No disassembly