
Windows Analysis Report
getscreen-524501439-x86.exe

Overview

General Information

Sample name: getscreen-524501439-x86.exe
Analysis ID: 1584658
MD5: 294ad9e8ead4dcf6eafec6bf5463168b
SHA1: 40143d13edb136f582f2622565afbda9e035d5d7
SHA256: a66d219a6e5a068edc5b3e06dc1412454ce69bac0419e43d4d8c0620ae3d79e8

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Keylogger Generic

Classification

  • System is w10x64native
  • getscreen-524501439-x86.exe (PID: 4656 cmdline: "C:\Users\user\Desktop\getscreen-524501439-x86.exe" MD5: 294AD9E8EAD4DCF6EAFEC6BF5463168B)
    • getscreen-524501439-x86.exe (PID: 5364 cmdline: "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -gpipe \\.\pipe\PCommand97dvigngdgqwehnip -gui MD5: 294AD9E8EAD4DCF6EAFEC6BF5463168B)
    • getscreen-524501439-x86.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96cwjlbipmvmcfjcu -cmem 0000pipe0PCommand96cwjlbipmvmcfjcugs6l75ufcak3meh -child MD5: 294AD9E8EAD4DCF6EAFEC6BF5463168B)
  • upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe (PID: 1380 cmdline: "C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe" -elevate \\.\pipe\elevateGS512upbvylsrnawdqypxwwbrupmvdvvwzyz MD5: 294AD9E8EAD4DCF6EAFEC6BF5463168B)
  • svchost.exe (PID: 3436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup
No configs have been found
Source: Process Memory Space: getscreen-524501439-x86.exe PID: 4656
Rule: JoeSecurity_Keylogger_Generic
Description: Yara detected Keylogger Generic
Author: Joe Security
    Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 928, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 3436, ProcessName: svchost.exe
    No Suricata rule has matched


    Compliance

    Source: getscreen-524501439-x86.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: getscreen-524501439-x86.exe, Static PE information: certificate valid
    Source: getscreen-524501439-x86.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: MMDevAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000999E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009756000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FWPolicyIOMgr.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wimm32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.0000000008272000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009DF3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreMessaging.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdbGetR_ source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\samlib.pdb\**' source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdbi+ source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A152000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A26D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdbrfac source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A152000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000968E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000764D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MpOAV.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A20A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdb\* source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbiN source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.00000000091FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009693000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wmswsock.pdbdbS source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009515000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.000000000920C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdbb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbpo source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\winsta.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.00000000091F0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.00000000082D8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdbRd source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Joe Sandbox View | IP Address: 78.47.165.25
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected:
        GET /signal/agent HTTP/1.1
        Host: getscreen.me
        Upgrade: websocket
        Connection: Upgrade
        Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
        Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
        Origin: https://getscreen.me
        Sec-WebSocket-Protocol: chat, superchat
        Sec-WebSocket-Version: 13
        User-Agent: Getscreen.me/3.1.5 (Win, getscreen.me, 228)
    Source: global traffic | DNS traffic detected: DNS query: getscreen.me
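The agent's signalling handshake above deserves a closer look from a detection standpoint. Its Sec-WebSocket-Key is dGhlIHNhbXBsZSBub25jZQ==, base64 for "the sample nonce", which is the literal example key from RFC 6455 section 1.3 (the "chat, superchat" subprotocol list comes from the same example), whereas the RFC requires a fresh random 16-byte nonce per connection; together with the User-Agent this makes the client easy to fingerprint. The Python below is an added example, not code from the report or from Getscreen.me: it parses the handshake (reconstructed here from the report, with the line breaks restored), checks the key against the RFC sample, computes the Sec-WebSocket-Accept value the server would have to return, and extracts the indicators a rule would key on. Because the request travels inside TLS on port 443, a plain network tap only sees the DNS lookup and SNI for getscreen.me; the header-level check assumes a TLS-inspecting proxy or an endpoint-side capture.

```python
import base64
import hashlib
import re

# Constructed from the handshake shown in this report; "\r\n" line endings
# restored, because the report flattens the headers onto one line.
AGENT_HANDSHAKE = (
    "GET /signal/agent HTTP/1.1\r\n"
    "Host: getscreen.me\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: https://getscreen.me\r\n"
    "Sec-WebSocket-Protocol: chat, superchat\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "User-Agent: Getscreen.me/3.1.5 (Win, getscreen.me, 228)\r\n"
    "\r\n"
)

# Fixed GUID from RFC 6455 section 4.2.2, used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# The example key from RFC 6455 section 1.3 (base64 of "the sample nonce").
RFC_SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
# User-Agent shape seen in this report: Getscreen.me/<version> (<platform details>)
UA_RE = re.compile(r"^Getscreen\.me/(\d+(?:\.\d+)*) \(([^)]*)\)$")


def parse_handshake(raw: str) -> dict:
    """Split an HTTP/1.1 upgrade request into its request line and lower-cased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for this key (RFC 6455 section 4.2.2)."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def key_is_valid_nonce(key: str) -> bool:
    """RFC 6455 section 4.1: the key must be base64 of exactly 16 bytes (binascii.Error is a ValueError)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except ValueError:
        return False


def fingerprint(raw: str) -> dict:
    """Classify one upgrade request; returns the indicators a detection rule would key on."""
    req = parse_handshake(raw)
    h = req["headers"]
    key = h.get("sec-websocket-key", "")
    ua = UA_RE.match(h.get("user-agent", ""))
    return {
        "is_websocket_upgrade": h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in h.get("connection", "").lower(),
        "host": h.get("host"),
        "path": req["target"],
        "agent_version": ua.group(1) if ua else None,
        "agent_platform": ua.group(2) if ua else None,
        # Format-valid nonce, but the static RFC example: a stable network fingerprint.
        "key_is_rfc_sample": key == RFC_SAMPLE_KEY,
        "key_is_valid_nonce": key_is_valid_nonce(key),
        "subprotocols": [p.strip() for p in h.get("sec-websocket-protocol", "").split(",") if p.strip()],
        "expected_accept": expected_accept(key) if key else None,
    }


def is_getscreen_agent(raw: str) -> bool:
    """True when the request matches the agent signalling handshake observed in this report."""
    f = fingerprint(raw)
    return (f["is_websocket_upgrade"] and f["host"] == "getscreen.me"
            and f["path"] == "/signal/agent" and f["agent_version"] is not None)


if __name__ == "__main__":
    for name, value in fingerprint(AGENT_HANDSHAKE).items():
        print(f"{name:>20}: {value}")
```

A rule that keys only on the User-Agent is trivial for an operator to change; the static key and the /signal/agent path on the getscreen.me host are independent indicators, and the computed accept value lets a proxy confirm that the response really completed the upgrade.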
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://proxy.contoso.com:3128/
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
    Source: getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.g
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.ge
    Source: getscreen-524501439-x86.exe, 00000004.00000002.6148978081.0000000002959000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://docs.gets
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsa
    Source: getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsc
    Source: getscreen-524501439-x86.exe, 00000004.00000003.6144064297.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6149514809.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-
    Source: getscreen-524501439-x86.exe, 00000004.00000003.6143022764.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-policy/
    Source: getscreen-524501439-x86.exe, 00000004.00000003.6143022764.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/terms-of-use/
    Source: getscreen-524501439-x86.exe, 00000003.00000003.6108953540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000003.6158761650.0000000007907000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6170451232.0000000007909000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/user-guides/agent/
    Source: getscreen-524501439-x86.exe, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
    Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6127477570.0000000008691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_9f6587d8-8
    Source: Yara match | File source: Process Memory Space: getscreen-524501439-x86.exe PID: 4656, type: MEMORYSTR
    Source: getscreen-524501439-x86.exe, 00000000.00000000.6070286636.00000000025B2000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000000.00000002.6121722780.00000000025B2000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000003.00000000.6102286890.00000000025B2000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000003.00000002.6166777118.00000000025B2000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000004.00000000.6103083566.00000000025B2000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe, 00000004.00000002.6148873445.00000000025B2000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-524501439-x86.exe
    Source: getscreen-524501439-x86.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal51.evad.winEXE@8/11@1/1
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | File created: C:\Users\user\AppData\Local\Getscreen.me
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: getscreen-524501439-x86.exe | String found in binary or memory: mage=n,Window.this.trayIcon({image:n,text:this.title()}),Window.all.forEach(t=>t.icon=n)})}let E=!1;const j=new Set;var rt={init(){return document.onGlobalEvent("event-install-status",function(t){E=t.data.value,j.forEach(t=>t(E))}.bind(this)),this},get(){retur
    Source: getscreen-524501439-x86.exe | String found in binary or memory: function at(){Graphics.Image.load(""+__DIR__+function(){let t="ico/favicon.ico";switch(y.get()){case m.ACTIVE:t="ico/active.ico";break;case m.UNKNOWN:case m.ERROR:case m.CONNECTING:t="ico/stop.ico";break;case m.STOP:t="ico/black.ico";break;default:t="ico/favic
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | File read: C:\Users\user\Desktop\getscreen-524501439-x86.exe
    Source: unknown | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe"
    Source: unknown | Process created: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe "C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe" -elevate \\.\pipe\elevateGS512upbvylsrnawdqypxwwbrupmvdvvwzyz
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -gpipe \\.\pipe\PCommand97dvigngdgqwehnip -gui
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96cwjlbipmvmcfjcu -cmem 0000pipe0PCommand96cwjlbipmvmcfjcugs6l75ufcak3meh -child
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96cwjlbipmvmcfjcu -cmem 0000pipe0PCommand96cwjlbipmvmcfjcugs6l75ufcak3meh -child
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dsparse.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: firewallapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: fwbase.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mmdevapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: devobj.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: avrt.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mfwmaaec.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mfperfhelper.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: audioses.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: avrt.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: windows.ui.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: windowmanagementapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: inputhost.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winsta.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: samlib.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: symsrv.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: d3d11.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: dbghelp.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: dxgi.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: iphlpapi.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: mpr.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: msdmo.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: msi.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: netapi32.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: ntdsapi.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: oleacc.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: powrprof.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: sas.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: secur32.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: userenv.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: usp10.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: version.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: winhttp.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: wininet.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: winmm.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: wtsapi32.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: samcli.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: dsparse.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: sspicli.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: edgegdi.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: umpdc.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: cryptbase.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: netutils.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: kernel.appcore.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: windows.storage.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: wldp.dll
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: edgegdi.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: seclogon.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dsparse.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: d2d1.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dwrite.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dataexchange.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dcomp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: twinapi.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: directmanipulation.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: resourcepolicyclient.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dxcore.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mscms.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: coloradapterclient.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: icm32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: uiautomationcore.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: dsparse.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Section loaded: winsta.dll
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
    Source: getscreen-524501439-x86.exe | Static PE information: certificate valid
    Source: getscreen-524501439-x86.exe | Static file information: File size 6861600 > 1048576
    Source: getscreen-524501439-x86.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x685400
    Source: getscreen-524501439-x86.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wmswsock.pdbbyIc source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000763C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007814000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000987E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A1AD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000764D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: e3samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A20A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdbyPorts source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbA source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdbFwAd source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007647000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000008E38000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.000000000912F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.000000000918B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbi source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.000000000912F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\mfperfhelper.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009D98000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009575000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\avrt.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.000000000920C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdbed source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbtd source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.000000000918B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000987E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009FE5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fastprox.pdbsFw source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A20A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\TextInputFramework.pdbN source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbk source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbn5 source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.00000000098E1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wmswsock.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc.pdbbFw source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A268000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009A54000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000780F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000962D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.00000000081D9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000763C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009E4E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdbdbl source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.0000000008176000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A268000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.00000000081E4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000009206000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009693000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A1AD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009E4E000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004B90000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009B16000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\MpOAV.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009EB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MpOAV.pdbb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\Amsi.pdbll source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemcomn.pdbX source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.0000000008267000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wimm32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.0000000008272000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.00000000091F0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009C2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdbh source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\MMDevAPI.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009515000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdbug source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000008B3A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FWPolicyIOMgr.pdbdll.J source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A273000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6121869920.0000000002B3F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.000000000849B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000780F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000008B3A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.00000000081E4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fastprox.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009EB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WinTypes.pdbbE source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A03F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A273000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009FE5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A03F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.00000000098E1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009C88000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UMPDC.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000009206000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.000000000849B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\Win32\Release\getscreen.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: fwpuclnt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A26D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000008CB3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc.pdb\* source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbeAK source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009575000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb*; source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\ws2_32.pdbF source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb\* source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009B16000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000008A74000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.00000000081D9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009CE3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\Windows.UI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.00000000096FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdbb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009F21000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000968E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000008E38000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\twinapi.appcore.pdbR source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007738000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Kernel.Appcore.pdb~5 source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb\*w source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009D98000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreMessaging.pdb* source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007814000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.00000000096FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wmswsock.pdb\*yp source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007641000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.00000000081EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000008CB3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdbpv source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fastprox.pdbdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009DF3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Windows.Storage.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009CE3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007647000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009D3E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.0000000008A74000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000999E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007738000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009756000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fastprox.pdb* source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdb.5 source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\twinapi.appcore.pdb6 source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\TextInputFramework.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\exe\getscreen-524501439-x86.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wbemcomn.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winsta.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009F21000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009C88000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.00000000091FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.0000000008267000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdbui1 source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009D3E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-524501439-x86.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6121869920.0000000002A98000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009C2F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemcomn.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.0000000008176000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb$ source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.00000000081EA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.00000000082D8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000999E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009756000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FWPolicyIOMgr.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wimm32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.0000000008272000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009DF3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreMessaging.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdbGetR_ source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\samlib.pdb\**' source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdbi+ source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A152000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwpuclnt.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A26D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdbrfac source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A152000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000968E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000764D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MpOAV.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.000000000A20A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdb\* source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbiN source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.0000000007620000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dsparse.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.00000000091FB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009693000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wmswsock.pdbdbS source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6130251247.0000000009515000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.000000000920C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32.pdb( source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdbb source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbpo source: getscreen-524501439-x86.exe, 00000000.00000002.6125005102.000000000781C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\winsta.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6127956715.00000000091F0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-524501439-x86.exe, 00000000.00000002.6126158180.00000000082D8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdbRd source: getscreen-524501439-x86.exe, 00000000.00000002.6122763249.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp
    Source: upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe.0.dr Static PE information: real checksum: 0x695d88 should be: 0x6913d9
    Source: getscreen-524501439-x86.exe Static PE information: real checksum: 0x695d88 should be: 0x6913d9
    Source: initial sample Static PE information: section name: UPX0
    Source: initial sample Static PE information: section name: UPX1
    Source: initial sample Static PE information: section name: UPX0
    Source: initial sample Static PE information: section name: UPX1
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe File created: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe File created: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 8
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 8
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 7
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 7
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = &apos;True&apos;
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSystem information queried: FirmwareTableInformationJump to behavior
    Source: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exeSystem information queried: FirmwareTableInformationJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSystem information queried: FirmwareTableInformationJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeSystem information queried: FirmwareTableInformationJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe TID: 7488Thread sleep time: -30000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe TID: 7072Thread sleep count: 239 > 30Jump to behavior
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\Desktop\getscreen-524501439-x86.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
Source: getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
Source: getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VMnet
Source: upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
Source: getscreen-524501439-x86.exe, 00000003.00000003.6159995368.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000003.6144736770.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000003.6150025006.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000003.6160104055.0000000002BAA000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000003.6148266048.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6167456605.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000003.6162271099.0000000002BAD000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6167417577.0000000002BA4000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6166996613.0000000002B15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: getscreen-524501439-x86.exe, 00000000.00000002.6121869920.0000000002AD7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6090876147.0000000003177000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
Source: getscreen-524501439-x86.exe, 00000004.00000003.6142704034.0000000002D57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: kWebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Process queried: DebugPort
Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-524501439-x86.exe "C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96cwjlbipmvmcfjcu -cmem 0000pipe0PCommand96cwjlbipmvmcfjcugs6l75ufcak3meh -child
Source: getscreen-524501439-x86.exe, 00000000.00000002.6127477570.0000000008691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
Source: getscreen-524501439-x86.exe, 00000000.00000002.6127477570.0000000008691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\getscreen-524501439-x86.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
MITRE ATT&CK matrix (the rendered grid was lost in extraction; tactic columns left to right: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques flagged for this sample, each preceded by the numeric badge shown on the original page:
• Execution: 631 Windows Management Instrumentation; 2 Command and Scripting Interpreter
• Persistence: 1 DLL Side-Loading
• Privilege Escalation: 12 Process Injection; 1 DLL Side-Loading
• Defense Evasion: 1 Masquerading; 541 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
• Credential Access: 11 Input Capture
• Discovery: 731 Security Software Discovery; 541 Virtualization/Sandbox Evasion; 2 Process Discovery; 132 System Information Discovery
• Collection: 11 Input Capture
• Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol
No techniques were flagged under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
getscreen-524501439-x86.exe | 0% | ReversingLabs |
C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe | 0% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
https://docs.g | 0% | Avira URL Cloud | safe
http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
https://docs.getscreen.me/en/rules/privacy- | 0% | Avira URL Cloud | safe
https://docs.ge | 0% | Avira URL Cloud | safe
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | 0% | Avira URL Cloud | safe
https://docs.getscreen.me/en/rules/terms-of-use/ | 0% | Avira URL Cloud | safe
http://proxy.contoso.com:3128/ | 0% | Avira URL Cloud | safe
https://docs.getsa | 0% | Avira URL Cloud | safe
https://docs.getscreen.me/user-guides/agent/ | 0% | Avira URL Cloud | safe
https://docs.getsc | 0% | Avira URL Cloud | safe
https://docs.gets | 0% | Avira URL Cloud | safe
https://docs.getscreen.me/en/rules/privacy-policy/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
getscreen.me | 78.47.165.25 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://getscreen.me/signal/agent | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://docs.ge | getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://proxy.contoso.com:3128/ | getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/user-guides/agent/ | getscreen-524501439-x86.exe, 00000003.00000003.6108953540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000003.6158761650.0000000007907000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6170451232.0000000007909000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.winimage.com/zLibDll | getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.g | getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/en/rules/terms-of-use/ | getscreen-524501439-x86.exe, 00000004.00000003.6143022764.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getsc | getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getsa | getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000001345000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001D45000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000001345000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000001345000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/en/rules/privacy- | getscreen-524501439-x86.exe, 00000004.00000003.6144064297.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6149514809.0000000002D6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | getscreen-524501439-x86.exe, 00000000.00000002.6117736735.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe, 00000001.00000002.6086631653.0000000001961000.00000040.00000001.01000000.00000004.sdmp, getscreen-524501439-x86.exe, 00000003.00000002.6163082020.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, getscreen-524501439-x86.exe, 00000004.00000002.6144758915.0000000000F61000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.getscreen.me/en/rules/privacy-policy/ | getscreen-524501439-x86.exe, 00000004.00000003.6143022764.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.gets | getscreen-524501439-x86.exe, 00000004.00000002.6148978081.0000000002959000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
78.47.165.25 | getscreen.me | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584658
Start date and time: 2025-01-06 06:37:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected VM Detection
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: getscreen-524501439-x86.exe
Detection: MAL
Classification: mal51.evad.winEXE@8/11@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Execution Graph export aborted for target getscreen-524501439-x86.exe, PID 5364 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:39:28 | API Interceptor | 1x Sleep call for process: getscreen-524501439-x86.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
78.47.165.25 | getscreen-524501439.exe | malicious | Unknown
78.47.165.25 | getscreen-868841125.exe | malicious | Unknown
78.47.165.25 | getscreen-868841125.exe | malicious | Unknown
78.47.165.25 | getscreen-120727697-x86.exe | malicious | Unknown
78.47.165.25 | getscreen-669912037.exe | malicious | Unknown
78.47.165.25 | getscreen-456311346-x86.exe | malicious | Unknown
78.47.165.25 | getscreen-456311346-x86.exe | malicious | Unknown
78.47.165.25 | getscreen-941605629.exe | malicious | Unknown
78.47.165.25 | getscreen-941605629.exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
getscreen.me | getscreen-524501439.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-524501439.exe | malicious | Unknown | 78.47.165.25
getscreen.me | getscreen-868841125.exe | malicious | Unknown | 78.47.165.25
getscreen.me | getscreen-868841125.exe | malicious | Unknown | 51.89.95.37
getscreen.me | getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-227149269.exe | malicious | Unknown | 5.75.168.191
getscreen.me | getscreen-669912037.exe | malicious | Unknown | 51.89.95.37
getscreen.me | getscreen-120727697-x86.exe | malicious | Unknown | 51.89.95.37
getscreen.me | getscreen-669912037.exe | malicious | Unknown | 5.75.168.191
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | getscreen-524501439.exe | malicious | Unknown | 5.75.168.191
HETZNER-ASDE | getscreen-524501439.exe | malicious | Unknown | 78.47.165.25
HETZNER-ASDE | ny9LDJr6pA.exe | malicious | Quasar | 195.201.57.90
HETZNER-ASDE | 2.elf | malicious | Unknown | 213.133.114.151
HETZNER-ASDE | ZT0KQ1PC.exe | malicious | PureLog Stealer, Vidar | 116.203.13.109
HETZNER-ASDE | cZO.exe | malicious | Unknown | 128.140.43.40
HETZNER-ASDE | jaTDEkWCbs.exe | malicious | Quasar | 195.201.57.90
HETZNER-ASDE | NpHauDPoR8.exe | malicious | Unknown | 88.198.29.97
HETZNER-ASDE | armv6l.elf | malicious | Mirai | 85.10.220.49
No context
Process: C:\Users\user\Desktop\getscreen-524501439-x86.exe
File Type: ASCII text
Category: modified
Size (bytes): 17108
Entropy (8bit): 5.554597902240816
Encrypted: false
SSDEEP: 384:TIC/BNZn80csVaP1uDDr1saSyE8sVaP1vwVaP1s80sVaP1+sVaP1AVaP1n8y8stQ:B9nrdyRgsfgOj
MD5: 785930B1AE78FAEC235B5FFA87803F94
SHA1: 7F187B2249823FB1D21A107BE0E020CB820D7ECA
SHA-256: B639A9BDE96B24683B1F7FBE075BA4928C1FFB24CE954CC27756E0B14D1691DE
SHA-512: B7F1A08F72D4D8B9BD2395EE252935E92D3F9FF7FE1CADEC802399B007DE16D425CDB695182422E643045B3D9DAED6B3333DD5F423ED2345B3021DCAA23FD03F
Malicious: false
Reputation: low
                            Preview:Filename.: getscreen-524501439-x86.exe-285b1cd0b70eae8aa5b8535ecc445d7e0bcabc8d.crash.SHA1..: 285b1cd0b70eae8aa5b8535ecc445d7e0bcabc8d.Time..: 2025.1.6 5:39.Program..: Getscreen.me.Version..: 3.1.5.OS...: Windows 10 build 19042, x86.BIOS..: .Explorer.: 11.789.19041.0.Processors.: 0 x .Video..: .Computer.: .Memory..: 13 free of 15 Gb.Handles..: 446.Image Base.: 0x400000..Exception.: 0xC0000005 at 0x00AA7071 (getscreen-524501439-x86.exe.$0x547071)..Modules...: C:\Users\user\Desktop\getscreen-524501439-x86.exe (3.1.5.0)...: C:\Windows\SYSTEM32\ntdll.dll (10.0.19041.1110)...: C:\Windows\System32\KERNEL32.DLL (10.0.19041.1151)...: C:\Windows\System32\KERNELBASE.dll (10.0.19041.1151)...: C:\Windows\System32\ADVAPI32.dll (10.0.19041.1052)...: C:\Windows\System32\msvcrt.dll (7.0.19041.546)...: C:\Windows\System32\sechost.dll (10.0.19041.906)...: C:\Windows\System32\RPCRT4.dll (10.0.19041.1081)...: C:\Windows\System32\COMDLG32.dll (10.0.19041.906)...: C:\Windows\System32\combase.dll (10.0.190
Process: C:\Users\user\Desktop\getscreen-524501439-x86.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 5.8125
Encrypted: false
SSDEEP: 3:Bv4SceJIOM+C8uzP:X5RJuj
MD5: 95F0113DF083EE9551A44A5E9EB9FCE4
SHA1: 4CA953C3C132172CAE9BB3AE128D96A50EE390CC
SHA-256: 4C00C50478D07BD78A61EDC1125FB121163362E6AD8DD2DE56BACE1FAEC6E5BB
SHA-512: BF2BD0912EDC8E0A238D9CB70B38C72DD43FF4EF412A09F7B8E78A0259751B89FA1803F9C696006F7F83BF6319F697F53B9C21B9145C85A8B3BC66C82107CC31
Malicious: false
Reputation: low
                            Preview:...J.+.q....:.O>v_.['.....:.OE.....,.6.<.....2.@\.%.+.#.K.jK..
Process: C:\Users\user\Desktop\getscreen-524501439-x86.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 912
Entropy (8bit): 4.965418622120977
Encrypted: false
SSDEEP: 24:TG+3py8zA71Do8zA71D28zA71DzgAJHJMwjDi62:TG+3pzzszzslzsqND
MD5: 799C9B76D3F5CCFD053164785CA617A4
SHA1: D09C23B359E2C6FAA6D255A2ED8FD7114CE48379
SHA-256: EEE77E15D9811DD39A198F1A31D9F86F9B99546BC97B6891BDE3368FBFE041A1
SHA-512: 6F003D422CFB293A8D1912DD34ED5107B6D0C0315A51A57F24CCDDE2FD4A903473A78E24B22DB1555FC65DA8B1AC10FB6CE20DAD83378DBDE381B7F1F0704AA9
Malicious: false
Reputation: low
                            Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..05:39:28.497.WARNING.Mouse relative mode disabled..05:39:28.512.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1080-0:1920 desktop: 0:1080-0:1920..05:39:28.513.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1080-0:1920 desktop: 0:1080-0:1920..05:39:28.513.INFO.BlackScreen initialized..05:39:28.513.INFO.Monitor detect monitor '\\.\DISPLAY1' scale:1.000000 size: 0:1080-0:1920 desktop: 0:1080-0:1920..05:39:28.513.INFO.Capture select monitor '\\.\DISPLAY1'..05:39:28.544.INFO.Capture set frame rate to 30..05:39:28.544.INFO.Child frame mark off..05:39:28.544.INFO.FrameMark hide frame..05:39:32.291.INFO.Child get stop message..05:39:32.292.INFO.Opus compress stop..05:39:32.292.INFO.Capture capture stopped..
Process: C:\Users\user\Desktop\getscreen-524501439-x86.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2956
Entropy (8bit): 4.858572470254779
Encrypted: false
SSDEEP: 24:TwG4L5Vy7ftxBumq4IMJqRlq89qw5qFxqzq7aqwJq/rOUq55AN/qGqc6rO8BkfbK:TwGE5Vy7f3uatMW4ifb/3S
MD5: B07FC7C27AA47CF2BBAFEA6230D4C028
SHA1: C5F4F2B278E78B62CA32A11BB5464BC81B5C442E
SHA-256: 0BEC6DC2E097FF94C1F422052EC8671D413D7654470A5234D6455E3FBC294F57
SHA-512: 6CBAB3849C2C65CB59A5AFB484A406AE922236A97801AD6204F69B6AE65DEEFCCE89E3D1B94BDC373C12FB1F1F34D13F6DEDEC05C31A725FE60449525D5412BC
Malicious: false
Reputation: low
                            Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..05:39:28.426.INFO.Gui GUI started..05:39:28.669.INFO.Gui load data: 'this://app/main-turbo.htm'..05:39:28.689.INFO.Gui load data: 'this://app/common/zepto.min.js'..05:39:28.693.INFO.Gui load data: 'this://app/common/sciter.js'..05:39:28.697.INFO.Gui load data: 'this://app/ico/favicon.ico'..05:39:28.717.INFO.Gui document ready..05:39:28.736.INFO.Gui load data: 'this://app/lang/en.json'..05:39:28.743.INFO.Gui send event event-application-status: {"value":"connecting"}'..05:39:28.744.INFO.Gui send event event-install-status: {"value":false}'..05:39:28.775.INFO.Gui send event event-domain: {"value":""}'..05:39:28.775.INFO.Gui send event event-fastaccess-url: {"value":""}'..05:39:28.775.INFO.Gui send event event-fastaccess-code: {"value":""}'..05:39:28.775.INFO.Gui send eve
Process: C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 2609
Entropy (8bit): 5.165371017525766
Encrypted: false
SSDEEP: 48:Trlyp3vGuv32v0DJInpJIoWBRycBIMVeCBWCh5GEPbVzj7cBIeYgHzycT/SmR:3Kjiw3ywewWCh5G4xzj7HGykqg
MD5: FEDE9F46AD21CEDD1B1068C8C40BC0AD
SHA1: 8812138C1F0F2557E52D75C61BCC46C857DB6619
SHA-256: ED5AC6DA94844749F09A8D8C4754094ADBEB0FB92748A1F7C869F83978C7CDC0
SHA-512: 6214FB36F892A9ED3DCF26EC33DCF25572D8A22A4174B3E914DFCAA8BD9255595C28076001E1CF0316709803F4F12F22E7F55C223BA3C563D1EF91549B6DBEC3
Malicious: false
Reputation: low
                            Preview:00:00:00.000.INFO.Log Getscreen.me v3.1.5 build 228..05:39:25.447.INFO.Server start server run....05:39:25.448.INFO.Start Getscreen.me v 3.1.5 build 228 revision 0..05:39:26.000.ERROR.Service service 'GetscreenSV' not found..05:39:26.301.INFO.Service service 'GetscreenSV' installed..05:39:26.642.INFO.Service service 'GetscreenSV' start success..05:39:26.645.INFO.Service get control message 1..05:39:26.678.INFO.Capture capture stopped..05:39:26.685.INFO.FrameMark hide frame..05:39:27.207.INFO.Service service 'GetscreenSV' stop [0] (0)..05:39:27.720.INFO.Service service 'GetscreenSV' removed..05:39:27.736.INFO.Child success get system token..05:39:27.737.INFO.Child start child process simply..05:39:27.738.INFO.Shared remove shared memory 0000pipe0PCommand96cwjlbipmvmcfjcugs6l75ufcak3meh..05:39:27.738.INFO.Shared create shared memory 0000pipe0PCommand96cwjlbip
Process: C:\Users\user\Desktop\getscreen-524501439-x86.exe
File Type: data
Category: dropped
Size (bytes): 16777512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: 8CCA8765BA082ECC53E001B1D237A8EE
SHA1: DE616FFC2282B6E4D6D2EC1524DCBE2CD8F270F7
SHA-256: 46D9D79B8BE089ABF16344F1E491613D6710B051EC184A69AC183C349BD71746
SHA-512: 9D884A535930529684E88DDB3AEA26964A5CA984CC07DE6EFE2BFDA6CA5F5D437C521E61ACED07E9379A8337BB1892F13CA67592D8E1E6673CCDBBD89E17DE40
Malicious: false
Reputation: low
                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\getscreen-524501439-x86.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 6861600
Entropy (8bit): 7.933317188904972
Encrypted: false
SSDEEP: 98304:0sNRNZcoXvT3UZxDVofOu1jL3ioeg1dWosvu460B18uxYZHCDUuT:tNRN2oXrErVgRioegbWnvun9uxYZg1
MD5: 294AD9E8EAD4DCF6EAFEC6BF5463168B
SHA1: 40143D13EDB136F582F2622565AFBDA9E035D5D7
SHA-256: A66D219A6E5A068EDC5B3E06DC1412454CE69BAC0419E43D4D8C0620AE3D79E8
SHA-512: B18AE589197EEB2CC000653466B183F133865EC9207A48EC0C6237EBB45A25F78D702390DC32D45E9C6FB84C894C2FD7A515C7CC826DD1818506AC85E51CC881
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$............................+......+.........3......d...........+......+..........4.............................#....,......,......,......k.....,.....Rich...................PE..L...*..g...............(.`h..0......`........ ....@..........................P.......]i...@..............................U..8C....... ..8#............h. /...J..(...........................|.......d...............................................UPX0....................................UPX1.....`h......Th.................@....rsrc....0... ...,...Xh.............@......................................................................................................................................................................................................................................................................................................................4.22.UPX!....
Process: C:\Users\user\Desktop\getscreen-524501439-x86.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):7364
                            Entropy (8bit):7.901835419176569
                            Encrypted:false
                            SSDEEP:192:gkjpb5s+SUI+0qcO37I79Vot0dwXtjgba6hdxP0de1LJp:gk9ts+SUILm7I7toEXuenp
                            MD5:BD764EBB90FA4581EBCE6139E4D21812
                            SHA1:087A598B97DA0F92FF10E36A3102CD1DE65ED998
                            SHA-256:8EEFBE962FA2F54C05271881236BD0116D58449459F8462CA7225E82CF839170
                            SHA-512:635B392531B1C177BE34865B038554D50D9C77A946FE44AC66803100AB1ADB2F30CD84D214161909272604A090051F0BD2867D73A351B7179070D5EA1E516132
                            Malicious:false
                            Preview:INSC.>.....Mar222021150038.....&G~.R.].<.Y|X....u.6..9Y..O..K..................&.1O.".Nx.c`@.....L@.#...`4..s.......,.......a..$..L....... .".H. .......>.......u@o.C/.......2...p..2$0..:.x....b..S.F.._...F...v..P..C.....(_A.U.....eR`.gd`.fT`/........l.....@....L`.j>.|.?.....u....../.....8....L..#.'.?...M..p....A.y*..^B......!....Q...................x..E.m.x..S.J.@..31M.6I....A.GJVA..".."....Dj...,.....|......=..L.`.J...3.2w.<......s..............c...>3.op........ d...o..../o6......+x.@..c{.SM..t.I..k.C/...W.>....n.?..oc.?.....Y.C...=Z.KE.....X.!.h.wKhB..S.w).t.O9q^0...\.z9...\.O`.+O.gO&.>..|H..>......?r.mo....=.e.`.G0...g...1..;....?r..*.....n.........h}...L)~....JZ...-]........k..?JT.<.....H....e.....B.68.5,...R......F.."m....x)...............`...x..K.1.._"M.^{./().v../.Eh......b...?@..{.......vu.......$..7.Y.......^.....Fc2...q.j..3..Uw%3.Q.;.....=......R.ir..g.M.;S...$(..A..-...z..O.....t.$IJ.e(....0.B=....h.+...#........~_..U.bF...)rQI......U
                            Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.873140679513132
                            Encrypted:false
                            SSDEEP:3:tAvnXVG8d:tgXVVd
                            MD5:2DE2373EF07261CAC4D4BF7D3FE31122
                            SHA1:8A5BD414AFD96AFAED4EB413D033240BC6A71C94
                            SHA-256:F6F219ED2C4029EBC3071C036B64113AA62A7A342D2FD5965FD122D5C90BC9BC
                            SHA-512:AF4CACDD0A501DCB37318FA9E5B7049AFEB8E0EE6EB0770F0B013C70E32123FA45C1508DD12921C909C0C9F88AC8A2F3041A16747E5FF145B4FB15E8509DB105
                            Malicious:false
                            Preview:INSC.>.....Mar222021150038
                            Process:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):5.831954882778696
                            Encrypted:false
                            SSDEEP:3:Bv4SceJIOMpFl8g:X5ROFz
                            MD5:B962521551AD299C69DB04642A1D4841
                            SHA1:22F587A17ECEF7060A5CD74B719295A98822EF6E
                            SHA-256:D50F228C074BB30078C42BE03454E15CE3DFC41C01E1297F23044F4370F65C8C
                            SHA-512:1B1510E1B8E09F3780B2DE993A9DDBCA3ECAB8FE983D218E77931C95737D387695E4E97455D3A86222E2BAE339CCB6D3945F0C0E6B31275E232FB8420D46C570
                            Malicious:false
                            Preview:...J.+.q....:.O>v_.['.....:.OE.....,.6.<.....2.8UO..u.C/.A{;
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                            Entropy (8bit):7.933317188904972
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.66%
                            • UPX compressed Win32 Executable (30571/9) 0.30%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:getscreen-524501439-x86.exe
                            File size:6'861'600 bytes
                            MD5:294ad9e8ead4dcf6eafec6bf5463168b
                            SHA1:40143d13edb136f582f2622565afbda9e035d5d7
                            SHA256:a66d219a6e5a068edc5b3e06dc1412454ce69bac0419e43d4d8c0620ae3d79e8
                            SHA512:b18ae589197eeb2cc000653466b183f133865ec9207a48ec0c6237ebb45a25f78d702390dc32d45e9c6fb84c894c2fd7a515c7cc826dd1818506ac85e51cc881
                            SSDEEP:98304:0sNRNZcoXvT3UZxDVofOu1jL3ioeg1dWosvu460B18uxYZHCDUuT:tNRN2oXrErVgRioegbWnvun9uxYZg1
                            TLSH:AA66339AFE1F1B0CD197ECBC7F1DBF24A214AE42B4960458E77E8312A4B4F1521A593C
                            File Content Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$................................+.......+..........3.......d............+.......+..........4...............................#....,.....
                            Icon Hash:418c6963696c9643
                            Entrypoint:0x2450c60
                            Entrypoint Section:UPX1
                            Digitally signed:true
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6717892A [Tue Oct 22 11:14:50 2024 UTC]
                            TLS Callbacks:0x2450e5b
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:3489ede818bf2156dcaa5da003e7e8cb
                            Signature Valid:true
                            Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                            Signature Validation Error:The operation completed successfully
                            Error Number:0
                            Not Before, Not After
                            • 28/05/2024 15:50:28 28/06/2026 16:36:10
                            Subject Chain
                            • CN=POINT B LTD, O=POINT B LTD, L=Limassol, S=Limassol, C=CY, OID.1.3.6.1.4.1.311.60.2.1.3=CY, SERIALNUMBER=HE 430957, OID.2.5.4.15=Private Organization
                            Version:3
                            Thumbprint MD5:9B083870477F4699693EEECABF351BF8
                            Thumbprint SHA-1:B3C999E29AED18DEA59733F3CAA94E788B1AC3A1
                            Thumbprint SHA-256:3E73B7C28C18DC6A03B9816F200365F1DF1FF80A7BD0D55DB920F1B24BBD74E7
                            Serial:7AE0E9C1CFE2DCE0E21C4327
                            Instruction
                            pushad
                            mov esi, 01DCC000h
                            lea edi, dword ptr [esi-019CB000h]
                            push edi
                            or ebp, FFFFFFFFh
                            jmp 00007FE504A38A22h
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            mov al, byte ptr [esi]
                            inc esi
                            mov byte ptr [edi], al
                            inc edi
                            add ebx, ebx
                            jne 00007FE504A38A19h
                            mov ebx, dword ptr [esi]
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            jc 00007FE504A389FFh
                            mov eax, 00000001h
                            add ebx, ebx
                            jne 00007FE504A38A19h
                            mov ebx, dword ptr [esi]
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            adc eax, eax
                            add ebx, ebx
                            jnc 00007FE504A38A1Dh
                            jne 00007FE504A38A3Ah
                            mov ebx, dword ptr [esi]
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            jc 00007FE504A38A31h
                            dec eax
                            add ebx, ebx
                            jne 00007FE504A38A19h
                            mov ebx, dword ptr [esi]
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            adc eax, eax
                            jmp 00007FE504A389E6h
                            add ebx, ebx
                            jne 00007FE504A38A19h
                            mov ebx, dword ptr [esi]
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            adc ecx, ecx
                            jmp 00007FE504A38A64h
                            xor ecx, ecx
                            sub eax, 03h
                            jc 00007FE504A38A23h
                            shl eax, 08h
                            mov al, byte ptr [esi]
                            inc esi
                            xor eax, FFFFFFFFh
                            je 00007FE504A38A87h
                            sar eax, 1
                            mov ebp, eax
                            jmp 00007FE504A38A1Dh
                            add ebx, ebx
                            jne 00007FE504A38A19h
                            mov ebx, dword ptr [esi]
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            jc 00007FE504A389DEh
                            inc ecx
                            add ebx, ebx
                            jne 00007FE504A38A19h
                            mov ebx, dword ptr [esi]
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            jc 00007FE504A389D0h
                            add ebx, ebx
                            jne 00007FE504A38A19h
                            mov ebx, dword ptr [esi]
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            adc ecx, ecx
                            add ebx, ebx
                            jnc 00007FE504A38A01h
                            jne 00007FE504A38A1Bh
                            mov ebx, dword ptr [esi]
                            sub esi, FFFFFFFCh
                            adc ebx, ebx
                            jnc 00007FE504A389F6h
                            add ecx, 02h
                            cmp ebp, FFFFFB00h
                            adc ecx, 02h
                            lea edx, dword ptr [eax+eax]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1001ef0 | 0x5500 | UPX0
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2054338 | 0x7ac | .rsrc
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2052000 | 0x2338 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x688400 | 0x2f20 | UPX0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2054ae4 | 0x28 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x2050e7c | 0x18 | UPX1
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2051164 | 0xc0 | UPX1
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            UPX0 | 0x1000 | 0x19cb000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            UPX1 | 0x19cc000 | 0x686000 | 0x685400 | 64d91f24b3bf91e1625badc12f4b6efe | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x2052000 | 0x3000 | 0x2c00 | 4fad813d5f039aac2f1feaf707703375 | False | 0.5697798295454546 | data | 6.067564215606164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            AFX_DIALOG_LAYOUT | 0x1f2a9e0 | 0x2 | Non-ISO extended-ASCII text, with no line terminators | Russian | Russia | 5.0
                            INI | 0x1f58d18 | 0xa | data | Russian | Russia | 1.8
                            LANG | 0x1f2d920 | 0x21ec | data | Russian | Russia | 0.9869875633348687
                            LANG | 0x1f2fb10 | 0x33d9 | data | Russian | Russia | 0.9900549988698862
                            LANG | 0x1f32ef0 | 0x2454 | data | Russian | Russia | 0.9904301075268818
                            LANG | 0x1f35348 | 0x25b3 | data | Russian | Russia | 0.9894311470313957
                            LANG | 0x1f37900 | 0x2454 | data | Russian | Russia | 0.9876344086021506
                            LANG | 0x1f39d58 | 0x289b | data | Russian | Russia | 0.9887445887445887
                            LANG | 0x1f3c5f8 | 0x252c | data | Russian | Russia | 0.9790878520386717
                            LANG | 0x1f3eb28 | 0x1f5f | data | Russian | Russia | 0.9078570539160752
                            LANG | 0x1f40a88 | 0x23ce | data | Russian | Russia | 0.9837442723107135
                            LANG | 0x1f42e58 | 0x242e | data | Russian | Russia | 0.9904988123515439
                            LANG | 0x1f59d00 | 0x2499 | data | English | United States | 0.9866581278685025
                            OPUS | 0x1f45288 | 0xa5e5 | data | Russian | Russia | 0.9797970284207305
                            OPUS | 0x1f4f870 | 0x94a4 | data | Russian | Russia | 0.9879901187848208
                            RT_ICON | 0x1f2a9e8 | 0x139 | data | Russian | Russia | 1.035143769968051
                            RT_ICON | 0x1f2ab28 | 0x1ef | data | Russian | Russia | 1.0222222222222221
                            RT_ICON | 0x1f2ad18 | 0x225 | data | Russian | Russia | 1.0200364298724955
                            RT_ICON | 0x1f2af40 | 0x26b | data | Russian | Russia | 1.0177705977382876
                            RT_ICON | 0x1f2b1b0 | 0x326 | data | Russian | Russia | 1.0136476426799008
                            RT_ICON | 0x1f2b4d8 | 0x402 | data | Russian | Russia | 1.010721247563353
                            RT_ICON | 0x20529e0 | 0x13b | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.034920634920635
                            RT_ICON | 0x2052b20 | 0x1c5 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0242825607064017
                            RT_ICON | 0x2052cec | 0x1ee | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0222672064777327
                            RT_ICON | 0x2052ee0 | 0x253 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0184873949579831
                            RT_ICON | 0x2053138 | 0x2e7 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0148048452220726
                            RT_ICON | 0x2053424 | 0x3ad | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | Russian | Russia | 1.0116896918172158
                            RT_ICON | 0x1f2c788 | 0x159 | data | Russian | Russia | 1.0318840579710145
                            RT_ICON | 0x1f2c8e8 | 0x1e6 | data | Russian | Russia | 1.022633744855967
                            RT_ICON | 0x1f2cad0 | 0x1f6 | data | Russian | Russia | 1.0219123505976095
                            RT_ICON | 0x1f2ccc8 | 0x26d | data | Russian | Russia | 1.0177133655394526
                            RT_ICON | 0x1f2cf38 | 0x31b | data | Russian | Russia | 0.9106918238993711
                            RT_ICON | 0x1f2d258 | 0x3e7 | data | Russian | Russia | 0.93993993993994
                            RT_ICON | 0x1f58d28 | 0x163 | data | | | 1.0309859154929577
                            RT_ICON | 0x1f58e90 | 0x20d | data | | | 1.020952380952381
                            RT_ICON | 0x1f590a0 | 0x21b | data | | | 1.0204081632653061
                            RT_ICON | 0x1f592c0 | 0x282 | data | | | 1.017133956386293
                            RT_ICON | 0x1f59548 | 0x33c | data | | | 1.0132850241545894
                            RT_ICON | 0x1f59888 | 0x413 | data | | | 1.0105465004793863
                            RT_STRING | 0x1f5c1a0 | 0x38 | data | Russian | Russia | 1.1964285714285714
                            RT_GROUP_ICON | 0x20537d8 | 0x5a | data | Russian | Russia | 0.8
                            RT_GROUP_ICON | 0x1f2b8e0 | 0x5a | Dyalog APL DFS component file 64-bit level 1 journaled checksummed version -44.94 | Russian | Russia | 1.1222222222222222
                            RT_GROUP_ICON | 0x1f59ca0 | 0x5a | data | | | 1.1222222222222222
                            RT_GROUP_ICON | 0x1f2d640 | 0x5a | data | Russian | Russia | 1.1222222222222222
                            RT_VERSION | 0x2053838 | 0x27c | data | Russian | Russia | 0.4748427672955975
                            RT_MANIFEST | 0x2053ab8 | 0x87f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2115), with CRLF line terminators | English | United States | 0.31264367816091954
                            DLL | Import
                            ADVAPI32.dll | FreeSid
                            COMCTL32.dll | ImageList_DrawEx
                            COMDLG32.dll | PrintDlgW
                            d3d11.dll | D3D11CreateDevice
                            dbghelp.dll | StackWalk
                            dxgi.dll | CreateDXGIFactory1
                            GDI32.dll | LineTo
                            gdiplus.dll | GdipFree
                            IMM32.dll | ImmIsIME
                            IPHLPAPI.DLL | GetIfEntry2
                            KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                            MPR.dll | WNetGetConnectionW
                            msdmo.dll | MoInitMediaType
                            msi.dll |
                            NETAPI32.dll | NetUserGetInfo
                            ntdll.dll | RtlGetVersion
                            NTDSAPI.dll | DsMakeSpnW
                            ole32.dll | DoDragDrop
                            OLEACC.dll | LresultFromObject
                            OLEAUT32.dll | SafeArrayDestroy
                            POWRPROF.dll | PowerGetActiveScheme
                            RPCRT4.dll | UuidEqual
                            SAS.dll | SendSAS
                            Secur32.dll | DeleteSecurityContext
                            SHELL32.dll |
                            SHLWAPI.dll | PathIsRelativeA
                            USER32.dll | GetDC
                            USERENV.dll | CreateEnvironmentBlock
                            USP10.dll | ScriptShape
                            VERSION.dll | VerQueryValueW
                            WINHTTP.dll | WinHttpOpen
                            WININET.dll | InternetOpenA
                            WINMM.dll | waveInOpen
                            WINSPOOL.DRV |
                            WS2_32.dll | ioctlsocket
                            WTSAPI32.dll | WTSFreeMemory
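The section table, data directories and import list above carry the static evidence for the UPX packing named in the file type line. The script below is an added editorial example; it is not part of the Joe Sandbox report or of the Getscreen.me software. It embeds the reported values as constants and performs the checks an analyst would otherwise do by hand: resolving the entry point and TLS callback (printed by the report as VAs, image base plus RVA) to their section; confirming that UPX0 is a zero-raw-size, writable and executable placeholder into which the stub unpacks (its MD5 d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input); checking that the stub's `mov esi, 01DCC000h` and `lea edi, [esi-019CB000h]` constants are image base plus the UPX1 and UPX0 bases; confirming that the IMAGE_DIRECTORY_ENTRY_SECURITY value is a file offset whose end is exactly the file size, so the Authenticode signature is an overlay after .rsrc rather than data inside UPX0 as the "Is in Section" column suggests; and flagging the import table shape UPX leaves behind, one anchor import per DLL plus the four KERNEL32 routines the stub uses to rebuild the real import table. The 0x400-byte header size is an inference, not a reported value: the report lists no raw offsets, and 0x400 is the header size at which the UPX1 and .rsrc raw data end exactly at the security directory offset.

```python
"""UPX-layout checks over the static PE facts reported above (editorial example)."""
from typing import Dict, List, NamedTuple, Optional

# Copied from the report: Imagebase, File size, Entrypoint, TLS Callbacks,
# IMAGE_DIRECTORY_ENTRY_SECURITY, the section table and the import list.
IMAGE_BASE = 0x400000
FILE_SIZE = 6_861_600
ENTRY_POINT_VA = 0x2450C60          # the report prints VAs, i.e. image base + RVA
TLS_CALLBACK_VA = 0x2450E5B
SECURITY_DIR = (0x688400, 0x2F20)   # (file offset, size) of the Authenticode blob
HEADERS_RAW_SIZE = 0x400            # inferred, not in the report (see lead-in)
STUB_MOV_ESI = 0x1DCC000            # stub: mov esi, 01DCC000h  (packed data, UPX1)
STUB_LEA_EDI_DELTA = 0x19CB000      # stub: lea edi, [esi-019CB000h]  (unpack target, UPX0)
UPX_STUB_KERNEL32 = frozenset({"LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"})


class Section(NamedTuple):
    name: str
    va: int
    vsize: int
    raw_size: int
    chars: frozenset


SECTIONS: List[Section] = [
    Section("UPX0", 0x1000, 0x19CB000, 0x0,  # raw size 0: its MD5 is that of empty input
            frozenset({"CNT_UNINITIALIZED_DATA", "MEM_EXECUTE", "MEM_READ", "MEM_WRITE"})),
    Section("UPX1", 0x19CC000, 0x686000, 0x685400,
            frozenset({"CNT_INITIALIZED_DATA", "MEM_EXECUTE", "MEM_READ", "MEM_WRITE"})),
    Section(".rsrc", 0x2052000, 0x3000, 0x2C00,
            frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
]

# Import list exactly as reported; DLLs with no named import keep an empty list.
IMPORTS: Dict[str, List[str]] = {
    "ADVAPI32.dll": ["FreeSid"], "COMCTL32.dll": ["ImageList_DrawEx"], "COMDLG32.dll": ["PrintDlgW"],
    "d3d11.dll": ["D3D11CreateDevice"], "dbghelp.dll": ["StackWalk"], "dxgi.dll": ["CreateDXGIFactory1"],
    "GDI32.dll": ["LineTo"], "gdiplus.dll": ["GdipFree"], "IMM32.dll": ["ImmIsIME"],
    "IPHLPAPI.DLL": ["GetIfEntry2"],
    "KERNEL32.DLL": ["LoadLibraryA", "ExitProcess", "GetProcAddress", "VirtualProtect"],
    "MPR.dll": ["WNetGetConnectionW"], "msdmo.dll": ["MoInitMediaType"], "msi.dll": [],
    "NETAPI32.dll": ["NetUserGetInfo"], "ntdll.dll": ["RtlGetVersion"], "NTDSAPI.dll": ["DsMakeSpnW"],
    "ole32.dll": ["DoDragDrop"], "OLEACC.dll": ["LresultFromObject"], "OLEAUT32.dll": ["SafeArrayDestroy"],
    "POWRPROF.dll": ["PowerGetActiveScheme"], "RPCRT4.dll": ["UuidEqual"], "SAS.dll": ["SendSAS"],
    "Secur32.dll": ["DeleteSecurityContext"], "SHELL32.dll": [], "SHLWAPI.dll": ["PathIsRelativeA"],
    "USER32.dll": ["GetDC"], "USERENV.dll": ["CreateEnvironmentBlock"], "USP10.dll": ["ScriptShape"],
    "VERSION.dll": ["VerQueryValueW"], "WINHTTP.dll": ["WinHttpOpen"], "WININET.dll": ["InternetOpenA"],
    "WINMM.dll": ["waveInOpen"], "WINSPOOL.DRV": [], "WS2_32.dll": ["ioctlsocket"],
    "WTSAPI32.dll": ["WTSFreeMemory"],
}


def section_for_rva(rva: int) -> Optional[str]:
    """Name of the section whose [va, va + vsize) range contains rva, else None."""
    for s in SECTIONS:
        if s.va <= rva < s.va + s.vsize:
            return s.name
    return None


def security_dir_is_overlay() -> bool:
    """SECURITY holds a file offset, not an RVA: it must start where the last
    section's raw data ends and finish exactly at end of file."""
    off, size = SECURITY_DIR
    return off == HEADERS_RAW_SIZE + sum(s.raw_size for s in SECTIONS) and off + size == FILE_SIZE


def stub_constants_match_sections() -> bool:
    """The stub copies from UPX1 (esi) down to UPX0 (edi); both are image-base relative."""
    upx0, upx1 = SECTIONS[0], SECTIONS[1]
    return (STUB_MOV_ESI == IMAGE_BASE + upx1.va
            and STUB_MOV_ESI - STUB_LEA_EDI_DELTA == IMAGE_BASE + upx0.va)


def upx_findings() -> Dict[str, bool]:
    """Each True is one piece of evidence for a UPX-style layout."""
    first = SECTIONS[0]
    k32 = frozenset(IMPORTS.get("KERNEL32.DLL", []))
    return {
        "first_section_is_empty_rwx_unpack_target":
            first.raw_size == 0 and first.vsize > 0 and {"MEM_EXECUTE", "MEM_WRITE"} <= first.chars,
        "entry_point_in_packed_section": section_for_rva(ENTRY_POINT_VA - IMAGE_BASE) == "UPX1",
        "tls_callback_in_packed_section": section_for_rva(TLS_CALLBACK_VA - IMAGE_BASE) == "UPX1",
        "entry_point_value_is_va_not_rva": section_for_rva(ENTRY_POINT_VA) is None,
        "kernel32_imports_are_stub_minimum": k32 == UPX_STUB_KERNEL32,
        "other_dlls_have_at_most_one_anchor_import":
            all(len(v) <= 1 for k, v in IMPORTS.items() if k != "KERNEL32.DLL"),
        "stub_constants_match_sections": stub_constants_match_sections(),
        "signature_blob_is_overlay": security_dir_is_overlay(),
    }


if __name__ == "__main__":
    for name, hit in upx_findings().items():
        print(f"{name:44s} {hit}")
```

Because the image is linked with DYNAMIC_BASE and carries a base relocation directory, the absolute constants in the stub are rebased at load time; the process list further down shows the same binary mapped at 0x560000 and 0xf60000, so a memory dump must be compared against the preferred base 0x400000 used here, not against the addresses seen in the running process.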
                            Language of compilation system | Country where language is spoken | Map
                            Russian | Russia |
                            English | United States |
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jan 6, 2025 06:39:29.526555061 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:29.526576996 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Jan 6, 2025 06:39:29.526741982 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:29.527024031 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:29.527034044 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Jan 6, 2025 06:39:29.992697954 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Jan 6, 2025 06:39:29.993151903 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:29.993164062 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Jan 6, 2025 06:39:29.994512081 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Jan 6, 2025 06:39:29.994714975 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:29.995939970 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:29.996041059 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Jan 6, 2025 06:39:29.996225119 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:29.996232986 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Jan 6, 2025 06:39:30.039469004 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:30.491149902 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Jan 6, 2025 06:39:30.491197109 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Jan 6, 2025 06:39:30.491321087 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:30.501269102 CET | 49741 | 443 | 192.168.11.20 | 78.47.165.25
                            Jan 6, 2025 06:39:30.501283884 CET | 443 | 49741 | 78.47.165.25 | 192.168.11.20
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jan 6, 2025 06:39:29.405622959 CET | 60536 | 53 | 192.168.11.20 | 1.1.1.1
                            Jan 6, 2025 06:39:29.525083065 CET | 53 | 60536 | 1.1.1.1 | 192.168.11.20
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Jan 6, 2025 06:39:29.405622959 CET | 192.168.11.20 | 1.1.1.1 | 0xa8d6 | Standard query (0) | getscreen.me | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jan 6, 2025 06:39:29.525083065 CET | 1.1.1.1 | 192.168.11.20 | 0xa8d6 | No error (0) | getscreen.me | | 78.47.165.25 | A (IP address) | IN (0x0001) | false
                            Jan 6, 2025 06:39:29.525083065 CET | 1.1.1.1 | 192.168.11.20 | 0xa8d6 | No error (0) | getscreen.me | | 5.75.168.191 | A (IP address) | IN (0x0001) | false
                            Jan 6, 2025 06:39:29.525083065 CET | 1.1.1.1 | 192.168.11.20 | 0xa8d6 | No error (0) | getscreen.me | | 51.89.95.37 | A (IP address) | IN (0x0001) | false
                            • getscreen.me
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.11.20 | 49741 | 78.47.165.25 | 443 | 4656 | C:\Users\user\Desktop\getscreen-524501439-x86.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2025-01-06 05:39:29 UTC | 361 | OUT | GET /signal/agent HTTP/1.1
                            Host: getscreen.me
                            Upgrade: websocket
                            Connection: Upgrade
                            Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
                            Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
                            Origin: https://getscreen.me
                            Sec-WebSocket-Protocol: chat, superchat
                            Sec-WebSocket-Version: 13
                            User-Agent: Getscreen.me/3.1.5 (Win, getscreen.me, 228)
                            2025-01-06 05:39:30 UTC | 354 | IN | HTTP/1.1 400 Bad Request
                            access-control-expose-headers: X-Js-Cache
                            content-type: text/plain; charset=utf-8
                            sec-websocket-version: 13
                            x-content-type-options: nosniff
                            x-js-cache: ff865bcc32999ce12f2e4c6aa33a641b
                            date: Mon, 06 Jan 2025 05:39:30 GMT
                            content-length: 12
                            x-envoy-upstream-service-time: 2
                            server: lb1.getscreen.me
                            connection: close
                            2025-01-06 05:39:30 UTC | 12 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a
                            Data Ascii: Bad Request
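The exchange above is a WebSocket opening handshake (RFC 6455) sent over the TLS connection to getscreen.me, which the server answered with 400 Bad Request. The script below is an added editorial example, not code from the report or from Getscreen.me. It embeds the captured request and response as strings (the CRLF framing and the blank line between headers and body are reconstructed, since the report lists header lines only; the 12-byte body is taken from the Data Raw line) and performs the checks a reviewer of this capture would make: that the client headers form a well-formed upgrade request, that Sec-WebSocket-Key decodes to exactly 16 bytes, what the server would have had to return in Sec-WebSocket-Accept (base64 of SHA-1 over the key concatenated with the fixed GUID 258EAFA5-E914-47DA-95CA-C5AB0DC85B11, RFC 6455 section 4.2.2), and whether the response actually completed the upgrade (it did not: status 400 instead of 101, no Upgrade or Sec-WebSocket-Accept header, and connection: close). One detail visible in the capture itself: the key dGhlIHNhbXBsZSBub25jZQ== decodes to the ASCII text "the sample nonce" and, together with "Sec-WebSocket-Protocol: chat, superchat", is the worked example from RFC 6455 section 1.3, so the expected accept value is the RFC's s3pPLMBiTxaQ9kYGzzhZRbK+xOo=. RFC 6455 section 4.1 requires the key to be a fresh random nonce per connection; a constant key does not weaken the TLS channel, but it is a stable client fingerprint that a network sensor can match on.

```python
"""Check the WebSocket upgrade exchange captured above (editorial example)."""
import base64
import hashlib
from typing import Dict, Tuple

# RFC 6455 section 4.2.2: Sec-WebSocket-Accept = base64(SHA-1(key + WS_ACCEPT_GUID)).
WS_ACCEPT_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Request and response copied from the report's HTTPS traffic table; CRLF framing,
# the header/body separator and the body text are reconstructed from the capture.
REQUEST = (
    "GET /signal/agent HTTP/1.1\r\n"
    "Host: getscreen.me\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: https://getscreen.me\r\n"
    "Sec-WebSocket-Protocol: chat, superchat\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "User-Agent: Getscreen.me/3.1.5 (Win, getscreen.me, 228)\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "access-control-expose-headers: X-Js-Cache\r\n"
    "content-type: text/plain; charset=utf-8\r\n"
    "sec-websocket-version: 13\r\n"
    "x-content-type-options: nosniff\r\n"
    "x-js-cache: ff865bcc32999ce12f2e4c6aa33a641b\r\n"
    "date: Mon, 06 Jan 2025 05:39:30 GMT\r\n"
    "content-length: 12\r\n"
    "x-envoy-upstream-service-time: 2\r\n"
    "server: lb1.getscreen.me\r\n"
    "connection: close\r\n"
    "\r\n"
    "Bad Request\n"          # the 12 raw bytes 42 61 64 20 52 65 71 75 65 73 74 0a
)


def parse_http(msg: str) -> Tuple[str, Dict[str, str], str]:
    """Split an HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def expected_accept(key: str) -> str:
    """The Sec-WebSocket-Accept value a conforming server must return for this key."""
    digest = hashlib.sha1((key + WS_ACCEPT_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def key_is_valid_nonce(key: str) -> bool:
    """RFC 6455 section 4.1: the key is base64 of exactly 16 random bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except ValueError:
        return False


def response_status(resp: str) -> int:
    start, _, _ = parse_http(resp)
    return int(start.split()[1])


def handshake_completed(req: str, resp: str) -> bool:
    """True only for a 101 that echoes Upgrade/Connection and the correct Accept."""
    _, req_h, _ = parse_http(req)
    start, resp_h, _ = parse_http(resp)
    return (start.split()[1] == "101"
            and resp_h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in resp_h.get("connection", "").lower()
            and resp_h.get("sec-websocket-accept") == expected_accept(req_h["sec-websocket-key"]))


def audit(req: str = REQUEST, resp: str = RESPONSE) -> Dict[str, object]:
    """Everything a reviewer wants from one captured handshake, in one dict."""
    _, req_h, _ = parse_http(req)
    key = req_h["sec-websocket-key"]
    _, _, body = parse_http(resp)
    return {
        "client_request_well_formed": (
            req_h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in req_h.get("connection", "").lower()
            and req_h.get("sec-websocket-version") == "13"
            and key_is_valid_nonce(key)),
        "key_decodes_to": base64.b64decode(key),
        "key_is_rfc6455_example": base64.b64decode(key) == b"the sample nonce",
        "server_should_have_answered": expected_accept(key),
        "status": response_status(resp),
        "handshake_completed": handshake_completed(req, resp),
        "body": body,
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name:28s} {value!r}")
```

The same `audit` function works on any captured handshake pair; for a successful upgrade it would return status 101 and `handshake_completed` True only if the server's Sec-WebSocket-Accept matches the value derived from the client's key, which is the check that catches a proxy or sandbox terminating the WebSocket instead of the real endpoint.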


                            Target ID:0
                            Start time:00:39:24
                            Start date:06/01/2025
                            Path:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\getscreen-524501439-x86.exe"
                            Imagebase:0x560000
                            File size:6'861'600 bytes
                            MD5 hash:294AD9E8EAD4DCF6EAFEC6BF5463168B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:00:39:26
                            Start date:06/01/2025
                            Path:C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\ProgramData\Getscreen.me\upbvylsrnawdqypxwwbrupmvdvvwzyz-elevate.exe" -elevate \\.\pipe\elevateGS512upbvylsrnawdqypxwwbrupmvdvvwzyz
                            Imagebase:0xf60000
                            File size:6'861'600 bytes
                            MD5 hash:294AD9E8EAD4DCF6EAFEC6BF5463168B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:00:39:27
                            Start date:06/01/2025
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                            Imagebase:0x7ff7e6af0000
                            File size:57'360 bytes
                            MD5 hash:F586835082F632DC8D9404D83BC16316
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:false

                            Target ID:3
                            Start time:00:39:28
                            Start date:06/01/2025
                            Path:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\getscreen-524501439-x86.exe" -gpipe \\.\pipe\PCommand97dvigngdgqwehnip -gui
                            Imagebase:0x560000
                            File size:6'861'600 bytes
                            MD5 hash:294AD9E8EAD4DCF6EAFEC6BF5463168B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:4
                            Start time:00:39:28
                            Start date:06/01/2025
                            Path:C:\Users\user\Desktop\getscreen-524501439-x86.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\getscreen-524501439-x86.exe" -cpipe \\.\pipe\PCommand96cwjlbipmvmcfjcu -cmem 0000pipe0PCommand96cwjlbipmvmcfjcugs6l75ufcak3meh -child
                            Imagebase:0x560000
                            File size:6'861'600 bytes
                            MD5 hash:294AD9E8EAD4DCF6EAFEC6BF5463168B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            No disassembly