
Windows Analysis Report
getscreen-524501439-x86.exe

Overview

General Information

Sample name: getscreen-524501439-x86.exe
Analysis ID: 1584658
MD5: 294ad9e8ead4dcf6eafec6bf5463168b
SHA1: 40143d13edb136f582f2622565afbda9e035d5d7
SHA256: a66d219a6e5a068edc5b3e06dc1412454ce69bac0419e43d4d8c0620ae3d79e8
Tags: exe, user-cisdemo

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • getscreen-524501439-x86.exe (PID: 4828 cmdline: "C:\Users\user\Desktop\getscreen-524501439-x86.exe" MD5: 294AD9E8EAD4DCF6EAFEC6BF5463168B)
    • getscreen-524501439-x86.exe (PID: 2180 cmdline: "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -gpipe \\.\pipe\PCommand97rzbqvsaxpfdgvui -gui MD5: 294AD9E8EAD4DCF6EAFEC6BF5463168B)
    • getscreen-524501439-x86.exe (PID: 2196 cmdline: "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96eieqezmjalfqqne -cmem 0000pipe0PCommand96eieqezmjalfqqnelp2z2wodzq3242d -child MD5: 294AD9E8EAD4DCF6EAFEC6BF5463168B)
  • zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe (PID: 5480 cmdline: "C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe" -elevate \\.\pipe\elevateGS512zwvztpbbwxeyisrxsphxsxjmazygqyh MD5: 294AD9E8EAD4DCF6EAFEC6BF5463168B)
  • svchost.exe (PID: 2688 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3328 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: getscreen-524501439-x86.exe PID: 4828 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
    Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 2688, ProcessName: svchost.exe
    No Suricata rule has matched

    Compliance

    Source: getscreen-524501439-x86.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: getscreen-524501439-x86.exe Static PE information: certificate valid
    Source: getscreen-524501439-x86.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009741000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009A9D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wbemsvc.pdb\* source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdbba source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000096D6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009F6A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemprox.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdb8 source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A026000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000098C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A1F4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: e3samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.00000000090B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007A9F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A026000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdb*eC source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009D2D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008528000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009257000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbP source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdb\*o source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbationNr~. source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdbNp source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008DCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009741000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009119000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008208000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc.pdb\*torS~~2 source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\exe\getscreen-524501439-x86.pdbp source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009D2D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084F0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009278000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009246000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009262000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdb0 source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008506000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdbL source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbp source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009CD2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B96000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008517000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009EA5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009119000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009B05000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009D88000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000098C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\InputHost.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FWPolicyIOMgr.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A02C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A251000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdbb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007A9F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008522000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.00000000090B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbcyS source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000979C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.000000000851D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-524501439-x86.pdb:J source: getscreen-524501439-x86.exe, 00000000.00000002.1725192173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000082E7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbiB} source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009929000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009C19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbo source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009A9D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B74000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009676000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb2}n source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdb*} source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009E3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008522000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009F6A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009251000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000082E7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreMessaging.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008203000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008F3B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000096DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009D88000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000081FD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008281000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A1F4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbi source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009E3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009DE2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009B5F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\MpOAV.pdbeUserC source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdb! source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.00000000090B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009A41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008208000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-524501439-x86.pdb,J source: getscreen-524501439-x86.exe, 00000000.00000002.1725192173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\msi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008517000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B90000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009257000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009246000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008281000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000979C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008203000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.000000000851D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009801000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.000000000917F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008528000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009DE2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009B05000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009CD2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009676000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.000000000926D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009A41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.000000000848E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A199000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A2B3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084F0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A2B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B74000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb\*b source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.000000000848E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000096D6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A199000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdbZ~ source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000081FD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdby source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb4 source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008DCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A086000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A02C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A2B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A086000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009273000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008DCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009929000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A251000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008F3B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009251000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009801000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000096DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\Win32\Release\getscreen.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: ws2_32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B96000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A2B3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.000000000926D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008506000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009262000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B90000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009273000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009278000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009B5F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009C19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.000000000917F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000082EC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B9B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009EA5000.00000004.00000020.00020000.00000000.sdmp
    Source: Joe Sandbox View | IP Address: 78.47.165.25 78.47.165.25
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/3.1.5 (Win, getscreen.me, 228)
    Source: global traffic | DNS traffic detected: DNS query: getscreen.me
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: svchost.exe, 00000005.00000002.2935466482.0000015027400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: svchost.exe, 00000005.00000003.1705073004.0000015027308000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
    Source: svchost.exe, 00000005.00000003.1705073004.0000015027308000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
    Source: svchost.exe, 00000005.00000003.1705073004.0000015027308000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
    Source: svchost.exe, 00000005.00000003.1705073004.000001502733D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
    Source: edb.log.5.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://proxy.contoso.com:3128/
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
    Source: getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.g
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.ge
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsa
    Source: getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsc
    Source: getscreen-524501439-x86.exe, 00000002.00000003.1752780951.0000000007E10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscr
    Source: getscreen-524501439-x86.exe, 00000002.00000003.1752780951.0000000007E10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscr&
    Source: getscreen-524501439-x86.exe, 00000002.00000003.1776727335.0000000002B59000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-
    Source: getscreen-524501439-x86.exe, 00000004.00000003.1749131411.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1750926714.00000000006E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-policy/
    Source: getscreen-524501439-x86.exe, 00000004.00000003.1749131411.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1750926714.00000000006E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/terms-of-use/
    Source: getscreen-524501439-x86.exe, 00000002.00000003.1752582138.000000000524B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/user-guides/agent/
    Source: svchost.exe, 00000005.00000003.1705073004.00000150273B2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
    Source: svchost.exe, 00000005.00000003.1705073004.00000150273B2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
    Source: svchost.exe, 00000005.00000003.1705073004.00000150273B2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
    Source: edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
    Source: getscreen-524501439-x86.exe, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1729906254.0000000008671000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_a08a2a32-7
    Source: Yara match | File source: Process Memory Space: getscreen-524501439-x86.exe PID: 4828, type: MEMORYSTR
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008C62000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSAMLib.DLLj% vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000000.00000002.1725134247.0000000002972000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000000.00000000.1670085512.0000000002972000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000002.00000003.1750702468.000000000518D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameD3D10Warp.dl vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000002.00000003.1755478370.000000000518D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameD3D10Warp.dl vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000002.00000003.1757381890.000000000518E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameD3D10Warp.dl vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000002.00000002.1779497604.0000000002972000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000002.00000000.1700230514.0000000002972000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000004.00000002.1753802144.0000000002972000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000004.00000000.1704409922.0000000002972000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal51.evad.winEXE@9/13@1/2
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | File created: C:\Users\user\AppData\Local\Getscreen.me
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | File read: C:\Users\user\Desktop\getscreen-524501439-x86.exe
    Source: unknown | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe"
    Source: unknown | Process created: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe "C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe" -elevate \\.\pipe\elevateGS512zwvztpbbwxeyisrxsphxsxjmazygqyh
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -gpipe \\.\pipe\PCommand97rzbqvsaxpfdgvui -gui
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96eieqezmjalfqqne -cmem 0000pipe0PCommand96eieqezmjalfqqnelp2z2wodzq3242d -child
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -gpipe \\.\pipe\PCommand97rzbqvsaxpfdgvui -gui
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96eieqezmjalfqqne -cmem 0000pipe0PCommand96eieqezmjalfqqnelp2z2wodzq3242d -child
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dsparse.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: firewallapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: fwbase.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: fwpolicyiomgr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: mmdevapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: devobj.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: avrt.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: mfwmaaec.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: mfperfhelper.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: avrt.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: audioses.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: samlib.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: symsrv.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: mpr.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: msdmo.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: msi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: ntdsapi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: sas.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: secur32.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: userenv.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: usp10.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: version.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: wininet.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: winmm.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: samcli.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: dsparse.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: netutils.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: wldp.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: msdmo.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: ntdsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: sas.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dsparse.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: d2d1.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dwrite.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dataexchange.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dcomp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: directmanipulation.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dxcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: mscms.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: coloradapterclient.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: icm32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: uiautomationcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: seclogon.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: msdmo.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: ntdsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: sas.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: dsparse.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32Jump to behavior
    Source: getscreen-524501439-x86.exeStatic PE information: certificate valid
    Source: getscreen-524501439-x86.exeStatic file information: File size 6861600 > 1048576
    Source: getscreen-524501439-x86.exeStatic PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x685400
    Source: getscreen-524501439-x86.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009741000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009A9D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wbemsvc.pdb\* source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdbba source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000096D6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009F6A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemprox.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdb8 source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A026000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000098C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A1F4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: e3samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.00000000090B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007A9F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A026000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdb*eC source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009D2D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008528000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009257000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbP source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdb\*o source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbationNr~. source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdbNp source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008DCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009741000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009119000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008208000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc.pdb\*torS~~2 source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\exe\getscreen-524501439-x86.pdbp source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009D2D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084F0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009278000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009246000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009262000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdb0 source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008506000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdbL source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbp source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009CD2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B96000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008517000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009EA5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009119000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009B05000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009D88000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000098C6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\InputHost.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FWPolicyIOMgr.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A02C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A251000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdbb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007A9F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008522000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.00000000090B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbcyS source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000979C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.000000000851D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-524501439-x86.pdb:J source: getscreen-524501439-x86.exe, 00000000.00000002.1725192173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000082E7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbiB} source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009929000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009C19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbo source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009A9D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B74000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009676000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb2}n source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdb*} source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009E3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008522000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009F6A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009251000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000082E7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreMessaging.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008203000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008F3B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000096DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009D88000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000081FD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008281000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A1F4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbi source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009E3C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009DE2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009B5F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\MpOAV.pdbeUserC source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdb! source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.00000000090B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009A41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008208000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-524501439-x86.pdb,J source: getscreen-524501439-x86.exe, 00000000.00000002.1725192173.0000000002A28000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\msi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008517000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B90000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009257000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009246000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008281000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000979C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008203000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.000000000851D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009801000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.000000000917F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008528000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009DE2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009B05000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009CD2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009676000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.000000000926D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009A41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.000000000848E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A199000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A2B3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: gdiplus.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084F0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A2B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B74000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb\*b source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.000000000848E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000096D6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A199000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdbZ~ source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000081FD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdby source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb4 source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008DCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A086000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A02C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A2B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A086000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009273000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008DCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009929000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A251000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: version.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000008F3B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009251000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009801000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.00000000096DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\Win32\Release\getscreen.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: ws2_32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B96000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.000000000A2B3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.000000000926D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.0000000008506000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009262000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B90000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.00000000079AA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009273000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.0000000009278000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009B5F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009C19000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1730280090.000000000917F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000082EC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1728765537.00000000084F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004C6F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B85000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.1728022252.0000000007B9B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.1731844658.0000000009EA5000.00000004.00000020.00020000.00000000.sdmp
    Source: zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe.0.dr Static PE information: real checksum: 0x695d88 should be: 0x6913d9
    Source: getscreen-524501439-x86.exe Static PE information: real checksum: 0x695d88 should be: 0x6913d9
    Source: initial sample Static PE information: section name: UPX0
    Source: initial sample Static PE information: section name: UPX1
    Source: initial sample Static PE information: section name: UPX0
    Source: initial sample Static PE information: section name: UPX1
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe File created: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe File created: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 14
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; System information queried: FirmwareTableInformation
Source: C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe; System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe TID: 1620; Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe TID: 7236; Thread sleep count: 186 > 30
Source: C:\Windows\System32\svchost.exe TID: 4956; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
Source: getscreen-524501439-x86.exe, 00000000.00000002.1725192173.0000000002A66000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvv]
Source: getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
Source: zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp; Binary or memory string: <WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
Source: getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: VMnet
Source: getscreen-524501439-x86.exe, 00000002.00000003.1755641619.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1779924818.0000000002BC0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000002.00000003.1757868614.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000002.00000003.1768638360.0000000002BBB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWnYZ
Source: getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
Source: getscreen-524501439-x86.exe, 00000000.00000002.1727003171.0000000005EF0000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: RAM slot #0RAM slot #0@VMware Virtual RAMVMW-4096MB00000001
Source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CE4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: {"token":"","uid":"71434D56-1548-ED3D-AEE6-C75AECD93BF0","turbo":"2203681736138584UtEFjbrdjMX3qgoXgI9f","turbo_old":"","invite":"","brand":"","install":false,"admin":true,"isadmin":true,"onetime":true,"file_download":true,"name":"367706","nonadmin":true,"islock":false,"blackscreen_available":true,"hibernate":true,"power_supply":true,"silent":false,"start_time":1736141518,"os":"win","rdp":false,"os_user":"user","os_username":"","build":228,"version":"3.1.5","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"CPUSpeed\":2000,\"CPUCores\":4,\"CPUCoresLogical\":1,\"CPUFamily\":\"Intel64 Family 6 Model 143 Stepping 8\",\"BIOS\":\"48NUKDZM52\",\"BIOSVersion\":\"20221121\",\"BIOSDate\":\"\",\"RAMPhys\":8191,\"RAMPhysAvail\":2204,\"RAMVirt\":2047,\"RAMVirtAvail\":1865,\"RAMPageFile\":8191,\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Locator\":\"RAM slot #0\",\"DataWidth\":64,\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":4096}],\"VideoName\":\"LHG8FP6N\",\"VideoRAM\":1024,\"VideoCards\":[{\"Name\":\"LHG8FP6N\",\"RAM\":1024,\"Integrated\":false}],\"Locale\":\"0809\",\"LocaleOemPage\":\"1252\",\"LocaleCountry\":\"Switzerland\",\"LocaleCurrency\":\"CHF\",\"LocaleTimezone\":60,\"LocaleFormatTime\":\"HH:mm:ss\",\"LocaleFormatDate\":\"dd\\\/MM\\\/yyyy\",\"ComputerModel\":\"zALbofPG\",\"ComputerDomain\":\"RWrlV\",\"ComputerWorkgroup\":\"WORKGROUP\",\"ComputerName\":\"user-PC\",\"ComputerIP\":[\"192.168.2.4\",\"fe80::29b9:a951:1791:4eb3\"],\"OSName\":\"Microsoft Windows 10 Pro\",\"OSVersion\":\"10.0.19045\",\"HDD\":[{\"Model\":\"A562E5EE SCSI Disk Device\",\"Size\":393199}],\"LogicalDisks\":[{\"Disk\":\"C:\",\"Name\":\"\",\"FileSystem\":\"NTFS\",\"Size\":213143,\"FreeSpace\":19035}],\"SoundDevices\":[],\"NetAdapters\":[{\"Name\":\"Intel(R) 82574L Gigabit Network Connection\",\"Manufacturer\":\"Intel Corporation\",\"MACAddress\":\"EC:F4:BB:EA:15:88\",\"Speed\":953,\"Addresses\":\"192.168.2.4, fe80::29b9:a951:1791:4eb3\",\"DNS\":\"1.1.1.1\",\"DCHP\":\"\",\"Cable\":true,\"WoL\":false}],\"Monitors\":[]}"}
Source: getscreen-524501439-x86.exe, 00000002.00000003.1755641619.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1779924818.0000000002BC0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000002.00000003.1757868614.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1779549852.0000000002B24000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000002.00000003.1768638360.0000000002BBB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2935515895.0000015027440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2935562729.0000015027458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2934467618.0000015021E2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: getscreen-524501439-x86.exe, 00000000.00000002.1727003171.0000000005EF0000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: VMware Virtual RAM
Source: zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1684098147.0000000002995000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: getscreen-524501439-x86.exe, 00000000.00000002.1727003171.0000000005EFA000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: {"token":"","uid":"71434D56-1548-ED3D-AEE6-C75AECD93BF0","turbo":"2203681736138584UtEFjbrdjMX3qgoXgI9f","turbo_old":"","invite":"","brand":"","install":false,"admin":true,"isadmin":true,"onetime":true,"file_download":true,"name":"367706","nonadmin":true,"islock":false,"blackscreen_available":true,"hibernate":true,"power_supply":true,"silent":false,"start_time":1736141518,"os":"win","rdp":false,"os_user":"user","os_username":"","build":228,"version":"3.1.5","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"CPUSpeed\":2000,\"CPUCores\":4,\"CPUCoresLogical\":1,\"CPUFamily\":\"Intel64 Family 6 Model 143 Stepping 8\",\"BIOS\":\"48NUKDZM52\",\"BIOSVersion\":\"20221121\",\"BIOSDate\":\"\",\"RAMPhys\":8191,\"RAMPhysAvail\":2204,\"RAMVirt\":2047,\"RAMVirtAvail\":1865,\"RAMPageFile\":8191,\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Locator\":\"RAM slot #0\",\"DataWidth\":64,\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":4096}],\"VideoName
Source: getscreen-524501439-x86.exe, 00000004.00000003.1748674162.00000000006B6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: getscreen-524501439-x86.exe, 00000000.00000002.1727003171.0000000005EFA000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: {"CPU":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","CPUSpeed":2000,"CPUCores":4,"CPUCoresLogical":1,"CPUFamily":"Intel64 Family 6 Model 143 Stepping 8","BIOS":"48NUKDZM52","BIOSVersion":"20221121","BIOSDate":"","RAMPhys":8191,"RAMPhysAvail":2204,"RAMVirt":2047,"RAMVirtAvail":1865,"RAMPageFile":8191,"RAMBanks":[{"Bank":"RAM slot #0","Locator":"RAM slot #0","DataWidth":64,"Manufacturer":"VMware Virtual RAM","PartNumber":"VMW-4096MB","SerialNumber":"00000001","Capacity":4096}],"VideoName":"LHG8FP6N","VideoRAM":1024,"VideoCards":[{"Name":"LHG8FP6N","RAM":1024,"Integrated":false}],"Locale":"0809","LocaleOemPage":"1252","LocaleCountry":"Switzerland","LocaleCurrency":"CHF","LocaleTimezone":60,"LocaleFormatTime":"HH:mm:ss","LocaleFormatDate":"dd\/MM\/yyyy","ComputerModel":"zALbofPG","ComputerDomain":"RWrlV","ComputerWorkgroup":"WORKGROUP","ComputerName":"user-PC","ComputerIP":["192.168.2.4","fe80::29b9:a951:1791:4eb3"],"OSName":"Microsoft Windows 10 Pro","OSVersion":"10.0.19045","HDD":[{"Model":"A562E5EE SCSI Disk Devi
Source: getscreen-524501439-x86.exe, 00000000.00000002.1725788359.0000000004CB7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: $VMware Virtual RAM"
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; Process queried: DebugPort
Source: C:\Windows\System32\svchost.exe; Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96eieqezmjalfqqne -cmem 0000pipe0PCommand96eieqezmjalfqqnelp2z2wodzq3242d -child
Source: getscreen-524501439-x86.exe, 00000000.00000002.1729906254.0000000008671000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: GetProgmanWindow
Source: getscreen-524501439-x86.exe, 00000000.00000002.1729906254.0000000008671000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe; Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
MITRE ATT&CK Matrix (rendered as a graphic on the original page; tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques flagged for this sample, with the number shown beside each technique in the matrix:

Execution: Windows Management Instrumentation (631)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (12), DLL Side-Loading (1)
Defense Evasion: Masquerading (11), Virtualization/Sandbox Evasion (551), Process Injection (12), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
Credential Access: Input Capture (11)
Discovery: Security Software Discovery (741), Virtualization/Sandbox Evasion (551), Process Discovery (2), System Information Discovery (142)
Collection: Input Capture (11)
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (3)
Source | Detection | Scanner | Label | Link
getscreen-524501439-x86.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe | 0% | ReversingLabs | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://docs.getscr& | 0% | Avira URL Cloud | safe |
https://docs.getscreen.me/en/rules/privacy- | 0% | Avira URL Cloud | safe |
https://docs.getsa | 0% | Avira URL Cloud | safe |
https://docs.ge | 0% | Avira URL Cloud | safe |
https://docs.getscreen.me/en/rules/terms-of-use/ | 0% | Avira URL Cloud | safe |
https://docs.g | 0% | Avira URL Cloud | safe |
http://proxy.contoso.com:3128/ | 0% | Avira URL Cloud | safe |
https://docs.getscreen.me/user-guides/agent/ | 0% | Avira URL Cloud | safe |
https://docs.getsc | 0% | Avira URL Cloud | safe |
https://docs.getscr | 0% | Avira URL Cloud | safe |
https://docs.getscreen.me/en/rules/privacy-policy/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
getscreen.me | 78.47.165.25 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://getscreen.me/signal/agent | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://docs.ge | getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod.C: | edb.log.5.dr | false | | high
http://proxy.contoso.com:3128/ | getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/user-guides/agent/ | getscreen-524501439-x86.exe, 00000002.00000003.1752582138.000000000524B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2 | edb.log.5.dr | false | | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000005.00000003.1705073004.00000150273B2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | false | | high
https://docs.getscr& | getscreen-524501439-x86.exe, 00000002.00000003.1752780951.0000000007E10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 00000005.00000002.2935466482.0000015027400000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.winimage.com/zLibDll | getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.5.dr | false | | high
https://docs.g | getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/en/rules/terms-of-use/ | getscreen-524501439-x86.exe, 00000004.00000003.1749131411.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1750926714.00000000006E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getsc | getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getsa | getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001705000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000001055000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001705000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001705000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/en/rules/privacy- | getscreen-524501439-x86.exe, 00000002.00000003.1776727335.0000000002B59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | getscreen-524501439-x86.exe, 00000000.00000002.1723007083.0000000001321000.00000040.00000001.01000000.00000003.sdmp, zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe, 00000001.00000002.1682131127.0000000000C71000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000002.00000002.1777411389.0000000001321000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1751187888.0000000001321000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://docs.getscr | getscreen-524501439-x86.exe, 00000002.00000003.1752780951.0000000007E10000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/en/rules/privacy-policy/ | getscreen-524501439-x86.exe, 00000004.00000003.1749131411.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.1750926714.00000000006E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000005.00000003.1705073004.00000150273B2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
78.47.165.25 | getscreen.me | Germany | | 24940 | HETZNER-ASDE | false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584658
Start date and time: 2025-01-06 06:31:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: getscreen-524501439-x86.exe
Detection: MAL
Classification: mal51.evad.winEXE@9/13@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.56.254.164, 52.149.20.212, 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:32:01 | API Interceptor | 1x Sleep call for process: getscreen-524501439-x86.exe modified
00:32:02 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
78.47.165.25 | getscreen-524501439.exe | malicious | Unknown |
78.47.165.25 | getscreen-868841125.exe | malicious | Unknown |
78.47.165.25 | getscreen-868841125.exe | malicious | Unknown |
78.47.165.25 | getscreen-120727697-x86.exe | malicious | Unknown |
78.47.165.25 | getscreen-669912037.exe | malicious | Unknown |
78.47.165.25 | getscreen-456311346-x86.exe | malicious | Unknown |
78.47.165.25 | getscreen-456311346-x86.exe | malicious | Unknown |
78.47.165.25 | getscreen-941605629.exe | malicious | Unknown |
78.47.165.25 | getscreen-941605629.exe | malicious | Unknown |
78.47.165.25 | getscreen-156413884-x86.exe | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
getscreen.me | getscreen-524501439.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-524501439.exe | malicious | Unknown | 78.47.165.25
getscreen.me | getscreen-868841125.exe | malicious | Unknown | 78.47.165.25
getscreen.me | getscreen-868841125.exe | malicious | Unknown | 51.89.95.37
getscreen.me | getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-669912037.exe | malicious | Unknown | 51.89.95.37
getscreen.me | getscreen-120727697-x86.exe | malicious | Unknown | 51.89.95.37
getscreen.me | getscreen-669912037.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-456311346-x86.exe | malicious | Unknown | 78.47.165.25

Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | getscreen-524501439.exe | malicious | Unknown | 5.75.168.191
HETZNER-ASDE | getscreen-524501439.exe | malicious | Unknown | 78.47.165.25
HETZNER-ASDE | ny9LDJr6pA.exe | malicious | Quasar | 195.201.57.90
HETZNER-ASDE | 2.elf | malicious | Unknown | 213.133.114.151
HETZNER-ASDE | ZT0KQ1PC.exe | malicious | PureLog Stealer, Vidar | 116.203.13.109
HETZNER-ASDE | cZO.exe | malicious | Unknown | 128.140.43.40
HETZNER-ASDE | jaTDEkWCbs.exe | malicious | Quasar | 195.201.57.90
HETZNER-ASDE | NpHauDPoR8.exe | malicious | Unknown | 88.198.29.97
HETZNER-ASDE | armv6l.elf | malicious | Mirai | 85.10.220.49
HETZNER-ASDE | 1.elf | malicious | Unknown | 138.201.212.111
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              File Type:ASCII text
                                              Category:modified
                                              Size (bytes):17176
                                              Entropy (8bit):5.566484791748164
                                              Encrypted:false
                                              SSDEEP:384:vY2xnweKk37+fq2iekLnvE19pwDConpwDCohwDCoHeFpwDConpwDCo/wDCopeaeV:aRPt
                                              MD5:6142CAC77A79F868877301123F96B9B2
                                              SHA1:F3AA44C6A5BD1A6D946DACD51A4A457CAB2B17C5
                                              SHA-256:BFE947EA3B3DF70048863B04D3253614FD426FD9CF814CCAC65722EC0C8A2BF7
                                              SHA-512:D3AE1CBADB8E8A032E36BB0EA447399070335B70E95144E176196763EFD0A96F6236FF393E670878636BE07AA0BA978B15FF62C6B6A12038E0F993B9187BE386
                                              Malicious:false
                                              Reputation:low
                                              Preview:Filename.: getscreen-524501439-x86.exe-2d1d180af8b4800fec786aa9dc52a1f20a42b218.crash.SHA1..: 2d1d180af8b4800fec786aa9dc52a1f20a42b218.Time..: 2025.1.6 5:32.Program..: Getscreen.me.Version..: 3.1.5.OS...: Windows 10 build 19045, x86.BIOS..: .Explorer.: 11.789.19041.0.Processors.: 0 x .Video..: .Computer.: .Memory..: 2 free of 8 Gb.Handles..: 447.Image Base.: 0x400000..Exception.: 0xC0000005 at 0x00E67071 (getscreen-524501439-x86.exe.$0x547071)..Modules...: C:\Users\user\Desktop\getscreen-524501439-x86.exe (3.1.5.0)...: C:\Windows\SYSTEM32\ntdll.dll (10.0.19041.1949)...: C:\Windows\System32\KERNEL32.DLL (10.0.19041.1889)...: C:\Windows\System32\KERNELBASE.dll (10.0.19041.2006)...: C:\Windows\System32\ADVAPI32.dll (10.0.19041.1682)...: C:\Windows\System32\msvcrt.dll (7.0.19041.546)...: C:\Windows\System32\sechost.dll (10.0.19041.1865)...: C:\Windows\System32\RPCRT4.dll (10.0.19041.1806)...: C:\Windows\System32\COMDLG32.dll (10.0.19041.1806)...: C:\Windows\System32\combase.dll (10.0.1904
                                              Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):5.8125
                                              Encrypted:false
                                              SSDEEP:3:BvlDkmb9sXr8sq6IOM+C8uzP:HaXr8sbRJuj
                                              MD5:27BA78B0F0105A18808CEF9951C52F8B
                                              SHA1:87D9262CB49430CAF55290C84E8F32086BBB9DA4
                                              SHA-256:2A8DA4FDD38E975230EB72968AD2BD91CFD770D72E139B1540343F9553D3669C
                                              SHA-512:5B31A8CC0AED5FD3E6D5ADDDB2EFDD8786B5E906A2AD577C408F04C2EF21B790A31C7F8EE29595274817026424497A10222F0266AF22DC585AE2D44FE68CF676
                                              Malicious:false
                                              Reputation:low
                                              Preview:...J.+.q....:.Oa.A.C!.C5.o.&.."....,.6.<.....2.@\.%.+.#.K.jK..
                                              Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):851
                                              Entropy (8bit):4.927708808825302
                                              Encrypted:false
                                              SSDEEP:24:Tl8zA7YG8zA7YR8zA7Y3ygATHHTHNMspuQ9fH+:TSzsKzsHzs8Ge
                                              MD5:0BF55392461DD43EF23E06B4186B4300
                                              SHA1:E3753510A20BDC28C7951DD81743F2FE1AFD9842
                                              SHA-256:EC8CA023907CA2B483970C3D8BFC240D2B13B7A174A3205FC7E0E9A937682C4A
                                              SHA-512:86B5D532AB4BDB2AF3F05AA79CCDF41F2E6CE312106CD17130F9643FE6D1DCAAAD119B3417AD7255228BFE8DA2F00F387696930952667E56CFADFA190CE58987
                                              Malicious:false
                                              Reputation:low
                                              Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..06:35:40.541.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1024-0:1280 desktop: 0:1024-0:1280..06:35:40.544.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1024-0:1280 desktop: 0:1024-0:1280..06:35:40.544.INFO.BlackScreen initialized..06:35:40.544.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1024-0:1280 desktop: 0:1024-0:1280..06:35:40.545.INFO.Capture select monitor '\\.\DISPLAY1'..06:35:40.640.INFO.Capture set frame rate to 30..06:35:40.640.INFO.Child frame mark off..06:35:40.640.INFO.FrameMark hide frame..06:35:44.542.INFO.Opus compress stop..06:35:44.542.INFO.Capture capture stopped..06:35:44.547.INFO.Child get stop message..
                                              Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):2956
                                              Entropy (8bit):4.848140186362935
                                              Encrypted:false
                                              SSDEEP:24:TnS2bQXRtu18Bd1PWZGUAxxr+nyRuhB9LB5756:TnVbus8ZeZj4xr9sHL/16
                                              MD5:2C392BB28CB2FB44447971F21A3DF189
                                              SHA1:328722BF4E6AD88D3E70EA1DF28256671E59390D
                                              SHA-256:368C0E31A80629C6302FF361A7DF5CAB87B065095F0A85A9436BE9CC91A0710E
                                              SHA-512:129D84C4BC6C566180BF9B1526E8640616DE276FFDEE20973BEC1FE79874CB1B9F3747598760A5BDAD2D6AD052FC70CDFA99AB31A4CD75A82B2795810B3DEB06
                                              Malicious:false
                                              Reputation:low
                                              Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..06:35:39.944.INFO.Gui GUI started..06:35:40.082.INFO.Gui load data: 'this://app/main-turbo.htm'..06:35:40.121.INFO.Gui load data: 'this://app/common/zepto.min.js'..06:35:40.126.INFO.Gui load data: 'this://app/common/sciter.js'..06:35:40.130.INFO.Gui load data: 'this://app/ico/favicon.ico'..06:35:40.224.INFO.Gui document ready..06:35:40.252.INFO.Gui load data: 'this://app/lang/en.json'..06:35:40.256.INFO.Gui send event event-application-status: {"value":"connecting"}'..06:35:40.256.INFO.Gui send event event-install-status: {"value":false}'..06:35:40.271.INFO.Gui send event event-domain: {"value":""}'..06:35:40.271.INFO.Gui send event event-fastaccess-url: {"value":""}'..06:35:40.272.INFO.Gui send event event-fastaccess-code: {"value":""}'..06:35:40.272.INFO.Gui send eve
                                              Process:C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):2607
                                              Entropy (8bit):5.1576476784288525
                                              Encrypted:false
                                              SSDEEP:48:T0Gzt9b7JMi41kJIzupJIzOOJIAHDsycz3IzRzVebQGEnvmdBVue7cz3IzRzljCH:oz+qJIAH4yZecGkmtue7TljWR
                                              MD5:25FFDE71D86C666E695C44A80F933F84
                                              SHA1:4029BCD97A6766C463D417FC8EA129782163A530
                                              SHA-256:843F19E355AA43788D1D319AD41FF3FDD5C8384A0E045E4537BA3295DD56199F
                                              SHA-512:FAA06F49F2AEE8160F7727509AA7D2D3FC0E642A31DEFEB8B42E1BDDA5810EAE63A877E6AE03FBE6F184AE3125F59FB24DD3B1C8E16FF52EB5D39339EDB6B305
                                              Malicious:false
                                              Reputation:low
                                              Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..06:35:37.040.INFO.Server start server run....06:35:37.041.INFO.Start Getscreen.me v 3.1.5 build 228 revision 0..06:35:37.390.ERROR.Service service 'GetscreenSV' not found..06:35:37.548.INFO.Service service 'GetscreenSV' installed..06:35:37.871.INFO.Service service 'GetscreenSV' start success..06:35:37.870.INFO.Service get control message 1..06:35:37.882.INFO.Capture capture stopped..06:35:37.888.INFO.FrameMark hide frame..06:35:38.410.INFO.Service service 'GetscreenSV' stop [0] (87)..06:35:38.921.INFO.Service service 'GetscreenSV' removed..06:35:38.944.INFO.Child success get system token..06:35:38.951.INFO.Child start child process simply..06:35:38.954.INFO.Shared remove shared memory 0000pipe0PCommand96eieqezmjalfqqnelp2z2wodzq3242d..06:35:38.957.INFO.Shared create shared memory 0000pipe0PCommand96eieqez
                                              Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):16777512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:8CCA8765BA082ECC53E001B1D237A8EE
                                              SHA1:DE616FFC2282B6E4D6D2EC1524DCBE2CD8F270F7
                                              SHA-256:46D9D79B8BE089ABF16344F1E491613D6710B051EC184A69AC183C349BD71746
                                              SHA-512:9D884A535930529684E88DDB3AEA26964A5CA984CC07DE6EFE2BFDA6CA5F5D437C521E61ACED07E9379A8337BB1892F13CA67592D8E1E6673CCDBBD89E17DE40
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                              Category:dropped
                                              Size (bytes):6861600
                                              Entropy (8bit):7.933317188904972
                                              Encrypted:false
                                              SSDEEP:98304:0sNRNZcoXvT3UZxDVofOu1jL3ioeg1dWosvu460B18uxYZHCDUuT:tNRN2oXrErVgRioegbWnvun9uxYZg1
                                              MD5:294AD9E8EAD4DCF6EAFEC6BF5463168B
                                              SHA1:40143D13EDB136F582F2622565AFBDA9E035D5D7
                                              SHA-256:A66D219A6E5A068EDC5B3E06DC1412454CE69BAC0419E43D4D8C0620AE3D79E8
                                              SHA-512:B18AE589197EEB2CC000653466B183F133865EC9207A48EC0C6237EBB45A25F78D702390DC32D45E9C6FB84C894C2FD7A515C7CC826DD1818506AC85E51CC881
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$............................+......+.........3......d...........+......+..........4.............................#....,......,......,......k.....,.....Rich...................PE..L...*..g...............(.`h..0......`........ ....@..........................P.......]i...@..............................U..8C....... ..8#............h. /...J..(...........................|.......d...............................................UPX0....................................UPX1.....`h......Th.................@....rsrc....0... ...,...Xh.............@......................................................................................................................................................................................................................................................................................................................4.22.UPX!....
                                              Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1310720
                                              Entropy (8bit):1.3073435323819265
                                              Encrypted:false
                                              SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrg:KooCEYhgYEL0In
                                              MD5:D14AF96C1146B543C83BAB33FE8D42A1
                                              SHA1:C4F8A1CA2EF4EE0A9EB10EC2F1124C87440C56AD
                                              SHA-256:F611CEEAEEC340BDC1A6694AB4A353D38B858CF1E5E02C150BD56887212D504D
                                              SHA-512:68A514B776D3F8D3ECA668F22913719D8AA4650D8B1646F0E3FAB92BA22F591E78DA5CA471098986713DEF8583599347FCCAC9234F69BEB99B985447B7798EF9
                                              Malicious:false
                                              Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x427f907f, page size 16384, DirtyShutdown, Windows version 10.0
                                              Category:dropped
                                              Size (bytes):1310720
                                              Entropy (8bit):0.42212599599117906
                                              Encrypted:false
                                              SSDEEP:1536:RSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Raza/vMUM2Uvz7DO
                                              MD5:11A1BBD145236C97429A812CA361F89A
                                              SHA1:A7A7B689A8F98C20073A54B210FC3430C316B81F
                                              SHA-256:36A0EE3F3B4C0F4A489008BFC3779B4B2F7832344327975B5EF10BCCFD219A42
                                              SHA-512:618C6B13E662B60624C377EBA2B63A3F9E283955847646FC2749CABB4537A978C078A85199DA1F9E24AFD6168416E8D9AB18DAEE82DDE37A9F55DF651D2FA8E5
                                              Malicious:false
                                              Preview:B...... .......A.......X\...;...{......................0.!..........{A.. ...}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{....................................~. ...}...................i... ...}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):16384
                                              Entropy (8bit):0.07701644798260271
                                              Encrypted:false
                                              SSDEEP:3:YtGEYeQGOCYvCjn13a/C/gYjZt/ollcVO/lnlZMxZNQl:YtdzDQa53qCbNtAOewk
                                              MD5:E748A10EB1B4DD2DE4C11537F06287F1
                                              SHA1:A37B9642D5BED9DDC007E0D63953643BD3FDE807
                                              SHA-256:155CA415A0CE365C454BB58F873401F6C75BB422C67112CC86969E84243CCF57
                                              SHA-512:350196E2425696AC09EB0242257A775433759D511C930C6AFFC7D2DC62223D894D30AD999A60977F940F6DA4FF599E5769D0CE1B0667F51DDF01818162925160
                                              Malicious:false
                                              Preview:.*h......................................;...{... ...}.......{A..............{A......{A..........{A].................i... ...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):5.738204882778696
                                              Encrypted:false
                                              SSDEEP:3:BvlDkmb9sXr8sq6IOMpFl8g:HaXr8sbROFz
                                              MD5:4C59E35F332FDB9107C164CE0696C1F0
                                              SHA1:76962B21CCB24D1D293C40A2D945BB0C458CC0E6
                                              SHA-256:8C8AF59F8243A0E34D79802CA603A4C20D304C4551C211CDD54578F14FAA5E13
                                              SHA-512:056D04C634EFBFEAE118027F0C4306A0992A86356603E3358C9580B8EF3863D3068861F30B5C47EAD5B6186E569EA357064543AA1E796D86E50FA7E2E968E36D
                                              Malicious:false
                                              Preview:...J.+.q....:.Oa.A.C!.C5.o.&.."....,.6.<.....2.8UO..u.C/.A{;
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):55
                                              Entropy (8bit):4.306461250274409
                                              Encrypted:false
                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                              Malicious:false
                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                              Entropy (8bit):7.933317188904972
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.66%
                                              • UPX compressed Win32 Executable (30571/9) 0.30%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:getscreen-524501439-x86.exe
                                              File size:6'861'600 bytes
                                              MD5:294ad9e8ead4dcf6eafec6bf5463168b
                                              SHA1:40143d13edb136f582f2622565afbda9e035d5d7
                                              SHA256:a66d219a6e5a068edc5b3e06dc1412454ce69bac0419e43d4d8c0620ae3d79e8
                                              SHA512:b18ae589197eeb2cc000653466b183f133865ec9207a48ec0c6237ebb45a25f78d702390dc32d45e9c6fb84c894c2fd7a515c7cc826dd1818506ac85e51cc881
                                              SSDEEP:98304:0sNRNZcoXvT3UZxDVofOu1jL3ioeg1dWosvu460B18uxYZHCDUuT:tNRN2oXrErVgRioegbWnvun9uxYZg1
                                              TLSH:AA66339AFE1F1B0CD197ECBC7F1DBF24A214AE42B4960458E77E8312A4B4F1521A593C
                                              File Content Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$................................+.......+..........3.......d............+.......+..........4...............................#....,.....
                                              Icon Hash:418c6963696c9643
                                              Entrypoint:0x2450c60
                                              Entrypoint Section:UPX1
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6717892A [Tue Oct 22 11:14:50 2024 UTC]
                                              TLS Callbacks:0x2450e5b
                                              CLR (.Net) Version:
                                              OS Version Major:6
                                              OS Version Minor:0
                                              File Version Major:6
                                              File Version Minor:0
                                              Subsystem Version Major:6
                                              Subsystem Version Minor:0
                                              Import Hash:3489ede818bf2156dcaa5da003e7e8cb
                                              Signature Valid:true
                                              Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                              Signature Validation Error:The operation completed successfully
                                              Error Number:0
Not Before: 28/05/2024 14:50:28
Not After: 28/06/2026 15:36:10
                                              Subject Chain
                                              • CN=POINT B LTD, O=POINT B LTD, L=Limassol, S=Limassol, C=CY, OID.1.3.6.1.4.1.311.60.2.1.3=CY, SERIALNUMBER=HE 430957, OID.2.5.4.15=Private Organization
                                              Version:3
                                              Thumbprint MD5:9B083870477F4699693EEECABF351BF8
                                              Thumbprint SHA-1:B3C999E29AED18DEA59733F3CAA94E788B1AC3A1
                                              Thumbprint SHA-256:3E73B7C28C18DC6A03B9816F200365F1DF1FF80A7BD0D55DB920F1B24BBD74E7
                                              Serial:7AE0E9C1CFE2DCE0E21C4327
                                              Instruction
                                              pushad
                                              mov esi, 01DCC000h
                                              lea edi, dword ptr [esi-019CB000h]
                                              push edi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1001ef0 | 0x5500 | UPX0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2054338 | 0x7ac | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2052000 | 0x2338 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x688400 | 0x2f20 | UPX0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2054ae4 | 0x28 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2050e7c | 0x18 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2051164 | 0xc0 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x19cb000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x19cc000 | 0x686000 | 0x685400 | 64d91f24b3bf91e1625badc12f4b6efe | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2052000 | 0x3000 | 0x2c00 | 4fad813d5f039aac2f1feaf707703375 | False | 0.5697798295454546 | data | 6.067564215606164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x1f2a9e0 | 0x2 | Non-ISO extended-ASCII text, with no line terminators | Russian | Russia | 5.0
INI | 0x1f58d18 | 0xa | data | Russian | Russia | 1.8
LANG | 0x1f2d920 | 0x21ec | data | Russian | Russia | 0.9869875633348687
LANG | 0x1f2fb10 | 0x33d9 | data | Russian | Russia | 0.9900549988698862
LANG | 0x1f32ef0 | 0x2454 | data | Russian | Russia | 0.9904301075268818
LANG | 0x1f35348 | 0x25b3 | data | Russian | Russia | 0.9894311470313957
LANG | 0x1f37900 | 0x2454 | data | Russian | Russia | 0.9876344086021506
LANG | 0x1f39d58 | 0x289b | data | Russian | Russia | 0.9887445887445887
LANG | 0x1f3c5f8 | 0x252c | data | Russian | Russia | 0.9790878520386717
LANG | 0x1f3eb28 | 0x1f5f | data | Russian | Russia | 0.9078570539160752
LANG | 0x1f40a88 | 0x23ce | data | Russian | Russia | 0.9837442723107135
LANG | 0x1f42e58 | 0x242e | data | Russian | Russia | 0.9904988123515439
LANG | 0x1f59d00 | 0x2499 | data | English | United States | 0.9866581278685025
OPUS | 0x1f45288 | 0xa5e5 | data | Russian | Russia | 0.9797970284207305
OPUS | 0x1f4f870 | 0x94a4 | data | Russian | Russia | 0.9879901187848208
RT_ICON | 0x1f2a9e8 | 0x139 | data | Russian | Russia | 1.035143769968051
RT_ICON | 0x1f2ab28 | 0x1ef | data | Russian | Russia | 1.0222222222222221
RT_ICON | 0x1f2ad18 | 0x225 | data | Russian | Russia | 1.0200364298724955
RT_ICON | 0x1f2af40 | 0x26b | data | Russian | Russia | 1.0177705977382876
RT_ICON | 0x1f2b1b0 | 0x326 | data | Russian | Russia | 1.0136476426799008
RT_ICON | 0x1f2b4d8 | 0x402 | data | Russian | Russia | 1.010721247563353
RT_ICON | 0x20529e0 | 0x13b | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.034920634920635
RT_ICON | 0x2052b20 | 0x1c5 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0242825607064017
RT_ICON | 0x2052cec | 0x1ee | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0222672064777327
RT_ICON | 0x2052ee0 | 0x253 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0184873949579831
RT_ICON | 0x2053138 | 0x2e7 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0148048452220726
RT_ICON | 0x2053424 | 0x3ad | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0116896918172158
RT_ICON | 0x1f2c788 | 0x159 | data | Russian | Russia | 1.0318840579710145
RT_ICON | 0x1f2c8e8 | 0x1e6 | data | Russian | Russia | 1.022633744855967
RT_ICON | 0x1f2cad0 | 0x1f6 | data | Russian | Russia | 1.0219123505976095
RT_ICON | 0x1f2ccc8 | 0x26d | data | Russian | Russia | 1.0177133655394526
RT_ICON | 0x1f2cf38 | 0x31b | data | Russian | Russia | 0.9106918238993711
RT_ICON | 0x1f2d258 | 0x3e7 | data | Russian | Russia | 0.93993993993994
RT_ICON | 0x1f58d28 | 0x163 | data | | | 1.0309859154929577
RT_ICON | 0x1f58e90 | 0x20d | data | | | 1.020952380952381
RT_ICON | 0x1f590a0 | 0x21b | data | | | 1.0204081632653061
RT_ICON | 0x1f592c0 | 0x282 | data | | | 1.017133956386293
RT_ICON | 0x1f59548 | 0x33c | data | | | 1.0132850241545894
RT_ICON | 0x1f59888 | 0x413 | data | | | 1.0105465004793863
RT_STRING | 0x1f5c1a0 | 0x38 | data | Russian | Russia | 1.1964285714285714
RT_GROUP_ICON | 0x20537d8 | 0x5a | data | Russian | Russia | 0.8
RT_GROUP_ICON | 0x1f2b8e0 | 0x5a | Dyalog APL DFS component file 64-bit level 1 journaled checksummed version -44.94 | Russian | Russia | 1.1222222222222222
RT_GROUP_ICON | 0x1f59ca0 | 0x5a | data | | | 1.1222222222222222
RT_GROUP_ICON | 0x1f2d640 | 0x5a | data | Russian | Russia | 1.1222222222222222
RT_VERSION | 0x2053838 | 0x27c | data | Russian | Russia | 0.4748427672955975
RT_MANIFEST | 0x2053ab8 | 0x87f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2115), with CRLF line terminators | English | United States | 0.31264367816091954
DLL | Import
ADVAPI32.dll | FreeSid
COMCTL32.dll | ImageList_DrawEx
COMDLG32.dll | PrintDlgW
d3d11.dll | D3D11CreateDevice
dbghelp.dll | StackWalk
dxgi.dll | CreateDXGIFactory1
GDI32.dll | LineTo
gdiplus.dll | GdipFree
IMM32.dll | ImmIsIME
IPHLPAPI.DLL | GetIfEntry2
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
MPR.dll | WNetGetConnectionW
msdmo.dll | MoInitMediaType
msi.dll |
NETAPI32.dll | NetUserGetInfo
ntdll.dll | RtlGetVersion
NTDSAPI.dll | DsMakeSpnW
ole32.dll | DoDragDrop
OLEACC.dll | LresultFromObject
OLEAUT32.dll | SafeArrayDestroy
POWRPROF.dll | PowerGetActiveScheme
RPCRT4.dll | UuidEqual
SAS.dll | SendSAS
Secur32.dll | DeleteSecurityContext
SHELL32.dll |
SHLWAPI.dll | PathIsRelativeA
USER32.dll | GetDC
USERENV.dll | CreateEnvironmentBlock
USP10.dll | ScriptShape
VERSION.dll | VerQueryValueW
WINHTTP.dll | WinHttpOpen
WININET.dll | InternetOpenA
WINMM.dll | waveInOpen
WINSPOOL.DRV |
WS2_32.dll | ioctlsocket
WTSAPI32.dll | WTSFreeMemory
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 06:32:02.520267010 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:02.520308018 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 06:32:02.520382881 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:02.520888090 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:02.520903111 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 06:32:03.181205034 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 06:32:03.181848049 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:03.181865931 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 06:32:03.183186054 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 06:32:03.183295012 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:03.184966087 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:03.185029984 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 06:32:03.185106993 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:03.185112000 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 06:32:03.234020948 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:03.512407064 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 06:32:03.512471914 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Jan 6, 2025 06:32:03.512556076 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:03.533814907 CET | 49732 | 443 | 192.168.2.4 | 78.47.165.25
Jan 6, 2025 06:32:03.533833981 CET | 443 | 49732 | 78.47.165.25 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 06:32:02.510356903 CET | 65508 | 53 | 192.168.2.4 | 1.1.1.1
Jan 6, 2025 06:32:02.517379999 CET | 53 | 65508 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 6, 2025 06:32:02.510356903 CET | 192.168.2.4 | 1.1.1.1 | 0x81ee | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 06:32:02.517379999 CET | 1.1.1.1 | 192.168.2.4 | 0x81ee | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 06:32:02.517379999 CET | 1.1.1.1 | 192.168.2.4 | 0x81ee | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 06:32:02.517379999 CET | 1.1.1.1 | 192.168.2.4 | 0x81ee | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
                                              • getscreen.me
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 78.47.165.25 | 443 | 4828 | C:\Users\user\Desktop\getscreen-524501439-x86.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-06 05:32:03 UTC | 361 | OUT | GET /signal/agent HTTP/1.1
Host: getscreen.me
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://getscreen.me
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
User-Agent: Getscreen.me/3.1.5 (Win, getscreen.me, 228)
2025-01-06 05:32:03 UTC | 354 | IN | HTTP/1.1 400 Bad Request
access-control-expose-headers: X-Js-Cache
content-type: text/plain; charset=utf-8
sec-websocket-version: 13
x-content-type-options: nosniff
x-js-cache: ff865bcc32999ce12f2e4c6aa33a641b
date: Mon, 06 Jan 2025 05:32:03 GMT
content-length: 12
x-envoy-upstream-service-time: 4
server: lb1.getscreen.me
connection: close
2025-01-06 05:32:03 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
Data Ascii: Bad Request

                                              Target ID:0
                                              Start time:00:31:58
                                              Start date:06/01/2025
                                              Path:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\getscreen-524501439-x86.exe"
                                              Imagebase:0x920000
                                              File size:6'861'600 bytes
                                              MD5 hash:294AD9E8EAD4DCF6EAFEC6BF5463168B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:00:31:59
                                              Start date:06/01/2025
                                              Path:C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\ProgramData\Getscreen.me\zwvztpbbwxeyisrxsphxsxjmazygqyh-elevate.exe" -elevate \\.\pipe\elevateGS512zwvztpbbwxeyisrxsphxsxjmazygqyh
                                              Imagebase:0x270000
                                              File size:6'861'600 bytes
                                              MD5 hash:294AD9E8EAD4DCF6EAFEC6BF5463168B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:00:32:01
                                              Start date:06/01/2025
                                              Path:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\getscreen-524501439-x86.exe" -gpipe \\.\pipe\PCommand97rzbqvsaxpfdgvui -gui
                                              Imagebase:0x920000
                                              File size:6'861'600 bytes
                                              MD5 hash:294AD9E8EAD4DCF6EAFEC6BF5463168B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:00:32:01
                                              Start date:06/01/2025
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                                              Imagebase:0x7ff6eef20000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:4
                                              Start time:00:32:01
                                              Start date:06/01/2025
                                              Path:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96eieqezmjalfqqne -cmem 0000pipe0PCommand96eieqezmjalfqqnelp2z2wodzq3242d -child
                                              Imagebase:0x920000
                                              File size:6'861'600 bytes
                                              MD5 hash:294AD9E8EAD4DCF6EAFEC6BF5463168B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:5
                                              Start time:00:32:02
                                              Start date:06/01/2025
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                              Imagebase:0x7ff6eef20000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              No disassembly