Windows Analysis Report
getscreen-524501439.exe

Overview

General Information

Sample name: getscreen-524501439.exe
Analysis ID: 1584647
MD5: 00d07884f13526fa6becbe099a3e0aa0
SHA1: 227caf73541a654e5ba35b25922bccd63ee507d6
SHA256: fe6b1c9250d666713e5b1ceabcb9c1c5030556ea061bfcb3c8b1d91af45ba0dd

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 62
Range: 0 - 100

Signatures

Queries memory information (via WMI, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample file is different than original file name gathered from version info
Tries to disable installed Antivirus / HIPS / PFW
Yara detected Keylogger Generic

Classification

  • System is w10x64native
  • getscreen-524501439.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\getscreen-524501439.exe" MD5: 00D07884F13526FA6BECBE099A3E0AA0)
    • getscreen-524501439.exe (PID: 2088 cmdline: "C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97bhvmlweiwnrsytn -gui MD5: 00D07884F13526FA6BECBE099A3E0AA0)
    • getscreen-524501439.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96anjinciszinsnvw -cmem 0000pipe0PCommand96anjinciszinsnvw42gz31pcscaz1c1 -child MD5: 00D07884F13526FA6BECBE099A3E0AA0)
  • chskldxthycfjguemdybwvvxbuswlsw-elevate.exe (PID: 5788 cmdline: "C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe" -elevate \\.\pipe\elevateGS512chskldxthycfjguemdybwvvxbuswlsw MD5: 00D07884F13526FA6BECBE099A3E0AA0)
  • svchost.exe (PID: 4728 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup
No configs have been found
Yara match
    Source: Process Memory Space: getscreen-524501439.exe PID: 7428
    Rule: JoeSecurity_Keylogger_Generic
    Description: Yara detected Keylogger Generic
    Author: Joe Security

Sigma match
    Source: Process started
    Author: vburov
    Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 916, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 4728, ProcessName: svchost.exe
    No Suricata rule has matched

    Compliance

    Source: getscreen-524501439.exeStatic PE information: certificate valid
    Source: getscreen-524501439.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: secur32.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C54C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5CDD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5E70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C4896000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5909000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C66C4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemprox.pdbQ source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5A7C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6125000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C30CC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C4890000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6131000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B53000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\kernelbase.pdbY source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\comdlg32.pdbi source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5BF0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsock.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: BaseThreadInitThunkexeWLDP.pdbx-> source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B5F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2F80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5FEC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemprox.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdb.pdbmm source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdbdbgb56 source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5DA0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6727000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5E06000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbb]a source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6600000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B4D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C509E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B65000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6892000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50BB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6119000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C4884000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WindowManagementAPI.pdbpdb9 source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5CD7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6892000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MMDevAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B47000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbbpdbQ6 source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbbg source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2F80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb64.dbg source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5B38000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5909000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5CDD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\TextInputFramework.pdb\* source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exelib.pdb! source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wtsapi32.pdbXq source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: <1top\dll\fwpuclnt.pdbi.pdb source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5A1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WinTypes.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5850000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\winsta.pdb source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B76000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exet.pdb\*Q source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6727000.00000004.00000020.00020000.00000000.sdmp
    Source: Joe Sandbox View | IP Address: 5.75.168.191 5.75.168.191
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected:
        GET /signal/agent HTTP/1.1
        Host: getscreen.me
        Upgrade: websocket
        Connection: Upgrade
        Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
        Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
        Origin: https://getscreen.me
        Sec-WebSocket-Protocol: chat, superchat
        Sec-WebSocket-Version: 13
        User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
    Source: global traffic | DNS traffic detected: DNS query: getscreen.me
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
    Source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/rootr
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://proxy.contoso.com:3128/
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
    Source: getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.g
    Source: getscreen-524501439.exe, 00000005.00000003.61206664794.000001D5F5B03000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.ge
    Source: getscreen-524501439.exe, 00000004.00000002.61229233693.000002E656FF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.ge#
    Source: getscreen-524501439.exe, 00000004.00000002.61229233693.000002E656FF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.ge##
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsa
    Source: getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsc
    Source: getscreen-524501439.exe, 00000004.00000002.61229233693.000002E656FA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscre
    Source: getscreen-524501439.exe, 00000005.00000003.61206912604.000001D5F5B5A000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000005.00000002.61209086167.000001D5F5B3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-policy/
    Source: getscreen-524501439.exe, 00000005.00000003.61208014371.000001D5F5B1A000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000005.00000003.61207912837.000001D5F5B12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/t
    Source: getscreen-524501439.exe, 00000005.00000003.61206912604.000001D5F5B5A000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000005.00000002.61209086167.000001D5F5B3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/terms-of-use/
    Source: getscreen-524501439.exe, 00000004.00000002.61232382846.000002E65D549000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/user-guides/agent/
    Source: getscreen-524501439.exe, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
    Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
    Source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C4A68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NtUserGetRawInputDatamemstr_bebe3a80-9
    Source: Yara match | File source: Process Memory Space: getscreen-524501439.exe PID: 7428, type: MEMORYSTR
    Source: getscreen-524501439.exeStatic PE information: Resource name: LANG type: DOS executable (COM)
    Source: getscreen-524501439.exeStatic PE information: Resource name: RT_ICON type: COM executable for DOS
    Source: chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.drStatic PE information: Resource name: LANG type: DOS executable (COM)
    Source: chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.drStatic PE information: Resource name: RT_ICON type: COM executable for DOS
    Source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6A99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSAMLib.DLLj% vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000000.00000002.61201438323.00007FF718939000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000000.00000000.61140871323.00007FF718939000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C317C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsi.dllX vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000004.00000000.61172017154.00007FF718939000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000004.00000002.61238739760.00007FF718939000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000005.00000002.61214556758.00007FF718939000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exe, 00000005.00000000.61172900717.00007FF718939000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: getscreen-524501439.exeBinary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439.exe
    Source: classification engineClassification label: mal51.evad.winEXE@8/10@1/1
    Source: C:\Users\user\Desktop\getscreen-524501439.exeFile created: C:\Users\user\AppData\Local\Getscreen.meJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439.exeMutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
    Source: C:\Users\user\Desktop\getscreen-524501439.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-524501439.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439.exeFile read: C:\Users\user\Desktop\getscreen-524501439.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe"
    Source: unknownProcess created: C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe "C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe" -elevate \\.\pipe\elevateGS512chskldxthycfjguemdybwvvxbuswlsw
    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    Source: C:\Users\user\Desktop\getscreen-524501439.exeProcess created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97bhvmlweiwnrsytn -gui
    Source: C:\Users\user\Desktop\getscreen-524501439.exeProcess created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96anjinciszinsnvw -cmem 0000pipe0PCommand96anjinciszinsnvw42gz31pcscaz1c1 -child
    Source: C:\Users\user\Desktop\getscreen-524501439.exeProcess created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97bhvmlweiwnrsytn -guiJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96anjinciszinsnvw -cmem 0000pipe0PCommand96anjinciszinsnvw42gz31pcscaz1c1 -childJump to behavior
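The process-creation rows above contain three things worth pulling out of any report of this kind: a helper dropped under C:\ProgramData and started with an -elevate switch plus a named pipe (the switch and pipe name suggest an elevation step; the report does not say more), a "-child" instance whose parent is the svchost.exe hosting the Secondary Logon service (-s seclogon, the service behind CreateProcessWithLogonW and CreateProcessWithTokenW, so the child was started through a runas-style request rather than a plain CreateProcess by its logical parent), and GUI/child instances that coordinate over PCommand pipes. The Python below is an added example, not part of this report or of the Getscreen.me software: it parses rows in the report's own row format into a small process tree and flags those three patterns. The sample rows are constructed from the entries above. Keying parents by image path instead of PID is a simplification of this example; real telemetry must join on PID, because many svchost.exe instances coexist.

```python
import json
import re
from collections import defaultdict

# Constructed input: process-creation rows in the report's format (not a real log).
SAMPLE_EVENTS = r"""
Source: unknown | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe"
Source: unknown | Process created: C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe "C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe" -elevate \\.\pipe\elevateGS512chskldxthycfjguemdybwvvxbuswlsw
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Source: C:\Users\user\Desktop\getscreen-524501439.exe | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97bhvmlweiwnrsytn -gui
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96anjinciszinsnvw -cmem 0000pipe0PCommand96anjinciszinsnvw42gz31pcscaz1c1 -child
"""

# Accepts both "Source: X | Process created: ..." and the fused "Source: XProcess created: ..." form.
ROW_RE = re.compile(r"Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*(?P<image>\S+)\s+(?P<cmdline>.*)")
PIPE_RE = re.compile(r"\\\\\.\\pipe\\([A-Za-z0-9_.-]+)")  # \\.\pipe\<name>


def parse_process_events(text):
    """Turn report rows into dicts: parent image, child image, command line, pipes referenced."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            events.append({
                "parent": m["parent"].strip(),
                "image": m["image"],
                "cmdline": m["cmdline"].strip(),
                "pipes": PIPE_RE.findall(m["cmdline"]),
            })
    return events


def cmdlines_by_image(events):
    """Image path -> command lines it was started with (simplification: real telemetry keys by PID)."""
    by_image = defaultdict(list)
    for e in events:
        by_image[e["image"].lower()].append(e["cmdline"])
    return by_image


def find_seclogon_children(events):
    """Children of an svchost.exe that hosts the Secondary Logon service (-s seclogon).
    That service implements CreateProcessWithLogonW/CreateProcessWithTokenW, so such a child
    was started through a runas-style request, not by a plain CreateProcess from its parent."""
    by_image = cmdlines_by_image(events)
    return [e["cmdline"] for e in events
            if e["parent"].lower().endswith("svchost.exe")
            and any("seclogon" in c for c in by_image.get(e["parent"].lower(), []))]


def find_pipe_ipc(events):
    """Named pipe name -> base names of the processes that take it on their command line."""
    pipes = defaultdict(list)
    for e in events:
        for name in e["pipes"]:
            pipes[name].append(e["image"].rsplit("\\", 1)[-1])
    return dict(pipes)


def find_elevation_helpers(events):
    """Images run with an -elevate switch and a pipe argument: a helper that is handed a
    channel back to the process that launched it (inferred from the switch and pipe names)."""
    return [e["image"] for e in events
            if "-elevate" in e["cmdline"].split() and e["pipes"]]


def summarize(text):
    events = parse_process_events(text)
    return {
        "events": len(events),
        "seclogon_children": find_seclogon_children(events),
        "pipes": find_pipe_ipc(events),
        "elevation_helpers": find_elevation_helpers(events),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
```

On the constructed rows the summary reports one seclogon-spawned child (the "-child" worker), three pipes (the elevate pipe owned by the ProgramData helper, and the two PCommand pipes owned by getscreen instances), and one elevation helper. The seclogon finding is the one to chase in a real investigation: a worker started that way can run under a different token than its visible parent, so the parent/child relationship shown by a plain process tree understates what happened.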
    Source: C:\Users\user\Desktop\getscreen-524501439.exe | Section loaded: d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, edgegdi.dll, umpdc.dll, cryptbase.dll, netutils.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, fwpolicyiomgr.dll, ntmarta.dll, mmdevapi.dll, devobj.dll, avrt.dll, mfwmaaec.dll, audioses.dll, avrt.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coremessaging.dll, propsys.dll, wintypes.dll, coreuicomponents.dll, coreuicomponents.dll, coremessaging.dll, wintypes.dll, twinapi.appcore.dll, coremessaging.dll, twinapi.appcore.dll, winsta.dll, wbemcomn.dll, amsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, ondemandconnroutehelper.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll, samlib.dll, symsrv.dll
    Source: C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe | Section loaded: d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, edgegdi.dll, umpdc.dll, cryptbase.dll, netutils.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll, edgegdi.dll, seclogon.dll, wldp.dll, sspicli.dll, userenv.dll, profapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439.exe | Section loaded: d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, edgegdi.dll, umpdc.dll, cryptbase.dll, netutils.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, ntmarta.dll, d2d1.dll, dwrite.dll, dwmapi.dll, mswsock.dll, dataexchange.dll, dcomp.dll, twinapi.appcore.dll, directmanipulation.dll, resourcepolicyclient.dll, ncrypt.dll, ntasn1.dll, dxcore.dll, windowscodecs.dll, mscms.dll, coloradapterclient.dll, icm32.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, uiautomationcore.dll, propsys.dll, textshaping.dll, msasn1.dll
    Source: C:\Users\user\Desktop\getscreen-524501439.exe | Section loaded: d3d11.dll, dbghelp.dll, dxgi.dll, iphlpapi.dll, mpr.dll, msdmo.dll, msi.dll, netapi32.dll, ntdsapi.dll, oleacc.dll, powrprof.dll, sas.dll, secur32.dll, userenv.dll, usp10.dll, version.dll, winhttp.dll, wininet.dll, winmm.dll, wtsapi32.dll, dxgi.dll, samcli.dll, dsparse.dll, sspicli.dll, edgegdi.dll, umpdc.dll, cryptbase.dll, netutils.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, ntmarta.dll, kernel.appcore.dll, winsta.dll
    Source: C:\Users\user\Desktop\getscreen-524501439.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
    Source: getscreen-524501439.exe | Static PE information: certificate valid
    Source: getscreen-524501439.exe | Static PE information: Image base 0x140000000 > 0x60000000
    Source: getscreen-524501439.exe | Static file information: File size 7627552 > 1048576
    Source: getscreen-524501439.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x740200
    Source: getscreen-524501439.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
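Every static indicator listed above (image base above 0x60000000, a file larger than 1 MiB, a UPX1 section whose raw size is 0x740200, the DllCharacteristics flags, and the invalid checksum flagged in the Signatures list) can be reproduced from the PE headers alone, without executing or even fully loading the file. The Python below is an added example, not part of this report and not Joe Sandbox's own implementation: it parses a PE32+ header with struct only, recomputes the checksum the way imagehlp's CheckSumMappedFile does, and reports the same indicators. Because the 7.6 MB sample is not on this page, the block also constructs a minimal PE32+ skeleton carrying the header values listed above; that skeleton is headers plus a 512-byte stub, not an executable, and its UPX1 raw size points past the end of the data on purpose, since only the header fields are checked.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def pe_checksum(data, checksum_offset):
    """OptionalHeader.CheckSum as CheckSumMappedFile computes it: sum the file as 32-bit
    words with end-around carry, skipping the CheckSum field itself, fold to 16 bits,
    then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def inspect_pe(data):
    """Read the PE32+ headers with struct only and return the indicators the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("this example handles PE32+ (magic 0x20b) only")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    header_checksum = struct.unpack_from("<I", data, opt + 64)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsections):
        name, vsize, _va, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size})
    computed = pe_checksum(data, opt + 64)
    return {
        "file_size": len(data),
        "large_file": len(data) > 0x100000,
        "image_base": image_base,
        "image_base_high": image_base > 0x60000000,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "header_checksum": header_checksum,
        "computed_checksum": computed,
        "checksum_valid": header_checksum == computed,  # an unset (zero) CheckSum is invalid too
        "large_sections": [s["name"] for s in sections if s["raw_size"] > 0x100000],
        "packer_sections": [s["name"] for s in sections if s["name"].upper().startswith("UPX")],
        "sections": sections,
    }


def build_sample_image(checksum=0, dll_chars=0x8160, upx1_raw=0x740200):
    """Constructed PE32+ skeleton with the report's header values (ImageBase 0x140000000,
    UPX0/UPX1 sections, HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE).
    Headers plus a 512-byte stub: not an executable, and not the real sample."""
    file_align = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)  # AMD64, 2 sections, PE32+ opt size
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)           # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 64, checksum)                      # CheckSum
    struct.pack_into("<HH", opt, 68, 2, dll_chars)                 # Subsystem (GUI), DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, 0x400, 0, 0, 0, 0, flags)
        for name, vsize, va, raw, flags in ((b"UPX0", 0x400000, 0x1000, 0, 0xE0000080),
                                             (b"UPX1", upx1_raw, 0x401000, upx1_raw, 0xE0000040)))
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    headers += b"\0" * (-len(headers) % file_align)
    return headers + b"\0" * 0x200


if __name__ == "__main__":
    for key, value in inspect_pe(build_sample_image()).items():
        print(key, value)
```

The checksum check is the one worth keeping in a triage pipeline: a signed binary normally carries a correct CheckSum because the signing tools fill it in, so a mismatch (or a zero field) on a file that otherwise claims to be a release build is cheap to compute and hard for a packer to leave consistent without re-linking.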
    Source: Binary string: fwbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5ECB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exeL.pdbpa source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exep.pdbetDeviC source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B59000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6781000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C508C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B47000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: $.0x1405FE40FipleObjectsExprox.pdbe-; source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exelib.pdbm source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider64.pdbdb source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2F80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5A1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msi.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C5080000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ObjectsEAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50C1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\comdlg32.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TpReleaseCleanupGroupMembersib.pdbO- source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C54C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C57EB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\TextInputFramework.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: i.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6137000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5B96000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\InputHost.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NtDelayExecutiontableClassesi.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C3176000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B7C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B3B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C610D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C57EB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5ECB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5E70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C509E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6886000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48A8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C5098000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exet.pdb\*2Xk source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6AF6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C611F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: :samlib.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C60A3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5BF0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C317C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5A7C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C508C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48A8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B5F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdbe.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C665B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6AF6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernelbase.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B3B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C59C3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50C7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C665B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50C7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdbpdba source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb}6 source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb 61 source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C610D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C3176000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C5098000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C4896000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5964000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C58AD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5850000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B53000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6131000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C488A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6113000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exep.pdb*n source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6BB8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sspicli.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5964000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6787000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C5092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C317C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C5080000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48B4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50BB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6119000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B4D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msdmo.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C5092000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: prox.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\audioses.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\x64\Release\getscreen.pdb source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdbpdb\* source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdbb9 source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C678D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6BB8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6787000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5B38000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C59C3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6125000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\kernel32.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C678D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B65000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6B50000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5E06000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C5086000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C611F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5B96000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\cfgmgr32.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Amsi.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6886000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\exe\getscreen-524501439.pdb] source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C612B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\oleaut32.pdby source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider64.pdbge.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: 32.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: getscreen-524501439.exell32.pdb5- source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C66C4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50C1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C60A3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6781000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5CD7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5F8F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B59000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6137000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exet.pdbegistr7 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48B4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\CoreUIComponents.pdbb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider64.pdb source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6113000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.dllwsock.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5F8F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C5086000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: getscreen-524501439.exelc.pdb[- source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdbbg;A source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2F80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdbb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C4890000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\CoreUIComponents.pdbprofapi.dll source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C30CC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fastprox.pdbbe]A source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C58AD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C489C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: SleepExen-524501439.exeObjectsEAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5FEC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C612B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6A99000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mswsock.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6A99000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6600000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: imm32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C489C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider64.pdbdb26 source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48C5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5DA0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdbge.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdbQ source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\bcryptprimitives.pdb3c} source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2F80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdb.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbdb<F source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2F80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: _samlib.pdbll\samlib.pdbb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C3171000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\kernel32.pdb1 source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\x64\Release\getscreen.pdb source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdbpdb source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C488A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbbg\* source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: c.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TpReleaseCleanupGroupMembersib.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C54C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5CDD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: nsi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5E70000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C4896000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5909000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C66C4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemprox.pdbQ source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5A7C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6125000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: kernel32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C30CC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C4890000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6131000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rpcrt4.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B53000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\kernelbase.pdbY source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\comdlg32.pdbi source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5BF0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsock.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: BaseThreadInitThunkexeWLDP.pdbx-> source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B5F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2F80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5FEC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemprox.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdb.pdbmm source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdbdbgb56 source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5DA0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6727000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dxgi.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5E06000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbb]a source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6600000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B4D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C509E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: user32.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B65000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6892000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C50BB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C6119000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdi32full.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C4884000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WindowManagementAPI.pdbpdb9 source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5CD7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6892000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MMDevAPI.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WLDP.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B47000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbbpdbQ6 source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider64.pdbbg source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2F80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb64.dbg source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5B38000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb0 source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5909000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5CDD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\TextInputFramework.pdb\* source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exelib.pdb! source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wtsapi32.pdbXq source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: <1top\dll\fwpuclnt.pdbi.pdb source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5A1F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WinTypes.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FA7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdb source: getscreen-524501439.exe, 00000000.00000002.61187362196.00000281C2FF7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5850000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\winsta.pdb source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-524501439.exe, 00000000.00000002.61186440792.00000281C2B76000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \Device\HarddiskVolume4\Users\user\Desktop\getscreen-524501439.exet.pdb\*Q source: getscreen-524501439.exe, 00000000.00000002.61190973701.00000281C5520000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-524501439.exe, 00000000.00000002.61188246785.00000281C48A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-524501439.exe, 00000000.00000002.61194551991.00000281C6727000.00000004.00000020.00020000.00000000.sdmp
    Source: chskldxthycfjguemdybwvvxbuswlsw-elevate.exe.0.dr; Static PE information: real checksum: 0x7518c8 should be: 0x74cf19
    Source: getscreen-524501439.exe; Static PE information: real checksum: 0x7518c8 should be: 0x74cf19
    (The two checksum lines are identical because the dropped -elevate.exe carries the same MD5, SHA-1 and SHA-256 as the sample; see the dropped-file details at the end of this page.)
    Source: initial sample; Static PE information: section name: UPX0 (listed twice in the report)
    Source: initial sample; Static PE information: section name: UPX1 (listed twice in the report)
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; File created: C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe (listed twice in the report)
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Process information set: NOOPENFILEERRORBOX (3 occurrences)
    Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (9 occurrences)
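    Both findings above, the checksum mismatch and the UPX0/UPX1 section names, come straight from the PE header and can be reproduced without a sandbox. The following is an added example; it is not code from the report and not Getscreen.me code. It implements the CheckSumMappedFile algorithm in pure Python, lists section names, and runs on a PE32+ stub built inline (build_sample_pe is this example's own construction; only its section names copy the report's). The report does not say which of "real checksum" and "should be" is the header field and which the recomputed value, so verify_checksum returns both. A stale CheckSum on its own is weak evidence: Windows enforces it only for drivers and a few system images, many user-mode binaries ship with it zeroed, and a packer that rewrites the headers commonly leaves it stale.

```python
"""Added example (not from the Joe Sandbox report or from Getscreen.me):
recompute a PE image's header checksum the way CheckSumMappedFile does and
list its section names, so checksum mismatches and UPX packer sections can
be checked on any file.  The PE32+ stub is constructed for this example."""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # names the UPX packer writes
CHECKSUM_OFFSET_IN_OPT = 64                    # same for PE32 and PE32+


def _pe_offsets(data: bytes):
    """Return (e_lfanew, number_of_sections, size_of_optional_header)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew, num_sections, opt_size


def section_names(data: bytes) -> list:
    """Names from the section table (40-byte entries after the optional header)."""
    e_lfanew, num_sections, opt_size = _pe_offsets(data)
    table = e_lfanew + 24 + opt_size
    return [
        data[table + i * 40: table + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
        for i in range(num_sections)
    ]


def looks_upx_packed(data: bytes) -> bool:
    return bool(UPX_SECTION_NAMES & set(section_names(data)))


def checksum_field_offset(data: bytes) -> int:
    return _pe_offsets(data)[0] + 24 + CHECKSUM_OFFSET_IN_OPT


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def compute_checksum(data: bytes) -> int:
    """CheckSumMappedFile: add 32-bit words with end-around carry, skipping
    the CheckSum field itself, fold to 16 bits, then add the file length."""
    skip = checksum_field_offset(data)
    if skip % 4:
        raise ValueError("CheckSum field not 4-byte aligned; unusual e_lfanew")
    padded = data + b"\0" * (-len(data) % 4)   # zero-pad a trailing partial word
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data: bytes):
    """(stored, computed, matches) for a PE image."""
    stored, computed = stored_checksum(data), compute_checksum(data)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Copy of the image with the CheckSum field set to the recomputed value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), compute_checksum(data))
    return bytes(buf)


def build_sample_pe(checksum_field: int) -> bytes:
    """Constructed PE32+ stub (not a runnable program): DOS header, PE
    signature, COFF file header, 240-byte optional header, three section
    headers named like the sample's, and an odd-length body."""
    sections = ["UPX0", "UPX1", ".rsrc"]
    e_lfanew, opt_size = 0x40, 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, CHECKSUM_OFFSET_IN_OPT, checksum_field)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    body = b"UPX!" * 37 + b"\x90"                               # 149 bytes: exercises padding
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body


if __name__ == "__main__":
    sample = build_sample_pe(0x7518C8)          # header value taken from the report
    stored, computed, ok = verify_checksum(sample)
    print("sections:", section_names(sample), "UPX:", looks_upx_packed(sample))
    print(f"stored 0x{stored:x} computed 0x{computed:x} match={ok}")
```

    Point verify_checksum at the bytes of a real file to get the same two numbers the report prints; fix_checksum is there to confirm the algorithm round-trips, not to "repair" a sample before analysis.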

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 8 (listed twice)
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 7 (listed twice)
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True' (listed twice)
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; System information queried: FirmwareTableInformation
    Source: C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe; System information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; System information queried: FirmwareTableInformation (listed twice)
    Source: C:\Users\user\Desktop\getscreen-524501439.exe TID: 6172; Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\getscreen-524501439.exe TID: 8268; Thread sleep count: 205 > 30
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS (listed twice)
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem (listed twice)
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
    Source: getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: VMnet
    Source: getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
    Source: chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61156899812.000001D284383000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
    Source: getscreen-524501439.exe, 00000004.00000002.61230810733.000002E658BE0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000004.00000003.61226158431.000002E658BE0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000004.00000002.61229233693.000002E656FF3000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000004.00000003.61209507578.000002E658BE0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000004.00000003.61225406451.000002E658BE0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
    Source: getscreen-524501439.exe, 00000000.00000002.61185675526.00000281C0ED3000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000005.00000003.61206664794.000001D5F5B03000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    (On the string hits: "VMnet" sits inside a run of WebRTC field-trial names, and the "Hyper-V RAW" strings are followed by %SystemRoot%\system32\mswsock.dll, i.e. they are the Winsock provider catalogue as read from mswsock.dll, not a VM check written by the sample.)
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Process queried: DebugPort
    Source: C:\Windows\System32\svchost.exe; Process created: C:\Users\user\Desktop\getscreen-524501439.exe "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96anjinciszinsnvw -cmem 0000pipe0PCommand96anjinciszinsnvw42gz31pcscaz1c1 -child
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll
    Source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C49D6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: GetProgmanWindow
    Source: getscreen-524501439.exe, 00000000.00000002.61189299603.00000281C49D6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SetProgmanWindow
    Source: C:\Users\user\Desktop\getscreen-524501439.exe; Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
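    The WMI queries in this section are easier to weigh once they are grouped by class. The following is an added example, not part of the Joe Sandbox report and not Getscreen.me code: it parses signature lines in the report's "WMI Queries:" format and separates the classes that the evasion signatures treat as VM indicators from everything else. SAMPLE_LINES reproduce lines from this report; the VM_INDICATOR_CLASSES set and the reasons attached to it are this example's own assumptions about why each class is flagged. Worth keeping in mind when reading the output: every query asks for inventory columns (labels, serial numbers, sizes, MAC addresses), which is also what a remote-access agent collects for its device record, and the analysis ran on a native physical host (see the analysis settings further down), so the query text alone does not separate evasion from inventory.

```python
"""Added example (not from the Joe Sandbox report or from Getscreen.me):
parse 'WMI Queries' signature lines and group them by WMI class."""
import html
import re
from collections import defaultdict

# Classes the report's VM-detection signatures fire on.  The reasons are this
# example's assumptions about why each class is treated as a VM indicator.
VM_INDICATOR_CLASSES = {
    "Win32_PhysicalMemory": "module labels/serials are blank or generic under hypervisors",
    "Win32_DiskDrive": "disk model strings name virtual disks",
    "Win32_NetworkAdapter": "manufacturer and MAC OUI name VMware/VirtualBox/Hyper-V",
    "Win32_LogicalDisk": "volume names/sizes typical of sandbox images",
    "Win32_SoundDevice": "sandboxes often have no audio device at all",
    "Win32_BIOS": "BIOS vendor/version strings name the hypervisor",
    "Win32_ComputerSystem": "model/manufacturer name the hypervisor",
    "Win32_Processor": "CPU name and core count",
}

# Matches the tail of a Joe Sandbox "WMI Queries:" line.
QUERY_RE = re.compile(
    r"IWbemServices::ExecQuery\s*-\s*(?P<ns>\S+)\s*:\s*"
    r"SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<cls>\w+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_query(line):
    """Return namespace, class, column list and WHERE clause, or None when
    the line is not a WMI query signature.  HTML entities (&apos;) are decoded."""
    m = QUERY_RE.search(html.unescape(line))
    if m is None:
        return None
    return {
        "namespace": m.group("ns"),
        "class": m.group("cls"),
        "columns": [c.strip() for c in m.group("cols").split(",")],
        "where": m.group("where"),
    }


def summarize(lines):
    """Per class: how many times it was queried, the union of requested
    columns and the set of WHERE filters seen."""
    summary = defaultdict(lambda: {"count": 0, "columns": set(), "where": set()})
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        entry = summary[q["class"]]
        entry["count"] += 1
        entry["columns"].update(q["columns"])
        if q["where"]:
            entry["where"].add(q["where"])
    return dict(summary)


def vm_indicator_classes(lines):
    """Queried classes that the report's signatures treat as VM detection."""
    return sorted(c for c in summarize(lines) if c in VM_INDICATOR_CLASSES)


def other_classes(lines):
    """Queried classes not covered by the VM-detection signatures."""
    return sorted(c for c in summarize(lines) if c not in VM_INDICATOR_CLASSES)


# Lines copied from the report's evasion section (fused 'exeWMI' included).
PREFIX = ("Source: C:\\Users\\user\\Desktop\\getscreen-524501439.exeWMI Queries: "
          "IWbemServices::ExecQuery - ROOT\\CIMV2 : ")
SAMPLE_LINES = [
    PREFIX + "SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory",
    PREFIX + "SELECT Caption, Size FROM Win32_DiskDrive",
    PREFIX + "SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE",
    PREFIX + "SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = &apos;True&apos;",
    PREFIX + "SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS",
    PREFIX + "SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS",
    PREFIX + "SELECT Caption FROM Win32_SoundDevice",
    PREFIX + "SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor",
    "Source: C:\\Users\\user\\Desktop\\getscreen-524501439.exeProcess queried: DebugPort",
]

if __name__ == "__main__":
    for cls, info in sorted(summarize(SAMPLE_LINES).items()):
        tag = "VM-indicator" if cls in VM_INDICATOR_CLASSES else "other"
        where = f"  WHERE {sorted(info['where'])}" if info["where"] else ""
        print(f"{cls:36} x{info['count']} {tag}: {', '.join(sorted(info['columns']))}{where}")
```

    Feed it the whole signature section of a report and compare the column sets against what the same agent writes to its device record; a query that asks for SerialNumber and MACAddress but never for anything hypervisor-specific (SMBIOS vendor strings, virtual device names) is inventory until the process's later behaviour says otherwise.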
    MITRE ATT&CK Matrix (rendered flat in the original; rebuilt here as one line per tactic, listing only the techniques that carry a signature badge, with the badge value as printed in the report cell; the matrix's unmatched default technique labels are omitted)
    Reconnaissance: none
    Resource Development: none
    Initial Access: none
    Execution: Windows Management Instrumentation (631)
    Persistence: DLL Side-Loading (1)
    Privilege Escalation: Process Injection (12), DLL Side-Loading (1)
    Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (541), Process Injection (12), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
    Credential Access: Input Capture (11)
    Discovery: Security Software Discovery (731), Virtualization/Sandbox Evasion (541), Process Discovery (2), System Information Discovery (132)
    Lateral Movement: none
    Collection: Input Capture (11)
    Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (3)
    Exfiltration: none
    Impact: none
    Source | Detection | Scanner | Label
    getscreen-524501439.exe | 0% | ReversingLabs |
    No Antivirus matches (the report's three further scan tables are empty)
    Source | Detection | Scanner | Label
    https://docs.getscreen.me/en/rules/t | 0% | Avira URL Cloud | safe
    https://docs.g | 0% | Avira URL Cloud | safe
    http://proxy.contoso.com:3128/ | 0% | Avira URL Cloud | safe
    https://docs.getscre | 0% | Avira URL Cloud | safe
    https://docs.ge# | 0% | Avira URL Cloud | safe
    https://docs.getsc | 0% | Avira URL Cloud | safe
    https://docs.getscreen.me/user-guides/agent/ | 0% | Avira URL Cloud | safe
    https://docs.getscreen.me/en/rules/terms-of-use/ | 0% | Avira URL Cloud | safe
    https://docs.ge | 0% | Avira URL Cloud | safe
    http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
    https://docs.getsa | 0% | Avira URL Cloud | safe
    https://docs.ge## | 0% | Avira URL Cloud | safe
    https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | 0% | Avira URL Cloud | safe
    https://docs.getscreen.me/en/rules/privacy-policy/ | 0% | Avira URL Cloud | safe
    (The truncated docs.ge / docs.getsc / docs.getsa entries are partial matches of the docs.getscreen.me URL carved from memory dumps, not distinct destinations.)
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    getscreen.me | 5.75.168.191 | true | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    https://getscreen.me/signal/agent | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://docs.ge | getscreen-524501439.exe, 00000005.00000003.61206664794.000001D5F5B03000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    http://proxy.contoso.com:3128/ | getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscreen.me/user-guides/agent/ | getscreen-524501439.exe, 00000004.00000002.61232382846.000002E65D549000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscre | getscreen-524501439.exe, 00000004.00000002.61229233693.000002E656FA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscreen.me/en/rules/t | getscreen-524501439.exe, 00000005.00000003.61208014371.000001D5F5B1A000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000005.00000003.61207912837.000001D5F5B12000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.ge# | getscreen-524501439.exe, 00000004.00000002.61229233693.000002E656FF3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.winimage.com/zLibDll | getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.g | getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscreen.me/en/rules/terms-of-use/ | getscreen-524501439.exe, 00000005.00000003.61206912604.000001D5F5B5A000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000005.00000002.61209086167.000001D5F5B3F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getsc | getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getsa | getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A4D7C000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF71764C000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
    https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | getscreen-524501439.exe, 00000000.00000002.61196890401.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, chskldxthycfjguemdybwvvxbuswlsw-elevate.exe, 00000002.00000002.61157232270.00007FF7A48E1000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439.exe, 00000004.00000002.61234730167.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439.exe, 00000005.00000002.61209788099.00007FF7171B1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.getscreen.me/en/rules/privacy-policy/ | getscreen-524501439.exe, 00000005.00000003.61206912604.000001D5F5B5A000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439.exe, 00000005.00000002.61209086167.000001D5F5B3F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://docs.ge## | getscreen-524501439.exe, 00000004.00000002.61229233693.000002E656FF3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    5.75.168.191 | getscreen.me | Germany | 24940 | HETZNER-ASDE | false
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1584647
          Start date and time:2025-01-06 05:50:30 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 7m 39s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
    Run name:Suspected VM Detection
    (The run was repeated on a native physical machine because VM detection was suspected; the WMI inventory queries and FirmwareTableInformation lookups listed above were therefore issued on real hardware, i.e. they are not conditional on a hypervisor being present.)
    Number of new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:getscreen-524501439.exe
          Detection:MAL
          Classification:mal51.evad.winEXE@8/10@1/1
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe
          • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
    Time | Type | Description
    23:52:41 | API Interceptor | 1x Sleep call for process: getscreen-524501439.exe modified
    Match: 5.75.168.191 (IP)
    Associated Sample Name / URL | Detection | Threat Name | Context
    getscreen-227149269.exe | malicious | Unknown |
    getscreen-227149269.exe | malicious | Unknown |
    getscreen-669912037.exe | malicious | Unknown |
    getscreen-669912037.exe | malicious | Unknown |
    getscreen-456311346-x86.exe | malicious | Unknown |
    getscreen-456311346-x86.exe | malicious | Unknown |
    getscreen-941605629-x86.exe | malicious | Unknown |
    getscreen-941605629.exe | malicious | Unknown |
    getscreen-469829524.exe | malicious | Unknown |
    getscreen-469829524.exe | malicious | Unknown |
    Match: getscreen.me (domain)
    Associated Sample Name / URL | Detection | Threat Name | Context (IP)
    getscreen-868841125.exe | malicious | Unknown | 78.47.165.25
    getscreen-868841125.exe | malicious | Unknown | 51.89.95.37
    getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
    getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
    getscreen-669912037.exe | malicious | Unknown | 51.89.95.37
    getscreen-120727697-x86.exe | malicious | Unknown | 51.89.95.37
    getscreen-669912037.exe | malicious | Unknown | 5.75.168.191
    getscreen-456311346-x86.exe | malicious | Unknown | 78.47.165.25
    getscreen-456311346-x86.exe | malicious | Unknown | 5.75.168.191
    Match: HETZNER-ASDE (ASN)
    Associated Sample Name / URL | Detection | Threat Name | Context (IP)
    ny9LDJr6pA.exe | malicious | Quasar | 195.201.57.90
    2.elf | malicious | Unknown | 213.133.114.151
    ZT0KQ1PC.exe | malicious | PureLog Stealer, Vidar | 116.203.13.109
    cZO.exe | malicious | Unknown | 128.140.43.40
    jaTDEkWCbs.exe | malicious | Quasar | 195.201.57.90
    NpHauDPoR8.exe | malicious | Unknown | 88.198.29.97
    armv6l.elf | malicious | Mirai | 85.10.220.49
    1.elf | malicious | Unknown | 138.201.212.111
    RisingStrip.exe | malicious | Vidar | 116.203.13.109
    No context (the remaining two context tables are empty)
    (The SHA 256 and Link columns of these tables held only "Get hash" and "Browse" links and are dropped. Every sample previously seen on this IP and domain is itself a getscreen-*.exe build with threat name Unknown, whereas the ASN table lists unrelated Hetzner-hosted samples (Quasar, Vidar, Mirai) that share only the hosting provider; the "IP address seen in connection with other malware" signature should be read with that in mind.)
                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):7627552
                              Entropy (8bit):7.94390849717838
                              Encrypted:false
                              SSDEEP:98304:qT0vaR0C912Is4uDTlWDxqi/S/YMUXhoXueFkEu1WefOo6CMCFiATJsqI:c0sN4P3nixx/kYMUxaue+EuwcwCRM
                              MD5:00D07884F13526FA6BECBE099A3E0AA0
                              SHA1:227CAF73541A654E5BA35B25922BCCD63EE507D6
                              SHA-256:FE6B1C9250D666713E5B1CEABCB9C1C5030556EA061BFCB3C8B1D91AF45BA0DD
                              SHA-512:0DDC6D1A458C5E762D9A1A58D7B6BDBE6A9B7C1AFAF390F0B7535A1B65B04F8433684D3E993D9959717C4FDC1D057D7A03C2EDA5CD47BA8E3CA8809FD06E5900
                              Malicious:true
                              Reputation:low
                              Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......n.\g*t24*t24*t24a.15.t24...4"t24..65>t24>.65.t24*t24.s24a.55+t24..15$t24..75St24a.75.t24a.65~t24a.45(t24a.35gt24*t34.w249.;5.v249.25+t249..4+t24*t.4+t249.05+t24Rich*t24........................PE..d...r..g.........."....(..t..0...p...y.........@......................................u...`.........................................p....T..8...........8#.......#...4t. /......,...........................@|..(...0...@...........................................UPX0.....p..............................UPX1......t.......t.................@....rsrc....0............t.............@..............................................................................................................................................................................................................................................................................................4.22.UPX!.$..
                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview:[ZoneTransfer]....ZoneId=0
                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                              File Type:ASCII text
                              Category:modified
                              Size (bytes):17513
                              Entropy (8bit):5.452027522123491
                              Encrypted:false
                              SSDEEP:384:fumhBNoS+ZMywXE3yKt5R3yKtayKtXHZ3yKt03yKtwyKt1HNHwMywXLMywX9Mywl:HBG0RxKvB0nL
                              MD5:40CFFFD0ECA5B7CC3260E842FFB2915F
                              SHA1:361053BF87B433887004AA0A2198CEDF757A0EA1
                              SHA-256:0ED61D5948006128807A5D8AE278A66CF16C17404B3C7ED14A35816FDEEDD3D4
                              SHA-512:E69D216C4B510BE80F3EA2F53FBA59DC6CF8A4D0C798B20D2D455011FCC5006661FCA1F45FF25DD0C015298BDE8CBBD06A869349CF46412D829D5F4580DCBC3A
                              Malicious:false
                              Preview:Filename.: getscreen-524501439.exe-f38de47d17d463f249eb446b803da1cf4d604835.crash.SHA1..: f38de47d17d463f249eb446b803da1cf4d604835.Time..: 2025.1.6 4:53.Program..: Getscreen.me.Version..: 3.1.5.OS...: Windows 10 build 19042, x64.BIOS..: .Explorer.: 11.789.19041.0.Processors.: 0 x .Video..: .Computer.: .Memory..: 13 free of 15 Gb.Handles..: 430.Image Base.: 0x140000000..Exception.: 0xC0000005 at 0x00007FF716DA47BC (getscreen-524501439.exe.$0x5F47BC)..Modules...: C:\Users\user\Desktop\getscreen-524501439.exe (3.1.5.0)...: C:\Windows\SYSTEM32\ntdll.dll (10.0.19041.1110)...: C:\Windows\System32\KERNEL32.DLL (10.0.19041.1151)...: C:\Windows\System32\KERNELBASE.dll (10.0.19041.1151)...: C:\Windows\System32\ADVAPI32.dll (10.0.19041.1052)...: C:\Windows\System32\msvcrt.dll (7.0.19041.546)...: C:\Windows\System32\sechost.dll (10.0.19041.906)...: C:\Windows\System32\RPCRT4.dll (10.0.19041.1081)...: C:\Windows\System32\COMDLG32.dll (10.0.19041.906)...: C:\Windows\System32\combase.dll (10.0.1904
                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):5.875
                              Encrypted:false
                              SSDEEP:3:BvefC4L6IOM+C8uzP:AqjRJuj
                              MD5:E3CE4E5565A96E7DAF343BC7F5A05880
                              SHA1:7D839EAA209DAED28D28E735172ACB12822039DF
                              SHA-256:50F47D6602920E7CF05BE4BE726373EF2D72914FB8F072651BA63E6F10E41325
                              SHA-512:F45CBE9BEF412C22890BAF6011E504F5F2A04E3D87A6E1F8C25908642377B2F310A8D7D4FA642863B2362DBF5C433F246738FF730BBAE65BBE85FA9EB3FE0C4D
                              Malicious:false
                              Preview:...J.+.q....:.O..-.).BN.g]..h.....,.6.<.....2.@\.%.+.#.K.jK..
                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):912
                              Entropy (8bit):4.961772359954399
                              Encrypted:false
                              SSDEEP:12:HFNuxaFpHX8zA7S1CXfjwX8zA7S1CXfjw7pX8zA7S1CXfjwm1KAkN1Fs31NDBNFe:TXp38zA7188zA71O8zA71PgAsHsD0be+
                              MD5:65E4E02743AC6BCC66372BA54EB54D2D
                              SHA1:60E4C0F8C13C97FB3CB4CDC5BAEEFE900314ACB2
                              SHA-256:4DCA0949E47262A2A913940BFD000BF2FCADFA99D5C3A5A90DA129B23DE81D64
                              SHA-512:91ED42F696B7642E2FFD2D25488A8ED09CB5992846F12B90E2A078346D90C713D7E2987B9B284CB61AF9E923B1906453A1B4D9AE74BA9198AFE6038C93D65466
                              Malicious:false
                              Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..04:52:41.474.WARNING.Mouse relative mode disabled..04:52:41.497.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1080-0:1920 desktop: 0:1080-0:1920..04:52:41.497.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1080-0:1920 desktop: 0:1080-0:1920..04:52:41.497.INFO.BlackScreen initialized..04:52:41.497.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1080-0:1920 desktop: 0:1080-0:1920..04:52:41.497.INFO.Capture select monitor '\\.\DISPLAY1'..04:52:41.551.INFO.Capture set frame rate to 30..04:52:41.551.INFO.Child frame mark off..04:52:41.551.INFO.FrameMark hide frame..04:52:44.732.INFO.Opus compress stop..04:52:44.732.INFO.Capture capture stopped..04:52:44.738.INFO.Child get stop message..
                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2956
                              Entropy (8bit):4.8314896510747305
                              Encrypted:false
                              SSDEEP:24:TQ/CUq0natkBv/TrCNaoW6VKOB83CwBSCvOC5r3m:TQ/CzSay1eNa+b+3VYkOe3m
                              MD5:6D2B66805F1D9902A387F4914CBE16E7
                              SHA1:AAB1C6497860B36D5C8618C24EAF1DB9F1C995A6
                              SHA-256:38DFBBE357C04136BCE67C718F83C23E809F0B324802096BB0B45E60698E4B77
                              SHA-512:386ED2EDD6ADB10E19B323FD8B18C9B6A586787C18CB605DC0048B2BBA071D168EDF483F8DD17F5D7192C9ABF5E114701CD42C132AC6EF145CEAD71BCB4F25C4
                              Malicious:false
                              Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..04:52:41.417.INFO.Gui GUI started..04:52:41.483.INFO.Gui load data: 'this://app/main-turbo.htm'..04:52:41.499.INFO.Gui load data: 'this://app/common/zepto.min.js'..04:52:41.503.INFO.Gui load data: 'this://app/common/sciter.js'..04:52:41.507.INFO.Gui load data: 'this://app/ico/favicon.ico'..04:52:41.533.INFO.Gui document ready..04:52:41.552.INFO.Gui load data: 'this://app/lang/en.json'..04:52:41.561.INFO.Gui send event event-application-status: {"value":"connecting"}'..04:52:41.564.INFO.Gui send event event-install-status: {"value":false}'..04:52:41.592.INFO.Gui send event event-domain: {"value":""}'..04:52:41.592.INFO.Gui send event event-fastaccess-url: {"value":""}'..04:52:41.592.INFO.Gui send event event-fastaccess-code: {"value":""}'..04:52:41.592.INFO.Gui send eve
                              Process:C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):2597
                              Entropy (8bit):5.116865135821532
                              Encrypted:false
                              SSDEEP:48:TZsHOrnZF0W9vT/sJIdpJIj2mMONacNIP8VeYAZPYcGEd6VRcNIP+llf:VZ/h0MTkeYAZPYcGnRullf
                              MD5:B8F4CBC712EA9C0BC9CCC8C5CC6AB1D0
                              SHA1:720E5DF5194E5722AE36B682F16DB878D446A857
                              SHA-256:DD8D6FFB4CC29CF4D5B66F4A5B85E78CDB79AF0FD7DA20E8C3E61F3022D34EE5
                              SHA-512:4382263ADF0941B943E50EBC42A9AD8C1D6718527F50700F79FDF5A72923F000A5D6497B20AB7063399649FCDA5C97D61029E03415B9BC809C9196D99DDDA0D4
                              Malicious:false
                              Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..04:52:38.492.INFO.Server start server run....04:52:38.492.INFO.Start Getscreen.me v 3.1.5 build 228 revision 0..04:52:39.124.ERROR.Service service 'GetscreenSV' not found..04:52:39.380.INFO.Service service 'GetscreenSV' installed..04:52:39.733.INFO.Service service 'GetscreenSV' start success..04:52:39.738.INFO.Service get control message 1..04:52:39.746.INFO.Capture capture stopped..04:52:39.750.INFO.FrameMark hide frame..04:52:40.257.INFO.Service service 'GetscreenSV' stop [0] (0)..04:52:40.760.INFO.Service service 'GetscreenSV' removed..04:52:40.776.INFO.Child success get system token..04:52:40.777.INFO.Child start child process simply..04:52:40.778.INFO.Shared remove shared memory 0000pipe0PCommand96anjinciszinsnvw42gz31pcscaz1c1..04:52:40.778.INFO.Shared create shared memory 0000pipe0PCommand96anjinci
                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):16777520
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3::
                              MD5:76E060E929A27A8F50A5EA6EDFC52356
                              SHA1:91B7BC99D759D84720B376F69BC934D75D9EC549
                              SHA-256:95F95F6678AD42DE249FE02F78472B553837B1E2AECD2F43B5715FAE9187FEAE
                              SHA-512:F1A361F28A87B18B8B5707BD3332E751EE30DFC5C9A32A4BBC39B7E8D5AC34385E96B49546003741A797C1A8E53537A91D5345DFCB1707BC65A483D458FD38FE
                              Malicious:false
                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7560
                              Entropy (8bit):7.859787603525871
                              Encrypted:false
                              SSDEEP:192:Qv1k1pQmu8RT80lZLGXs3kY2EH+pBWbsZDHHemlA+:QvOV1p8TYB+6bsZDHHeMd
                              MD5:20C55A679111FCBC440C4A2B91FB5E7E
                              SHA1:016A691E4EE49FE2A568DF3399C2ABCD05A6217C
                              SHA-256:FF68FE3500B3D86F478B6E99CE6D3C3B174A48BBFDFFD759A384315120E183A4
                              SHA-512:0B1D243EE9615469E36D329ADDC6ED79FB9AE2E1556724F3ED1C4898313777875D3AC312469BA801D15FC9F3ADB247EE5089ECECAD5C63C2A7E4C138A6BB3397
                              Malicious:false
                              Preview:INSC.>.....Mar222021151921"......!..;T.0.g..`5..S...m....+....+7.....................l...Qx.hx.c`@......010...#...`4..c.\..s........K@....Q....L...01...RD.....b.~...=..........\...0......?z!......!C............81Eod0....`...a..u.=....o....Q...|..Y&..zF.FnF..r..]..`..&.................C.Z..]'.Q_...........j....A|).R0U..Nf.......[u>......w...i..hs....(cI.....................GC..` .x..SAJ.@..IL.Z.XA\..#% tc..w.U..B..5K7B{...#...G.Fp%...ef..BK.B....._...n..-}m6.....&..|0Q1..D..&...`....&..-0....8..............%.-C.D....s.P.8....lI...<s.9.\...&G..7e.........m......[.|(..q"...1%m..X:.d.+7...n..v.'.Y\..U..&.3U<.......>.gh.Y..J......z.Eo.!..n2..=.zT.z\...<H........?.......coR...^..&......Xe..h.H..g...,.,.t...m..p...c......M..Q..K ..[b....gV./^>..[.......r.A?4m........D................?.......x.c`@..I3..010...#...........|gA.....q.P^.a.....)...h.......F..A...0..*i.>..f.fP`/e........B..Ah.f.........B...E..+00\.......#C.....z..z..;F.d0`..x...h.+.q..$o.@..+{.
                              Process:C:\Users\user\Desktop\getscreen-524501439.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):5.90625
                              Encrypted:false
                              SSDEEP:3:BvefC4L6IOMpFl8g:AqjROFz
                              MD5:312705157A389515916219FE975E83D6
                              SHA1:03D1A8BD2FFB313F8D840B023E2259CB476D5B17
                              SHA-256:D538CD3FD1B848D3506BCAD79560ED995AE5D71E7C11ED6966C92D8533F9E064
                              SHA-512:F9A4BFD0345ED9020C59470E8B41E78E2329AFB83B415D1E7AF2CD6933844B5B2BA0D2933920ED37C7200BF73B5C5FB6D6F667A246C9D91B22853A690E94BD6D
                              Malicious:false
                              Preview:...J.+.q....:.O..-.).BN.g]..h.....,.6.<.....2.8UO..u.C/.A{;
                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                              Entropy (8bit):7.94390849717838
                              TrID:
                              • Win64 Executable GUI (202006/5) 81.26%
                              • UPX compressed Win32 Executable (30571/9) 12.30%
                              • Win64 Executable (generic) (12005/4) 4.83%
                              • Generic Win/DOS Executable (2004/3) 0.81%
                              • DOS Executable Generic (2002/1) 0.81%
                              File name:getscreen-524501439.exe
                              File size:7'627'552 bytes
                              MD5:00d07884f13526fa6becbe099a3e0aa0
                              SHA1:227caf73541a654e5ba35b25922bccd63ee507d6
                              SHA256:fe6b1c9250d666713e5b1ceabcb9c1c5030556ea061bfcb3c8b1d91af45ba0dd
                              SHA512:0ddc6d1a458c5e762d9a1a58d7b6bdbe6a9b7c1afaf390f0b7535a1b65b04f8433684d3e993d9959717c4fdc1d057d7a03c2eda5cd47ba8e3ca8809fd06e5900
                              SSDEEP:98304:qT0vaR0C912Is4uDTlWDxqi/S/YMUXhoXueFkEu1WefOo6CMCFiATJsqI:c0sN4P3nixx/kYMUxaue+EuwcwCRM
                              TLSH:4A76337A944E146DC6738276AE541E932E0B930DA4435AE8D68C9B9F1374EF00FE7387
                              File Content Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......n.\g*t24*t24*t24a.15.t24...4"t24..65>t24>.65.t24*t24.s24a.55+t24..15$t24..75St24a.75.t24a.65~t24a.45(t24a.35gt24*t34.w249.;5.v2
                              Icon Hash:418c6963696c9643
                              Entrypoint:0x1421879d0
                              Entrypoint Section:UPX1
                              Digitally signed:true
                              Imagebase:0x140000000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x67178872 [Tue Oct 22 11:11:46 2024 UTC]
                              TLS Callbacks:0x42187c18, 0x1
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:7c27dce4bef0d003a570ce3109e1f949
                              Signature Valid:true
                              Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                              Signature Validation Error:The operation completed successfully
                              Error Number:0
                              Not Before, Not After
                              • 28/05/2024 15:50:28 28/06/2026 16:36:10
                              Subject Chain
                              • CN=POINT B LTD, O=POINT B LTD, L=Limassol, S=Limassol, C=CY, OID.1.3.6.1.4.1.311.60.2.1.3=CY, SERIALNUMBER=HE 430957, OID.2.5.4.15=Private Organization
                              Version:3
                              Thumbprint MD5:9B083870477F4699693EEECABF351BF8
                              Thumbprint SHA-1:B3C999E29AED18DEA59733F3CAA94E788B1AC3A1
                              Thumbprint SHA-256:3E73B7C28C18DC6A03B9816F200365F1DF1FF80A7BD0D55DB920F1B24BBD74E7
                              Serial:7AE0E9C1CFE2DCE0E21C4327
                              Instruction
                              push ebx
                              push esi
                              push edi
                              push ebp
                              dec eax
                              lea esi, dword ptr [FF8C0625h]
                              dec eax
                              lea edi, dword ptr [esi-01A47000h]
                              push edi
                              xor ebx, ebx
                              xor ecx, ecx
                              dec eax
                              or ebp, FFFFFFFFh
                              call 00007F81350A7BC5h
                              add ebx, ebx
                              je 00007F81350A7B74h
                              rep ret
                              mov ebx, dword ptr [esi]
                              dec eax
                              sub esi, FFFFFFFCh
                              adc ebx, ebx
                              mov dl, byte ptr [esi]
                              rep ret
                              dec eax
                              lea eax, dword ptr [edi+ebp]
                              cmp ecx, 05h
                              mov dl, byte ptr [eax]
                              jbe 00007F81350A7B93h
                              dec eax
                              cmp ebp, FFFFFFFCh
                              jnbe 00007F81350A7B8Dh
                              sub ecx, 04h
                              mov edx, dword ptr [eax]
                              dec eax
                              add eax, 04h
                              sub ecx, 04h
                              mov dword ptr [edi], edx
                              dec eax
                              lea edi, dword ptr [edi+04h]
                              jnc 00007F81350A7B61h
                              add ecx, 04h
                              mov dl, byte ptr [eax]
                              je 00007F81350A7B82h
                              dec eax
                              inc eax
                              mov byte ptr [edi], dl
                              sub ecx, 01h
                              mov dl, byte ptr [eax]
                              dec eax
                              lea edi, dword ptr [edi+01h]
                              jne 00007F81350A7B62h
                              rep ret
                              cld
                              inc ecx
                              pop ebx
                              jmp 00007F81350A7B7Ah
                              dec eax
                              inc esi
                              mov byte ptr [edi], dl
                              dec eax
                              inc edi
                              mov dl, byte ptr [esi]
                              add ebx, ebx
                              jne 00007F81350A7B7Ch
                              mov ebx, dword ptr [esi]
                              dec eax
                              sub esi, FFFFFFFCh
                              adc ebx, ebx
                              mov dl, byte ptr [esi]
                              jc 00007F81350A7B58h
                              lea eax, dword ptr [ecx+01h]
                              jmp 00007F81350A7B79h
                              dec eax
                              inc ecx
                              call ebx
                              adc eax, eax
                              inc ecx
                              call ebx
                              adc eax, eax
                              add ebx, ebx
                              jne 00007F81350A7B7Ch
                              mov ebx, dword ptr [esi]
                              dec eax
                              sub esi, FFFFFFFCh
                              adc ebx, ebx
                              mov dl, byte ptr [esi]
                              jnc 00007F81350A7B56h
                              sub eax, 03h
                              jc 00007F81350A7B8Bh
                              shl eax, 08h
                              movzx edx, dl
                              or eax, edx
                              dec eax
                              inc esi
                              xor eax, FFFFFFFFh
                              je 00007F81350A7BCAh
                              sar eax, 1
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x111cc70 | 0x548c | UPX0
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x218b338 | 0x8d8 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2189000 | 0x2338 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x20a8000 | 0x723c0 | UPX1
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x743400 | 0x2f20 | UPX0 (the report maps this value as an RVA; in the PE format the certificate table entry is a file offset, and 0x743400 + 0x2f20 equals the 7'627'552-byte file size)
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x218bc10 | 0x2c | .rsrc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x2187c40 | 0x28 | UPX1
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2188030 | 0x140 | UPX1
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               UPX0 | 0x1000 | 0x1a47000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               UPX1 | 0x1a48000 | 0x741000 | 0x740200 | 4c967097f131aff1e1780575ff9d7f14 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rsrc | 0x2189000 | 0x3000 | 0x2e00 | 0577af4204cd6272d7113f80c4460d0d | False | 0.5467900815217391 | data | 5.88972477976154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
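A worked check on the static values above, added here as an editor's example; it is not output of Joe Sandbox and not code from Getscreen.me. It re-enters the section table, the non-empty data directories, the entrypoint and the image base as Python constants and verifies what a reverser would otherwise eyeball: the entrypoint lies in UPX1; UPX0 is an RWX section with no raw data, i.e. the unpack target, so the export directory that points into it exists only after unpacking; the Authenticode blob ends exactly at the end of the file; and the two `lea` instructions at the entrypoint resolve to UPX1 (source) and UPX0 (destination). Two inputs are assumptions rather than report values: SizeOfHeaders (taken as 0x400, since PointerToRawData is not listed) and the 64-bit reading of the stub (the report disassembles the x86-64 entry with a 32-bit decoder, so each `dec eax` is really a REX.W prefix and `lea esi, dword ptr [FF8C0625h]` is the 7-byte RIP-relative `lea rsi`). It also recovers the module's actual ASLR load base from the crash record's exception address, reading the `$0x5F47BC` suffix as an offset from the module base. One related caveat for the import table further down: four KERNEL32 imports (LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect) plus one function per other DLL is the UPX stub's import table, so the reported import hash identifies the packer rather than the program.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Header values copied from the report
IMAGE_BASE = 0x140000000
ENTRYPOINT_VA = 0x1421879d0
FILE_SIZE = 7_627_552            # "File size:7'627'552 bytes"
SIZE_OF_HEADERS = 0x400          # ASSUMPTION: not in the report; usual for 0x200 file alignment

# Crash record: "Exception: 0xC0000005 at 0x00007FF716DA47BC (getscreen-524501439.exe.$0x5F47BC)"
CRASH_ADDRESS = 0x00007FF716DA47BC
CRASH_MODULE_OFFSET = 0x5F47BC   # ASSUMPTION: "$0x..." read as an offset from the module base

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass(frozen=True)
class Section:
    name: str
    va: int        # VirtualAddress (RVA)
    vsize: int     # VirtualSize
    raw_size: int  # SizeOfRawData
    flags: int     # Characteristics

    def contains_rva(self, rva: int) -> bool:
        return self.va <= rva < self.va + self.vsize


# Section table as reported
SECTIONS: List[Section] = [
    Section("UPX0", 0x1000, 0x1a47000, 0x0,
            IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
            | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    Section("UPX1", 0x1a48000, 0x741000, 0x740200,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
            | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    Section(".rsrc", 0x2189000, 0x3000, 0x2e00,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

# Non-empty data directories as reported: (value, size). SECURITY holds a file offset, not an RVA.
DATA_DIRS: Dict[str, Tuple[int, int]] = {
    "EXPORT": (0x111cc70, 0x548c), "IMPORT": (0x218b338, 0x8d8),
    "RESOURCE": (0x2189000, 0x2338), "EXCEPTION": (0x20a8000, 0x723c0),
    "SECURITY": (0x743400, 0x2f20), "BASERELOC": (0x218bc10, 0x2c),
    "TLS": (0x2187c40, 0x28), "LOAD_CONFIG": (0x2188030, 0x140),
}


def rva_to_section(rva: int, sections: List[Section] = SECTIONS) -> Optional[Section]:
    """Return the section whose virtual range covers the RVA, or None."""
    return next((s for s in sections if s.contains_rva(rva)), None)


def entry_section(sections: List[Section] = SECTIONS) -> Optional[Section]:
    return rva_to_section(ENTRYPOINT_VA - IMAGE_BASE, sections)


def raw_layout(sections: List[Section] = SECTIONS,
               headers: int = SIZE_OF_HEADERS) -> Dict[str, Tuple[int, int]]:
    """File ranges of the sections, assuming they follow the headers back to back
    (PointerToRawData is not in the report). Sections with no raw data occupy nothing."""
    layout: Dict[str, Tuple[int, int]] = {}
    offset = headers
    for s in sections:
        if s.raw_size:
            layout[s.name] = (offset, offset + s.raw_size)
            offset += s.raw_size
    layout["<end>"] = (offset, offset)
    return layout


def signature_is_trailing() -> bool:
    """Authenticode data must be the last bytes of the file: offset + size == file size."""
    offset, size = DATA_DIRS["SECURITY"]
    return offset + size == FILE_SIZE


def upx_indicators(sections: List[Section] = SECTIONS) -> List[str]:
    """Cheap structural hints that the image is UPX-packed."""
    hints: List[str] = []
    ep = entry_section(sections)
    if ep is not None and ep.name.startswith("UPX"):
        hints.append(f"entrypoint in {ep.name}")
    for s in sections:
        if s.raw_size == 0 and s.flags & IMAGE_SCN_MEM_EXECUTE and s.flags & IMAGE_SCN_MEM_WRITE:
            hints.append(f"{s.name}: RWX with no raw data (unpack target)")
    exp = rva_to_section(DATA_DIRS["EXPORT"][0], sections)
    if exp is not None and exp.raw_size == 0:
        hints.append(f"export directory points into {exp.name}, which has no raw data")
    return hints


def upx_stub_targets() -> Tuple[int, int]:
    """Resolve the two lea instructions at the entrypoint as 64-bit code: four 1-byte
    pushes, then `48 8D 35 <disp32>` (lea rsi, [rip+disp], 7 bytes), then
    `lea rdi, [rsi-0x1A47000]`. The report shows each 0x48 prefix byte as `dec eax`."""
    entry_rva = ENTRYPOINT_VA - IMAGE_BASE
    next_ip = entry_rva + 4 + 7
    disp = 0xFF8C0625 - (1 << 32)    # sign-extended disp32 from the report
    rsi = next_ip + disp             # source: start of the compressed UPX1 data
    rdi = rsi - 0x1A47000            # destination: start of UPX0
    return rsi, rdi


def crash_site() -> Tuple[int, Optional[str]]:
    """Actual ASLR load base of the module and the section holding the faulting RVA."""
    base = CRASH_ADDRESS - CRASH_MODULE_OFFSET
    sec = rva_to_section(CRASH_MODULE_OFFSET)
    return base, (sec.name if sec is not None else None)


if __name__ == "__main__":
    print("entrypoint section:", entry_section().name, "| hints:", upx_indicators())
    print("raw layout:", {k: (hex(a), hex(b)) for k, (a, b) in raw_layout().items()})
    print("signature ends at EOF:", signature_is_trailing())
    rsi, rdi = upx_stub_targets()
    print(f"stub unpacks {rsi:#x} ({rva_to_section(rsi).name}) -> {rdi:#x} ({rva_to_section(rdi).name})")
    print("crash: base %#x, fault in %s" % crash_site())
```

The derived file layout (headers 0x400, UPX1 0x400..0x740600, .rsrc 0x740600..0x743400) lands exactly on the reported security-directory offset 0x743400, which is the consistency check that the SizeOfHeaders assumption is right for this file; the fault offset 0x5F47BC falls in UPX0, i.e. in unpacked program code rather than in the stub.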
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               AFX_DIALOG_LAYOUT | 0x211b9e0 | 0x2 | ASCII text, with no line terminators | Russian | Russia | 5.0
                               INI | 0x2149d18 | 0xa | data | Russian | Russia | 1.8
                               LANG | 0x211e920 | 0x21ec | data | Russian | Russia | 0.9705204974666053
                               LANG | 0x2120b10 | 0x33d9 | data | Russian | Russia | 0.970617042115573
                               LANG | 0x2123ef0 | 0x2454 | data | Russian | Russia | 0.34720430107526884
                               LANG | 0x2126348 | 0x25b3 | data | Russian | Russia | 0.9348254066936069
                               LANG | 0x2128900 | 0x2454 | data | Russian | Russia | 0.9278494623655914
                               LANG | 0x212ad58 | 0x289b | data | Russian | Russia | 0.9302549302549302
                               LANG | 0x212d5f8 | 0x252c | data | Russian | Russia | 0.9330601092896175
                               LANG | 0x212fb28 | 0x1f5f | data | Russian | Russia | 0.9346283152782966
                               LANG | 0x2131a88 | 0x23ce | data | Russian | Russia | 0.9368317695832424
                               LANG | 0x2133e58 | 0x242e | DOS executable (COM) | Russian | Russia | 0.9326279421291298
                               LANG | 0x214ad00 | 0x2499 | data | English | United States | 0.9260326609029779
                               OPUS | 0x2136288 | 0xa5e5 | data | Russian | Russia | 0.9198003249428995
                               OPUS | 0x2140870 | 0x94a4 | data | Russian | Russia | 0.9161673499421844
                               RT_ICON | 0x211b9e8 | 0x139 | data | Russian | Russia | 1.035143769968051
                               RT_ICON | 0x211bb28 | 0x1ef | data | Russian | Russia | 1.0222222222222221
                               RT_ICON | 0x211bd18 | 0x225 | data | Russian | Russia | 1.0200364298724955
                               RT_ICON | 0x211bf40 | 0x26b | data | Russian | Russia | 1.0177705977382876
                               RT_ICON | 0x211c1b0 | 0x326 | data | Russian | Russia | 1.0024813895781637
                               RT_ICON | 0x211c4d8 | 0x402 | data | Russian | Russia | 1.010721247563353
                               RT_ICON | 0x21899e0 | 0x13b | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.034920634920635
                               RT_ICON | 0x2189b20 | 0x1c5 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0242825607064017
                               RT_ICON | 0x2189cec | 0x1ee | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0222672064777327
                               RT_ICON | 0x2189ee0 | 0x253 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0184873949579831
                               RT_ICON | 0x218a138 | 0x2e7 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0148048452220726
                               RT_ICON | 0x218a424 | 0x3ad | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0116896918172158
                               RT_ICON | 0x211d788 | 0x159 | data | Russian | Russia | 1.0318840579710145
                               RT_ICON | 0x211d8e8 | 0x1e6 | data | Russian | Russia | 1.022633744855967
                               RT_ICON | 0x211dad0 | 0x1f6 | data | Russian | Russia | 0.99800796812749
                               RT_ICON | 0x211dcc8 | 0x26d | data | Russian | Russia | 1.0177133655394526
                               RT_ICON | 0x211df38 | 0x31b | data | Russian | Russia | 1.0138364779874214
                               RT_ICON | 0x211e258 | 0x3e7 | COM executable for DOS | Russian | Russia | 0.977977977977978
                               RT_ICON | 0x2149d28 | 0x163 | data | | | 1.0309859154929577
                               RT_ICON | 0x2149e90 | 0x20d | data | | | 1.020952380952381
                               RT_ICON | 0x214a0a0 | 0x21b | data | | | 1.0204081632653061
                               RT_ICON | 0x214a2c0 | 0x282 | data | | | 1.017133956386293
                               RT_ICON | 0x214a548 | 0x33c | data | | | 0.9963768115942029
                               RT_ICON | 0x214a888 | 0x413 | data | | | 0.9798657718120806
                               RT_STRING | 0x214d1a0 | 0x38 | data | Russian | Russia | 1.1964285714285714
                               RT_GROUP_ICON | 0x218a7d8 | 0x5a | data | Russian | Russia | 0.8
                               RT_GROUP_ICON | 0x211c8e0 | 0x5a | data | Russian | Russia | 1.1222222222222222
                               RT_GROUP_ICON | 0x214aca0 | 0x5a | data | | | 1.1222222222222222
                               RT_GROUP_ICON | 0x211e640 | 0x5a | data | Russian | Russia | 1.1222222222222222
                               RT_VERSION | 0x218a838 | 0x27c | data | Russian | Russia | 0.4748427672955975
                               RT_MANIFEST | 0x218aab8 | 0x87f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2115), with CRLF line terminators | English | United States | 0.31264367816091954
                               DLL | Import
                               ADVAPI32.dll | FreeSid
                               COMCTL32.dll | ImageList_DrawEx
                               COMDLG32.dll | PrintDlgW
                               d3d11.dll | D3D11CreateDevice
                               dbghelp.dll | SymFromAddr
                               dxgi.dll | CreateDXGIFactory1
                               GDI32.dll | LineTo
                               gdiplus.dll | GdipFree
                               IMM32.dll | ImmIsIME
                               IPHLPAPI.DLL | GetIfEntry2
                               KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                               MPR.dll | WNetGetConnectionW
                               msdmo.dll | MoInitMediaType
                               msi.dll |
                               NETAPI32.dll | NetUserGetInfo
                               ntdll.dll | RtlGetVersion
                               NTDSAPI.dll | DsMakeSpnW
                               ole32.dll | DoDragDrop
                               OLEACC.dll | LresultFromObject
                               OLEAUT32.dll | SafeArrayGetElement
                               POWRPROF.dll | PowerGetActiveScheme
                               RPCRT4.dll | UuidEqual
                               SAS.dll | SendSAS
                               Secur32.dll | DeleteSecurityContext
                               SHELL32.dll |
                               SHLWAPI.dll | PathIsRelativeA
                               USER32.dll | GetDC
                               USERENV.dll | CreateEnvironmentBlock
                               USP10.dll | ScriptPlace
                               VERSION.dll | VerQueryValueW
                               WINHTTP.dll | WinHttpOpen
                               WININET.dll | InternetOpenA
                               WINMM.dll | waveInOpen
                               WINSPOOL.DRV |
                               WS2_32.dll | accept
                               WTSAPI32.dll | WTSFreeMemory
                               Language of compilation system | Country where language is spoken | Map
                               Russian | Russia |
                               English | United States |
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Jan 6, 2025 05:52:42.528292894 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:42.528315067 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
                               Jan 6, 2025 05:52:42.528585911 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:42.528759003 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:42.528773069 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
                               Jan 6, 2025 05:52:42.984918118 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
                               Jan 6, 2025 05:52:42.985224009 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:42.985233068 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
                               Jan 6, 2025 05:52:42.986331940 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
                               Jan 6, 2025 05:52:42.986524105 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:42.988147020 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:42.988209963 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
                               Jan 6, 2025 05:52:42.989223957 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:42.989233017 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
                               Jan 6, 2025 05:52:43.038219929 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:43.472002029 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
                               Jan 6, 2025 05:52:43.472039938 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
                               Jan 6, 2025 05:52:43.472198963 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:43.474570990 CET | 49755 | 443 | 192.168.11.20 | 5.75.168.191
                               Jan 6, 2025 05:52:43.474581003 CET | 443 | 49755 | 5.75.168.191 | 192.168.11.20
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 05:52:42.405221939 CET | 57191 | 53 | 192.168.11.20 | 1.1.1.1
Jan 6, 2025 05:52:42.526226997 CET | 53 | 57191 | 1.1.1.1 | 192.168.11.20
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 6, 2025 05:52:42.405221939 CET | 192.168.11.20 | 1.1.1.1 | 0x935 | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 05:52:42.526226997 CET | 1.1.1.1 | 192.168.11.20 | 0x935 | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 05:52:42.526226997 CET | 1.1.1.1 | 192.168.11.20 | 0x935 | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 05:52:42.526226997 CET | 1.1.1.1 | 192.168.11.20 | 0x935 | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
                              • getscreen.me
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49755 | 5.75.168.191 | 443 | 7428 | C:\Users\user\Desktop\getscreen-524501439.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 04:52:42 UTC | 363 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)
2025-01-06 04:52:43 UTC | 354 | IN | HTTP/1.1 400 Bad Request
access-control-expose-headers: X-Js-Cache
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
x-js-cache: ff865bcc32999ce12f2e4c6aa33a641b
date: Mon, 06 Jan 2025 04:52:43 GMT
content-length: 12
x-envoy-upstream-service-time: 4
server: lb2.getscreen.me
connection: close
2025-01-06 04:52:43 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request
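The request above is an RFC 6455 opening handshake for a WebSocket on /signal/agent. One detail worth a second look: the Sec-WebSocket-Key (dGhlIHNhbXBsZSBub25jZQ==, which decodes to "the sample nonce") and the Sec-WebSocket-Protocol value (chat, superchat) are the literal examples printed in RFC 6455 section 1.3, whereas section 4.1 requires the key to be a freshly generated random 16-byte nonce for every connection. The Python below is an added example, not code from the report or from Getscreen.me: it parses the captured request (reproduced as a constructed byte string), computes the Sec-WebSocket-Accept value a compliant server would have to return for that key, and flags the reused example nonce. It makes no claim about why the server answered 400; the report does not show the cause.

```python
import base64
import hashlib

# The WebSocket upgrade request from the report, reproduced as a constructed
# byte string (same request line, headers and order as the captured session).
CAPTURED_REQUEST = (
    b"GET /signal/agent HTTP/1.1\r\n"
    b"Host: getscreen.me\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Origin: https://getscreen.me\r\n"
    b"Sec-WebSocket-Protocol: chat, superchat\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"User-Agent: Getscreen.me/3.1.5 (Win64, getscreen.me, 228)\r\n"
    b"\r\n"
)

# Fixed GUID that RFC 6455 section 4.2.2 appends to the client key before SHA-1.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# The literal example key from RFC 6455 section 1.3; a real client must send a
# freshly generated random 16-byte nonce per connection (section 4.1).
RFC6455_EXAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 request head into (request line, lowercased header map)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a compliant server must answer with for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def audit_handshake(raw: bytes) -> dict:
    """Check the client's opening handshake against RFC 6455 requirements."""
    request_line, h = parse_request(raw)
    key = h.get("sec-websocket-key", "")
    try:
        key_bytes = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        key_bytes = b""
    return {
        "request_line": request_line,
        "upgrade_ok": h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in h.get("connection", "").lower(),
        "version_13": h.get("sec-websocket-version") == "13",
        "key_bytes": key_bytes,
        "key_is_16_bytes": len(key_bytes) == 16,
        "key_is_rfc_example": key == RFC6455_EXAMPLE_KEY,
        "expected_accept": expected_accept(key),
    }


if __name__ == "__main__":
    for name, value in audit_handshake(CAPTURED_REQUEST).items():
        print(f"{name:20} {value!r}")
```

A static key does not weaken the TLS session that carries the WebSocket, but it is a stable fingerprint: any proxy or IDS that logs Sec-WebSocket-Key can match this client on the literal RFC example value regardless of the User-Agent string.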



Target ID: 0
Start time: 23:52:37
Start date: 05/01/2025
Path: C:\Users\user\Desktop\getscreen-524501439.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\getscreen-524501439.exe"
Imagebase: 0x7ff7167b0000
File size: 7'627'552 bytes
MD5 hash: 00D07884F13526FA6BECBE099A3E0AA0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 23:52:39
Start date: 05/01/2025
Path: C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe" -elevate \\.\pipe\elevateGS512chskldxthycfjguemdybwvvxbuswlsw
Imagebase: 0x7ff7a3ee0000
File size: 7'627'552 bytes
MD5 hash: 00D07884F13526FA6BECBE099A3E0AA0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 23:52:40
Start date: 05/01/2025
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Imagebase: 0x7ff7344f0000
File size: 57'360 bytes
MD5 hash: F586835082F632DC8D9404D83BC16316
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 4
Start time: 23:52:41
Start date: 05/01/2025
Path: C:\Users\user\Desktop\getscreen-524501439.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\getscreen-524501439.exe" -gpipe \\.\pipe\PCommand97bhvmlweiwnrsytn -gui
Imagebase: 0x7ff7167b0000
File size: 7'627'552 bytes
MD5 hash: 00D07884F13526FA6BECBE099A3E0AA0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 23:52:41
Start date: 05/01/2025
Path: C:\Users\user\Desktop\getscreen-524501439.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\getscreen-524501439.exe" -cpipe \\.\pipe\PCommand96anjinciszinsnvw -cmem 0000pipe0PCommand96anjinciszinsnvw42gz31pcscaz1c1 -child
Imagebase: 0x7ff7167b0000
File size: 7'627'552 bytes
MD5 hash: 00D07884F13526FA6BECBE099A3E0AA0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true
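Read together, the five records above show the sample (Target 0) running a byte-identical copy of itself (same MD5 and file size) from C:\ProgramData\Getscreen.me under a random file name with an -elevate switch and a named pipe, re-spawning itself twice more with -gpipe/-cpipe pipe arguments, and the Secondary Logon service host (svchost.exe -s seclogon) starting in between; the report lists these processes but does not state how they relate. The Python below is an added example, not code from the report or from Getscreen.me: it loads the five records as constructed data transcribed from the table and reduces them to the facts a triage analyst pulls out first (copies of the sample hash running from a path other than the original, the ProgramData drop, which child carries -elevate, and every named pipe referenced on a command line). The functions are generic and work on any process list with the same fields, not only this report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    target_id: int
    path: str
    cmdline: str
    md5: str
    size: int


# Process records transcribed from the report above (constructed data, not a
# machine export from the sandbox).
SAMPLE_MD5 = "00D07884F13526FA6BECBE099A3E0AA0"
PROCS = [
    Proc(0, r"C:\Users\user\Desktop\getscreen-524501439.exe",
         r'"C:\Users\user\Desktop\getscreen-524501439.exe"',
         SAMPLE_MD5, 7627552),
    Proc(2, r"C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe",
         r'"C:\ProgramData\Getscreen.me\chskldxthycfjguemdybwvvxbuswlsw-elevate.exe"'
         r' -elevate \\.\pipe\elevateGS512chskldxthycfjguemdybwvvxbuswlsw',
         SAMPLE_MD5, 7627552),
    Proc(3, r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon",
         "F586835082F632DC8D9404D83BC16316", 57360),
    Proc(4, r"C:\Users\user\Desktop\getscreen-524501439.exe",
         r'"C:\Users\user\Desktop\getscreen-524501439.exe"'
         r' -gpipe \\.\pipe\PCommand97bhvmlweiwnrsytn -gui',
         SAMPLE_MD5, 7627552),
    Proc(5, r"C:\Users\user\Desktop\getscreen-524501439.exe",
         r'"C:\Users\user\Desktop\getscreen-524501439.exe"'
         r' -cpipe \\.\pipe\PCommand96anjinciszinsnvw'
         r' -cmem 0000pipe0PCommand96anjinciszinsnvw42gz31pcscaz1c1 -child',
         SAMPLE_MD5, 7627552),
]

# Matches a Win32 named-pipe path such as \\.\pipe\name on a command line.
PIPE_RE = re.compile(r"\\\\\.\\pipe\\([^\s\"]+)")


def self_copies(procs: list[Proc], sample_md5: str) -> list[Proc]:
    """Processes with the sample's hash that ran from a path other than Target 0's."""
    original = {p.path.lower() for p in procs if p.target_id == 0}
    return [p for p in procs
            if p.md5.upper() == sample_md5.upper() and p.path.lower() not in original]


def named_pipes(procs: list[Proc]) -> dict[int, list[str]]:
    """Named pipes referenced on each command line, keyed by target id."""
    return {p.target_id: PIPE_RE.findall(p.cmdline)
            for p in procs if PIPE_RE.search(p.cmdline)}


def triage(procs: list[Proc], sample_md5: str) -> dict:
    """Summarise the process list into the facts an analyst checks first."""
    copies = self_copies(procs, sample_md5)
    return {
        "dropped_copies": [p.path for p in copies],
        "programdata_copies": [p.path for p in copies
                               if p.path.lower().startswith("c:\\programdata\\")],
        "size_matches_sample": all(p.size == procs[0].size for p in copies),
        "elevate_children": [p.target_id for p in procs
                             if "-elevate" in p.cmdline.split()],
        "pipes": named_pipes(procs),
        "service_hosts": [p.cmdline for p in procs
                          if p.path.lower().endswith("\\svchost.exe")],
    }


if __name__ == "__main__":
    for key, value in triage(PROCS, SAMPLE_MD5).items():
        print(f"{key:22} {value!r}")
```

The pipe names carry the same random suffix as the dropped file name (elevateGS512 followed by the file's random stem), so a host-based rule can pair the drop and the pipe without relying on the executable name, which differs per run.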

                              No disassembly