
Windows Analysis Report
getscreen-226997704-x86.exe

Overview

General Information

Sample name: getscreen-226997704-x86.exe
Analysis ID: 1627312
MD5: 42b9b44450da427b105d6af4a31e4d6a
SHA1: 8c620e55cf892a0e4f5c3d892c8eb18ed19a4c45
SHA256: 68cd32e87599efba54f6efb172f3b56a183bffb8209865847d48d658d3d45779

Detection

Score: 51
Range: 0 - 100
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64native
  • getscreen-226997704-x86.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\getscreen-226997704-x86.exe" MD5: 42B9B44450DA427B105D6AF4A31E4D6A)
    • getscreen-226997704-x86.exe (PID: 8204 cmdline: "C:\Users\user\Desktop\getscreen-226997704-x86.exe" -gpipe \\.\pipe\PCommand97ganyuuasgxkwvpe1 -gui MD5: 42B9B44450DA427B105D6AF4A31E4D6A)
    • getscreen-226997704-x86.exe (PID: 8228 cmdline: "C:\Users\user\Desktop\getscreen-226997704-x86.exe" -cpipe \\.\pipe\PCommand96zvvnazikzfalhbg -cmem 0000pipe0PCommand96zvvnazikzfalhbgosfzk23ai5osclf -child MD5: 42B9B44450DA427B105D6AF4A31E4D6A)
  • tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe (PID: 1264 cmdline: "C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe" -elevate \\.\pipe\elevateGS512tqcebwhlhccnmvlzbgjdymdxhfnpwbt MD5: 42B9B44450DA427B105D6AF4A31E4D6A)
  • svchost.exe (PID: 2224 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: getscreen-226997704-x86.exe PID: 6924 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
    Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 908, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 2224, ProcessName: svchost.exe
    No Suricata rule has matched


    Compliance

    Source: getscreen-226997704-x86.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: getscreen-226997704-x86.exe, Static PE information: certificate valid
    Source: getscreen-226997704-x86.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdbdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdbb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007786000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdbyK source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A3C9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008F36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\twinapi.appcore.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: e3samlib.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A426000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A1FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb* source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbdllKP source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000941A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: .pdbll (10 source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\symbols\dll\InputHost.pdbndow source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009349000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb! source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbi source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009F5B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\mfperfhelper.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000097EF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.000000000771E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MpOAV.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A315000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008F98000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009349000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009CD9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb` source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdbdb4 source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A426000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008FF3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wwin32u.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008387000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000847F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009DED000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009AFD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\bcryptprimitives.pdb5 source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A484000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009C72000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007779000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009849000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fastprox.pdbbO source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A0D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbR source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008F36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000847F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A484000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\WindowManagementAPI.pdb\*0.0./ source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000848A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000927D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000098AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000846E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb. source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A3C9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A0D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009D33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.000000000777F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.000000000771E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdbe=C:SystemRoot=C:\W source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdbb{ source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A06B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008F98000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000940F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000846E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-226997704-x86.pdbL source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.0000000002908000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wimm32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008479000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009409000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009CD9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009E4C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: owManagementAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdbYH source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009730000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009220000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008DBD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FWPolicyIOMgr.pdbYK source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244238163483.000000000A87A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007779000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008DBD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: top\symbols\dll\InputHost.pdbSER3< source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000848A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A06B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MpOAV.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A315000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A25B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244238163483.000000000A87A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A25B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009791000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemcomn.pdbd source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009AFD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009EA6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\mfperfhelper.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000099D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb*? source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\Win32\Release\getscreen.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001952000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000002.244243221966.00000000010B2000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008ECE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000097EF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009D33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009DED000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008641000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\samlib.pdb\*U3 source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wbemsvc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\bcryptprimitives.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb] source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\dll\WindowManagementAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009F00000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\Windows.UI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000927D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009916000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdbb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009C72000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000098A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A1FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000076A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009F5B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb< source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreMessaging.pdb* source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009168000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009916000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: DLL\audioses.pdbemory source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000083F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdb: 3.2.D source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wmswsock.pdbB source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000940F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008ECE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009FB6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemprox.pdbdbQ source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: i.appcore.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009F00000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: top\dll\TextInputFramework.pdb6. source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A011000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008641000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009BBA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000076A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: PI.pdbv source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000941A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wmswsock.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008FF3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009EA6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdb4) source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb*K source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A011000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdbl source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009E4C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fastprox.pdbM source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UI.pdb2. source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000083F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008484000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000941A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemprox.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009BBA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009971000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dll\InputHost.pdbows\M source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000099D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009168000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wimm32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008479000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004B8A000.00000004.00000020.00020000.00000000.sdmp, getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009FB6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdbp source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wwin32u.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008387000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009220000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009849000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: .pdbdbghel source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fastprox.pdbB source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A1A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbdbf source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000098A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A36E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdb* source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rk.pdb90 source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-226997704-x86.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.0000000002908000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A426000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000098AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009730000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000967B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WinTypes.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009791000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009409000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\TextInputFramework.pdb\*\ntdll source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008484000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.000000000777F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UIComponents.pdbbdo source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A1A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Joe Sandbox View | IP Address: 51.89.95.37
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected:
        GET /signal/agent HTTP/1.1
        Host: getscreen.me
        Upgrade: websocket
        Connection: Upgrade
        Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
        Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
        Origin: https://getscreen.me
        Sec-WebSocket-Protocol: chat, superchat
        Sec-WebSocket-Version: 13
        User-Agent: Getscreen.me/3.2.12 (Win, getscreen.me, 327)
    Source: global traffic | DNS traffic detected: DNS query: getscreen.me
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001952000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000002.244243221966.00000000010B2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://proxy.contoso.com:3128/
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
    Source: getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001952000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000002.244243221966.00000000010B2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001952000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000002.244243221966.00000000010B2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.g
    Source: getscreen-226997704-x86.exe, getscreen-226997704-x86.exe, 00000005.00000002.244243221966.00000000010B2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.ge
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001952000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000002.244243221966.00000000010B2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsa
    Source: getscreen-226997704-x86.exe, 00000005.00000002.244243221966.00000000010B2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsc
    Source: getscreen-226997704-x86.exe | String found in binary or memory: https://docs.getscree
    Source: getscreen-226997704-x86.exe | String found in binary or memory: https://docs.getscreen.me/
    Source: getscreen-226997704-x86.exe | String found in binary or memory: https://docs.getscreen.me/e
    Source: getscreen-226997704-x86.exe | String found in binary or memory: https://docs.getscreen.me/en
    Source: getscreen-226997704-x86.exe | String found in binary or memory: https://docs.getscreen.me/en/rules
    Source: getscreen-226997704-x86.exe | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-poli
    Source: getscreen-226997704-x86.exe, getscreen-226997704-x86.exe, 00000005.00000002.244249242964.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, getscreen-226997704-x86.exe, 00000005.00000003.244241437357.0000000002A60000.00000004.00000020.00020000.00000000.sdmp, getscreen-226997704-x86.exe, 00000005.00000003.244241171383.0000000002A5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-polic
    Source: getscreen-226997704-x86.exe, 00000005.00000003.244241062309.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-policy/
    Source: getscreen-226997704-x86.exe | String found in binary or memory: https://docs.getscreen.me/en/rules/ter
    Source: getscreen-226997704-x86.exe, 00000005.00000003.244241062309.0000000002A6C000.00000004.00000020.00020000.00000000.sdmp, getscreen-226997704-x86.exe, 00000005.00000002.244249069870.0000000002A3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/terms-of-use/
    Source: getscreen-226997704-x86.exe, 00000004.00000003.244250288863.0000000007678000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/user-guides/agent/
    Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244229791187.000000000893F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_fd09006f-6
    Source: Yara match | File source: Process Memory Space: getscreen-226997704-x86.exe PID: 6924, type: MEMORYSTR
    Source: getscreen-226997704-x86.exe | Static PE information: Resource name: RT_ICON type: x86 executable not stripped
    Source: tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe.0.dr | Static PE information: Resource name: RT_ICON type: x86 executable not stripped
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244221947699.00000000022BD000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-226997704-x86.exe
    Source: getscreen-226997704-x86.exe, 00000000.00000000.244165272720.00000000022BD000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-226997704-x86.exe
    Source: getscreen-226997704-x86.exe, 00000004.00000002.244275083922.00000000022BD000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-226997704-x86.exe
    Source: getscreen-226997704-x86.exe, 00000004.00000000.244201184835.00000000022BD000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-226997704-x86.exe
    Source: getscreen-226997704-x86.exe, 00000005.00000002.244248144464.00000000022BD000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-226997704-x86.exe
    Source: getscreen-226997704-x86.exe, 00000005.00000000.244201300715.00000000022BD000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-226997704-x86.exe
    Source: getscreen-226997704-x86.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal51.evad.winEXE@8/11@1/1
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | File created: C:\Users\user\AppData\Local\Getscreen.me
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: getscreen-226997704-x86.exe | String found in binary or memory: marker-start
    Source: getscreen-226997704-x86.exe | String found in binary or memory: t-application-status: '{"value":"connecting"}' 02:40:18.953INFOGui send event event-install-status: '{"value":false}' 02:40:18.984INFOGui send event event-domain: '{"value":""}' 02:40:18.984INFOGui send event event-
    Source: getscreen-226997704-x86.exe | String found in binary or memory: IP-address
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | File read: C:\Users\user\Desktop\getscreen-226997704-x86.exe
    Source: unknown | Process created: C:\Users\user\Desktop\getscreen-226997704-x86.exe "C:\Users\user\Desktop\getscreen-226997704-x86.exe"
    Source: unknown | Process created: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe "C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe" -elevate \\.\pipe\elevateGS512tqcebwhlhccnmvlzbgjdymdxhfnpwbt
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Process created: C:\Users\user\Desktop\getscreen-226997704-x86.exe "C:\Users\user\Desktop\getscreen-226997704-x86.exe" -gpipe \\.\pipe\PCommand97ganyuuasgxkwvpe1 -gui
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Process created: C:\Users\user\Desktop\getscreen-226997704-x86.exe "C:\Users\user\Desktop\getscreen-226997704-x86.exe" -cpipe \\.\pipe\PCommand96zvvnazikzfalhbg -cmem 0000pipe0PCommand96zvvnazikzfalhbgosfzk23ai5osclf -child
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Process created: C:\Users\user\Desktop\getscreen-226997704-x86.exe "C:\Users\user\Desktop\getscreen-226997704-x86.exe" -gpipe \\.\pipe\PCommand97ganyuuasgxkwvpe1 -gui
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Users\user\Desktop\getscreen-226997704-x86.exe "C:\Users\user\Desktop\getscreen-226997704-x86.exe" -cpipe \\.\pipe\PCommand96zvvnazikzfalhbg -cmem 0000pipe0PCommand96zvvnazikzfalhbgosfzk23ai5osclf -child
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: dsparse.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: firewallapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: fwbase.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: fwpolicyiomgr.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: mmdevapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: devobj.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe | Section loaded: avrt.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: mfwmaaec.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: mfperfhelper.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: audioses.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: avrt.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: samlib.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeSection loaded: symsrv.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: d3d11.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: dbghelp.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: dxgi.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: iphlpapi.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: mpr.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: msdmo.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: msi.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: netapi32.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: ntdsapi.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: oleacc.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: dxgi.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: powrprof.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: sas.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: secur32.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: userenv.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: usp10.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: version.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: winhttp.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: wininet.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: winmm.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: wtsapi32.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: samcli.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: dsparse.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: sspicli.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: edgegdi.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: umpdc.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: cryptbase.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: netutils.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: kernel.appcore.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: windows.storage.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: wldp.dll
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: edgegdi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: seclogon.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dsparse.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: d2d1.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dwrite.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dataexchange.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dcomp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: twinapi.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: directmanipulation.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: resourcepolicyclient.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dxcore.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: mscms.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: coloradapterclient.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: icm32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: uiautomationcore.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dbghelp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: msi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: sas.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: version.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: wtsapi32.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: dsparse.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Section loaded: winsta.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: getscreen-226997704-x86.exe Static PE information: certificate valid
    Source: getscreen-226997704-x86.exe Static file information: File size 7010088 > 1048576
    Source: getscreen-226997704-x86.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x6a9800
    Source: getscreen-226997704-x86.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdbdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdbb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007786000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdbyK source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A3C9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008F36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\twinapi.appcore.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: e3samlib.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A426000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A1FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb* source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbdllKP source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000941A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: .pdbll (10 source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\symbols\dll\InputHost.pdbndow source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009349000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb! source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbi source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009F5B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\mfperfhelper.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000097EF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdbb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.000000000771E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MpOAV.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A315000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008F98000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winspool.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009349000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009CD9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb` source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdbdb4 source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A426000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008FF3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wwin32u.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008387000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000847F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009DED000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009AFD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\bcryptprimitives.pdb5 source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A484000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009C72000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007779000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009849000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fastprox.pdbbO source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A0D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdbR source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008F36000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000847F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A484000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\WindowManagementAPI.pdb\*0.0./ source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000848A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000927D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000098AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000846E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb. source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A3C9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A0D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009D33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.000000000777F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.000000000771E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdbe=C:SystemRoot=C:\W source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdbb{ source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A06B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008F98000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000940F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000846E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-226997704-x86.pdbL source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.0000000002908000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wimm32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008479000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009409000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009CD9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009E4C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: owManagementAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdbYH source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009730000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009220000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008DBD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\FWPolicyIOMgr.pdbYK source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.000000000295F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244238163483.000000000A87A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: combase.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007779000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3d11.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008DBD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: top\symbols\dll\InputHost.pdbSER3< source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: avrt.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BCE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.000000000848A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: propsys.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A06B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MpOAV.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A315000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A25B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samlib.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244238163483.000000000A87A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A25B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009791000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemcomn.pdbd source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009AFD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009EA6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\mfperfhelper.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000099D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fwpuclnt.pdb*? source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\Win32\Release\getscreen.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001952000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000002.244243221966.00000000010B2000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008ECE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000097EF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009D33000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009DED000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008641000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\samlib.pdb\*U3 source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wbemsvc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\bcryptprimitives.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb] source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\dll\WindowManagementAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009F00000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\Windows.UI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000927D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009916000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdbb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009C72000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000098A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemcomn.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A1FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000076A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009F5B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb< source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\CoreMessaging.pdb* source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009168000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\JSAMSIProvider32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009916000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: DLL\audioses.pdbemory source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000083F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdb: 3.2.D source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wmswsock.pdbB source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000940F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008ECE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009FB6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemprox.pdbdbQ source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: i.appcore.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009F00000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075B5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: top\dll\TextInputFramework.pdb6. source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A011000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008641000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009BBA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000076A4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: PI.pdbv source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000941A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wmswsock.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000008FF3000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009EA6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdb4) source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb*K source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A011000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdbl source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009E4C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fastprox.pdbM source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UI.pdb2. source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000083F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008484000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.000000000941A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemprox.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009BBA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009971000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dll\InputHost.pdbows\M source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000099D5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: userenv.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009168000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wimm32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008479000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004B8A000.00000004.00000020.00020000.00000000.sdmp, getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009FB6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdbp source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wwin32u.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008387000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009220000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009849000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: .pdbdbghel source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fastprox.pdbB source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A1A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbdbf source: getscreen-226997704-x86.exe, 00000000.00000002.244223787408.0000000004BB7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075BA000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000098A9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A36E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdb* source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rk.pdb90 source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-226997704-x86.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.0000000002908000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemcomn.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A426000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.00000000098AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ws2_32.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008490000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009730000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000967B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\WinTypes.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.0000000007590000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msctf.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.0000000009791000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb( source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.00000000075AF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wtsapi32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244230163609.0000000009409000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\TextInputFramework.pdb\*\ntdll source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.0000000008484000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244226458375.000000000777F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: UIComponents.pdbbdo source: getscreen-226997704-x86.exe, 00000000.00000002.244228105506.00000000084A2000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-226997704-x86.exe, 00000000.00000002.244232628650.000000000A1A2000.00000004.00000020.00020000.00000000.sdmp
    Source: tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe.0.dr Static PE information: real checksum: 0x6bdc2f should be: 0x6b69f4
    Source: getscreen-226997704-x86.exe Static PE information: real checksum: 0x6bdc2f should be: 0x6b69f4
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Code function: 4_3_027DA789 push eax; ret 4_3_027DA78A
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Code function: 5_3_02A389C9 push ds; retf 5_3_02A389DA
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Code function: 5_3_02A2C040 push es; iretd 5_3_02A2C041
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Code function: 5_3_02A7C6E5 push eax; iretd 5_3_02A7C792
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Code function: 5_3_02A7CD28 pushad ; iretd 5_3_02A7CD29
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Code function: 5_3_02A7C70E push eax; iretd 5_3_02A7C792
    Source: initial sample Static PE information: section name: UPX0
    Source: initial sample Static PE information: section name: UPX1
    Source: initial sample Static PE information: section name: UPX0
    Source: initial sample Static PE information: section name: UPX1
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe File created: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe File created: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 8
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 8
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 7
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 7
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe System information queried: FirmwareTableInformation
    Source: C:\ProgramData\Getscreen.me\tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe System information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe System information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe System information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe TID: 8216 Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe TID: 8364 Thread sleep count: 230 > 30
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: getscreen-226997704-x86.exe, 00000005.00000003.244239767676.0000000002A26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
    Source: getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ?WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244216272390.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001952000.00000040.00000001.01000000.00000004.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244271035507.00000000010B2000.00000040.00000001.01000000.00000003.sdmp, getscreen-226997704-x86.exe, 00000005.00000002.244243221966.00000000010B2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
    Source: getscreen-226997704-x86.exe, 00000005.00000001.244201588893.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMnet
    Source: tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244184170196.0000000001541000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
    Source: getscreen-226997704-x86.exeBinary or memory string: Hyper-V RAW
    Source: getscreen-226997704-x86.exe, 00000004.00000003.244256741195.0000000002829000.00000004.00000020.00020000.00000000.sdmp, getscreen-226997704-x86.exe, 00000004.00000003.244266654873.000000000282D000.00000004.00000020.00020000.00000000.sdmp, getscreen-226997704-x86.exe, 00000004.00000002.244276239100.0000000002831000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW'
    Source: tqcebwhlhccnmvlzbgjdymdxhfnpwbt-elevate.exe, 00000002.00000002.244183682713.00000000009B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244222430201.0000000002946000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeProcess queried: DebugPortJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Users\user\Desktop\getscreen-226997704-x86.exe "C:\Users\user\Desktop\getscreen-226997704-x86.exe" -cpipe \\.\pipe\PCommand96zvvnazikzfalhbg -cmem 0000pipe0PCommand96zvvnazikzfalhbgosfzk23ai5osclf -childJump to behavior
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244229791187.000000000893F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
    Source: getscreen-226997704-x86.exe, 00000000.00000002.244229791187.000000000893F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
    Source: C:\Users\user\Desktop\getscreen-226997704-x86.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts631
    Windows Management Instrumentation
    1
    DLL Side-Loading
    12
    Process Injection
    1
    Masquerading
    11
    Input Capture
    731
    Security Software Discovery
    Remote Services11
    Input Capture
    1
    Encrypted Channel
    Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts2
    Command and Scripting Interpreter
    Boot or Logon Initialization Scripts1
    DLL Side-Loading
    541
    Virtualization/Sandbox Evasion
    LSASS Memory541
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable Media1
    Ingress Tool Transfer
    Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)12
    Process Injection
    Security Account Manager2
    Process Discovery
    SMB/Windows Admin SharesData from Network Shared Drive2
    Non-Application Layer Protocol
    Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
    Obfuscated Files or Information
    NTDS132
    System Information Discovery
    Distributed Component Object ModelInput Capture3
    Application Layer Protocol
    Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    Software Packing
    LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    DLL Side-Loading
    Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop