Windows Analysis Report
getscreen-799952897-x86.exe

Overview

General Information

Sample name: getscreen-799952897-x86.exe
Analysis ID: 1627696
MD5: ee04a90b6a67eb24998dddbb3e4c586d
SHA1: 83e136fda97591e66770ab25e627b4e352f627d9
SHA256: 030932b22c1057e7bf88de5b55672d4bbc02df28f9777988e8c30446c9603fbe
Tags: exe user-cisdemo

Detection

Score: 51
Range: 0 - 100
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • getscreen-799952897-x86.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\getscreen-799952897-x86.exe" MD5: EE04A90B6A67EB24998DDDBB3E4C586D)
    • getscreen-799952897-x86.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\getscreen-799952897-x86.exe" -gpipe \\.\pipe\PCommand97cnuyhwhieohhlxw1 -gui MD5: EE04A90B6A67EB24998DDDBB3E4C586D)
    • getscreen-799952897-x86.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\getscreen-799952897-x86.exe" -cpipe \\.\pipe\PCommand96svmlgziainmihfp -cmem 0000pipe0PCommand96svmlgziainmihfp9tpqq2l9fuzsra9 -child MD5: EE04A90B6A67EB24998DDDBB3E4C586D)
  • ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe (PID: 7368 cmdline: "C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe" -elevate \\.\pipe\elevateGS512ivtkpwzprvppfnmizjgmaphqjacyyxy MD5: EE04A90B6A67EB24998DDDBB3E4C586D)
  • svchost.exe (PID: 7524 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7640 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source: Process Memory Space: getscreen-799952897-x86.exe PID: 7348; Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
    Source: Process startedAuthor: vburov: Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 7524, ProcessName: svchost.exe
    No Suricata rule has matched

    Compliance

    Source: getscreen-799952897-x86.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: getscreen-799952897-x86.exe; Static PE information: certificate valid
    Source: getscreen-799952897-x86.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000524F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000527C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdbeWinStationGetUserCerti9NXZc^ source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A798000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005260000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.0000000008AD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: e3samlib.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D9E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\FWPolicyIOMgr.pdbdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbdbq source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbationC source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000525A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009839000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009415000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000952E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000952E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A327000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemprox.pdbZ source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009844000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005271000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009300000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A0A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A7F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009472000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009650000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000935B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wwin32u.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005282000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbWinSt source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009EC5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A1B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbnGetAl( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A852000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdb< source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A03B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C10000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085DE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000524F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc.pdb\*s source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000984A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.0000000008AD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A852000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.00000000095E7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C77000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000528D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A798000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: asamlib.pdbll\samlib.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A445000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A0FF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.000000000860D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005271000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\profapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009650000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009FDF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009300000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000982E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085E4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A0A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A2CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009AF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000958A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.000000000861E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000528D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005266000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A15F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A626000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\winsta.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A626000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\bcryptprimitives.pdbh source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009EC5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A218000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdb\* source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D9E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbationN source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.000000000861E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\Win32\Release\getscreen.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.00000000013F2000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.0000000008AD0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A0FF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A1B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdbbp source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008629000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdbiu source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdbbt source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085DE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A445000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.00000000095E7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009CDC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A03B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C71000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009F28000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009415000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000526B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A327000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbH source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000527C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdbR source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A15F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009F28000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009CDC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbX source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005255000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085EB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb0 source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000982E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbPoli source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.0000000008AD0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\winsta.pdbb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A272000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A445000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MpOAV.pdbdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\MpOAV.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A382000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008629000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\InputHost.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009F84000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000526B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wbemsvc.pdb\**m3r source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D37000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb| source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\exe\getscreen-799952897-x86.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009472000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A218000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-799952897-x86.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003088000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000984A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085E4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A382000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A2CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085EB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008602000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009839000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009F84000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\propsys.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Amsi.pdbA source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D37000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdbp source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000935B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D9E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A272000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wwin32u.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005282000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-799952897-x86.pdbU source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003088000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000958A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C10000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005266000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009FDF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A73D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdbb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A56D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005260000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A73D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C71000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MpOAV.pdbb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fastprox.pdb\*I.dl~ source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\dll\wbemsvc.pdbs\ source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005248000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A7F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Windows.Storage.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbbx source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fastprox.pdbT source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbcens4 source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C77000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009AF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009844000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005255000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008602000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdb* source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wmswsock.pdb\* source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.000000000860D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A56D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbP* source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: global traffic | TCP traffic: 192.168.2.4:50033 -> 162.159.36.2:53
    Source: Joe Sandbox View | IP Address: 51.89.95.37 51.89.95.37
    Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/3.2.12 (Win, getscreen.me, 327)
    Source: global traffic | DNS traffic detected: DNS query: getscreen.me
    Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: svchost.exe, 00000005.00000002.2960186878.00000255B7E00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
    Source: svchost.exe, 00000005.00000003.1773652655.00000255B8018000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
    Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
    Source: svchost.exe, 00000005.00000003.1773652655.00000255B8018000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
    Source: svchost.exe, 00000005.00000003.1773652655.00000255B8018000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
    Source: svchost.exe, 00000005.00000003.1773652655.00000255B804D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
    Source: edb.log.5.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.00000000013F2000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://proxy.contoso.com:3128/
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
    Source: getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.00000000013F2000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.00000000017C1000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.00000000013F2000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.g
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.00000000013F2000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.ge
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.00000000013F2000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsa
    Source: getscreen-799952897-x86.exe, 00000004.00000002.1928499402.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.getsc
    Source: getscreen-799952897-x86.exe, 00000002.00000003.1969721205.000000000888E000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1987985566.0000000008893000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000003.1959320258.000000000888B000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000003.1966623879.000000000888C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscr
    Source: getscreen-799952897-x86.exe, 00000002.00000003.1978137925.0000000003462000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000003.1976524046.0000000003461000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000003.1976404197.0000000003457000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me
    Source: getscreen-799952897-x86.exe, 00000004.00000002.1928331163.000000000099C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/privacy-policy/
    Source: getscreen-799952897-x86.exe, 00000004.00000002.1928331163.000000000099C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/en/rules/terms-of-use/
    Source: getscreen-799952897-x86.exe, 00000002.00000003.1940058537.0000000007FB8000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000003.1950392828.0000000007EE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/user-guides/agent/
    Source: getscreen-799952897-x86.exe, 00000002.00000003.1770965031.0000000007FB8000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000003.1940058537.0000000007FB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.getscreen.me/user-guides/agent/div
    Source: svchost.exe, 00000005.00000003.1773652655.00000255B80C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
    Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
    Source: svchost.exe, 00000005.00000003.1773652655.00000255B80C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
    Source: svchost.exe, 00000005.00000003.1773652655.00000255B80C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
    Source: edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
    Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
    Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1924586669.0000000008CD4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NtUserGetRawInputDatamemstr_c3b7a867-6
    Source: Yara match | File source: Process Memory Space: getscreen-799952897-x86.exe PID: 7348, type: MEMORYSTR
    Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    Source: getscreen-799952897-x86.exe | Static PE information: Resource name: RT_ICON type: x86 executable not stripped
    Source: ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe.0.dr | Static PE information: Resource name: RT_ICON type: x86 executable not stripped
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A626000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameamsi.dllj% vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCFGMGR32.DLLj% vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreUIComponents.dllj% vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009415000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerasadhlp.dllj% vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009123000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSAMLib.DLLj% vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000528D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefwpuclnt.dll.muij% vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000000.00000000.1711047310.0000000002DDD000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1910002400.0000000002DDD000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000002.00000002.1982942934.0000000002DDD000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000002.00000000.1756213608.0000000002DDD000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000004.00000002.1930900009.0000000002DDD000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe, 00000004.00000000.1769230648.0000000002DDD000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-799952897-x86.exe
    Source: getscreen-799952897-x86.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal51.evad.winEXE@9/13@2/2
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe | File created: C:\Users\user\AppData\Local\Getscreen.me
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeFile read: C:\Users\user\Desktop\getscreen-799952897-x86.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\getscreen-799952897-x86.exe "C:\Users\user\Desktop\getscreen-799952897-x86.exe"
    Source: unknownProcess created: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe "C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe" -elevate \\.\pipe\elevateGS512ivtkpwzprvppfnmizjgmaphqjacyyxy
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeProcess created: C:\Users\user\Desktop\getscreen-799952897-x86.exe "C:\Users\user\Desktop\getscreen-799952897-x86.exe" -gpipe \\.\pipe\PCommand97cnuyhwhieohhlxw1 -gui
    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeProcess created: C:\Users\user\Desktop\getscreen-799952897-x86.exe "C:\Users\user\Desktop\getscreen-799952897-x86.exe" -cpipe \\.\pipe\PCommand96svmlgziainmihfp -cmem 0000pipe0PCommand96svmlgziainmihfp9tpqq2l9fuzsra9 -child
    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeProcess created: C:\Users\user\Desktop\getscreen-799952897-x86.exe "C:\Users\user\Desktop\getscreen-799952897-x86.exe" -gpipe \\.\pipe\PCommand97cnuyhwhieohhlxw1 -guiJump to behavior
    Source: C:\Windows\System32\svchost.exeProcess created: C:\Users\user\Desktop\getscreen-799952897-x86.exe "C:\Users\user\Desktop\getscreen-799952897-x86.exe" -cpipe \\.\pipe\PCommand96svmlgziainmihfp -cmem 0000pipe0PCommand96svmlgziainmihfp9tpqq2l9fuzsra9 -childJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: msdmo.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: ntdsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: sas.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dsparse.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: firewallapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: fwbase.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: fwpolicyiomgr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: mmdevapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: devobj.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: avrt.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: mfwmaaec.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: mfperfhelper.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: avrt.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: audioses.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: windows.ui.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: windowmanagementapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: inputhost.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: samlib.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: symsrv.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: mpr.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: msdmo.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: msi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: ntdsapi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: sas.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: secur32.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: userenv.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: usp10.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: version.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: wininet.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: winmm.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: samcli.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: dsparse.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: netutils.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: wldp.dllJump to behavior
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: msdmo.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: ntdsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: sas.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dsparse.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: d2d1.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dwrite.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dataexchange.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dcomp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: directmanipulation.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dxcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: mscms.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: coloradapterclient.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: icm32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: uiautomationcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: seclogon.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: msdmo.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: msi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: ntdsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: oleacc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: sas.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: usp10.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wtsapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: dsparse.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32Jump to behavior
    Source: getscreen-799952897-x86.exeStatic PE information: certificate valid
    Source: getscreen-799952897-x86.exeStatic file information: File size 7010088 > 1048576
    Source: getscreen-799952897-x86.exeStatic PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x6a9800
    Source: getscreen-799952897-x86.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\TextInputFramework.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000524F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreUIComponents.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000527C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdbeWinStationGetUserCerti9NXZc^ source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A798000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005260000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.0000000008AD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: e3samlib.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D9E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fwpuclnt.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\FWPolicyIOMgr.pdbdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc6.pdbdbq source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbationC source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: advapi32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000525A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009839000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009415000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000952E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: usp10.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000952E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A327000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wbemprox.pdbZ source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009844000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005271000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009300000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A0A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fwbase.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009E62000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A7F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009472000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009650000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000935B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wwin32u.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005282000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbWinSt source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009EC5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A1B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbnGetAl( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A852000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\wmswsock.pdb< source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A03B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C10000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085DE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernel32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000524F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc.pdb\*s source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000984A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdsapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.0000000008AD6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ole32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085FC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: rasadhlp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A852000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.00000000095E7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C77000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000528D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A798000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: asamlib.pdbll\samlib.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A445000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: twinapi.appcore.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A3DC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A0FF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.000000000860D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comdlg32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005271000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\profapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winmm.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009650000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009FDF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleacc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009300000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shell32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085F1000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000982E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085E4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MFWMAAEC.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A0A5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A2CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009AF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000958A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.000000000861E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\twinapi.appcore.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wgdi32full.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000528D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005266000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A15F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A626000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\winsta.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: fastprox.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A626000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\bcryptprimitives.pdbh source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FWPolicyIOMgr.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009EC5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A218000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdb\* source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D9E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dhcpcsvc6.pdbationN source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dbghelp.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.000000000861E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Github-runner\_work\agent-windows\agent-windows\console\Win32\Release\getscreen.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.00000000013F2000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp
    Source: Binary string: netapi32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.0000000008AD0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcryptprimitives.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009BB6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mfperfhelper.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A0FF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.UI.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A1B9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdbbp source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008629000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdbiu source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\samlib.pdbbt source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wuser32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085DE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A445000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wininet.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.00000000095E7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009CDC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cfgmgr32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A03B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C71000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009F28000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: bcrypt.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009415000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000526B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreMessaging.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A327000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbH source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000527C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdbR source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: audioses.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A15F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntmarta.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009F28000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CLBCatQ.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009CDC000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdbX source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005255000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085EB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb0 source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: samcli.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000982E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbPoli source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netapi32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.0000000008AD0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\winsta.pdbb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A272000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: InputHost.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A445000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MpOAV.pdbdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\MpOAV.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A382000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: iphlpapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008629000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\InputHost.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009F84000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\twinapi.appcore.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\WindowManagementAPI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wrpcrt4.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.000000000526B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wbemsvc.pdb\**m3r source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D37000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\fwpuclnt.pdb| source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\rasadhlp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\JSAMSIProvider32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\exe\getscreen-799952897-x86.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: secur32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009472000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: TextInputFramework.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A218000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-799952897-x86.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003088000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netutils.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000984A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\rasadhlp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp_win.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085E4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WinTypes.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A382000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: WindowManagementAPI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A2CD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: shlwapi.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000085EB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008602000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wsspicli.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009839000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: MMDevAPI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009F84000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\propsys.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Amsi.pdbA source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: FirewallAPI.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D37000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdbp source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\JSAMSIProvider32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: powrprof.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000935B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dnsapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009D9E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CoreUIComponents.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A272000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wwin32u.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005282000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\exe\getscreen-799952897-x86.pdbU source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003088000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: winhttp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.000000000958A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Windows.Storage.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C10000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sechost.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005266000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: devobj.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009FDF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A73D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdbb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A56D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\DLL\dhcpcsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005260000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A73D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: profapi.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C71000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\MpOAV.pdbb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\fastprox.pdb\*I.dl~ source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \user\Desktop\dll\wbemsvc.pdbs\ source: getscreen-799952897-x86.exe, 00000000.00000002.1920990574.000000000881C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\rasadhlp.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\DLL\dhcpcsvc6.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005248000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wmswsock.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A7F5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\Windows.Storage.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\CoreMessaging.pdbbx source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.0000000003126000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\fastprox.pdbT source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbcens4 source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009C77000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wUxTheme.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.0000000009AF8000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: cryptbase.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1924941258.0000000009844000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wkernelbase.pdb( source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005255000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\symbols\dll\wbemsvc.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oleaut32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.0000000008602000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\InputHost.pdb* source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\wmswsock.pdb\* source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: comctl32.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.000000000860D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wbemprox.pdb source: getscreen-799952897-x86.exe, 00000000.00000002.1927550647.000000000A56D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\dll\samlib.pdbP* source: getscreen-799952897-x86.exe, 00000000.00000002.1917313238.00000000084AE000.00000004.00000020.00020000.00000000.sdmp
    Source: ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe.0.dr Static PE information: real checksum: 0x6bdc2f should be: 0x6bc1e5
    Source: getscreen-799952897-x86.exe Static PE information: real checksum: 0x6bdc2f should be: 0x6bc1e5
    Source: initial sample Static PE information: section name: UPX0
    Source: initial sample Static PE information: section name: UPX1
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe File created: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
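    The two "real checksum ... should be" lines above come from recomputing the optional-header CheckSum field and comparing it with the value stored in the file. The Python below is an added example, not part of the Joe Sandbox report or of the getscreen executable it analyses; it implements the same check with the algorithm imagehlp!CheckSumMappedFile uses (sum the image as 32-bit words with end-around carry, skip the CheckSum field itself, fold to 16 bits, add the file length). The MZ/PE stub it builds in build_test_image is a constructed header of my own, not the sample; to check a real file, pass its bytes to verify. A caveat worth keeping in mind when reading such a signature: Windows enforces this field only for kernel-mode drivers and a few boot-critical system DLLs, so on a user-mode executable a mismatch says the file was rewritten after it was linked (packers are the usual cause) and nothing more on its own.

```python
import struct

# Header offsets from the PE/COFF specification: e_lfanew sits at 0x3C in the DOS
# header; CheckSum sits at +64 in the optional header, which follows the 4-byte
# "PE\0\0" signature and the 20-byte COFF file header.
E_LFANEW_OFFSET = 0x3C
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, after validating both signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum the way imagehlp!CheckSumMappedFile does:
    sum the file as little-endian 32-bit words with end-around carry, skipping
    the CheckSum dword itself, fold the sum to 16 bits and add the file length."""
    skip = checksum_field_offset(data)  # dword-aligned in any well-formed image
    total = 0
    # Zero-pad the tail so a file whose length is not a multiple of 4 still sums whole words.
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        (word,) = struct.unpack_from("<I", padded, off)
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    """The CheckSum value whoever last wrote the header left in the file."""
    (value,) = struct.unpack_from("<I", data, checksum_field_offset(data))
    return value


def verify(data: bytes) -> bool:
    """True when the stored CheckSum matches a fresh computation over the file."""
    return stored_checksum(data) == pe_checksum(data)


def fix_checksum(data: bytes) -> bytes:
    """Copy of the image with CheckSum rewritten to the recomputed value."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, checksum_field_offset(data), pe_checksum(data))
    return bytes(patched)


def build_test_image() -> bytes:
    """Constructed minimal MZ/PE header plus filler (not a loadable executable);
    only the fields the checksum walk looks at are populated."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFFSET, 0x80)   # e_lfanew -> PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x014C)            # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)         # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", img, 0x98, 0x010B)            # OptionalHeader.Magic = PE32
    img[0x100:0x200] = bytes(range(256))                 # stand-in for section data
    return bytes(img)


if __name__ == "__main__":
    image = build_test_image()
    print(f"stored=0x{stored_checksum(image):x} computed=0x{pe_checksum(image):x} ok={verify(image)}")
    image = fix_checksum(image)
    print(f"after fix: stored=0x{stored_checksum(image):x} ok={verify(image)}")
```

    On the sample itself this is the comparison the report summarises: the header carries 0x6bdc2f while the file sums to 0x6bc1e5. Because the CheckSum dword is excluded from its own computation, writing the recomputed value back (fix_checksum) makes verify return true without changing the sum.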

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 14
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe System information queried: FirmwareTableInformation
    Source: C:\ProgramData\Getscreen.me\ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe System information queried: FirmwareTableInformation
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe Window / User API: threadDelayed 789
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe Window / User API: windowPlacementGot 866
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe Window / User API: threadDelayed 889
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe TID: 7440 Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe TID: 7748 Thread sleep count: 889 > 30
    Source: C:\Windows\System32\svchost.exe TID: 7680 Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1914974406.00000000063CB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: {"token":"","uid":"71434D56-1548-ED3D-AEE6-C75AECD93BF0","turbo":"2342341740972258tHcdbwBFJVpavwsYDHgm","turbo_old":"","invite":"","brand":"","install":false,"admin":true,"isadmin":true,"onetime":true,"file_download":true,"name":"320946","nonadmin":true,"islock":false,"blackscreen_available":true,"hibernate":true,"power_supply":true,"silent":false,"confirm":false,"start_time":1740973392,"os":"win","rdp":false,"os_user":"user","os_username":"","build":327,"version":"3.2.12","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"CPUSpeed\":2000,\"CPUCores\":4,\"CPUCoresLogical\":1,\"CPUFamily\":\"Intel64 Family 6 Model 143 Stepping 8\",\"BIOS\":\"9YD9CE4UHG\",\"BIOSVersion\":\"20221121\",\"BIOSDate\":\"\",\"RAMPhys\":8191,\"RAMPhysAvail\":2077,\"RAMVirt\":2047,\"RAMVirtAvail\":1866,\"RAMPageFile\":8191,\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Locator\":\"RAM slot #0\",\"DataWidth\":64,\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":40@
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $VMware Virtual RAM
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1914974406.00000000063CB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: {"CPU":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","CPUSpeed":2000,"CPUCores":4,"CPUCoresLogical":1,"CPUFamily":"Intel64 Family 6 Model 143 Stepping 8","BIOS":"9YD9CE4UHG","BIOSVersion":"20221121","BIOSDate":"","RAMPhys":8191,"RAMPhysAvail":2077,"RAMVirt":2047,"RAMVirtAvail":1866,"RAMPageFile":8191,"RAMBanks":[{"Bank":"RAM slot #0","Locator":"RAM slot #0","DataWidth":64,"Manufacturer":"VMware Virtual RAM","PartNumber":"VMW-4096MB","SerialNumber":"00000001","Capacity":4096}],"VideoName":"CO86W23","VideoRAM":1024,"VideoCards":[{"Name":"CO86W23","RAM":1024,"Integrated":false}],"Locale":"0809","LocaleOemPage":"1252","LocaleCountry":"Switzerland","LocaleCurrency":"CHF","LocaleTimezone":60,"LocaleFormatTime":"HH:mm:ss","LocaleFormatDate":"dd\/MM\/yyyy","ComputerModel":"Hc3 GS9d","ComputerDomain":"tylnd","ComputerWorkgroup":"WORKGROUP","ComputerName":"user-PC","ComputerIP":["192.168.2.4","fe80::29b9:a951:1791:4eb3"],"OSName":"Microsoft Windows 10 Pro","OSVersion":"10.0.19045","HDD":[{"Model":"Z369DRGT SCSI Disk Device
    Source: getscreen-799952897-x86.exe, 00000002.00000002.1983516626.0000000003426000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1907037485.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.00000000013F2000.00000040.00000001.01000000.00000004.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1978893585.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp, getscreen-799952897-x86.exe, 00000004.00000002.1928499402.0000000001BD2000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
    Source: getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMnet
    Source: getscreen-799952897-x86.exe, 00000004.00000002.1928499402.00000000017C1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1914974406.00000000063C0000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: RAM slot #0RAM slot #0@VMware Virtual RAMVMW-4096MB00000001
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"token":"","uid":"71434D56-1548-ED3D-AEE6-C75AECD93BF0","turbo":"2342341740972258tHcdbwBFJVpavwsYDHgm","turbo_old":"","invite":"","brand":"","install":false,"admin":true,"isadmin":true,"onetime":true,"file_download":true,"name":"320946","nonadmin":true,"islock":false,"blackscreen_available":true,"hibernate":true,"power_supply":true,"silent":false,"confirm":false,"start_time":1740973392,"os":"win","rdp":false,"os_user":"user","os_username":"","build":327,"version":"3.2.12","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"CPUSpeed\":2000,\"CPUCores\":4,\"CPUCoresLogical\":1,\"CPUFamily\":\"Intel64 Family 6 Model 143 Stepping 8\",\"BIOS\":\"9YD9CE4UHG\",\"BIOSVersion\":\"20221121\",\"BIOSDate\":\"\",\"RAMPhys\":8191,\"RAMPhysAvail\":2077,\"RAMVirt\":2047,\"RAMVirtAvail\":1866,\"RAMPageFile\":8191,\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Locator\":\"RAM slot #0\",\"DataWidth\":64,\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":4096}],\"VideoName\":\"CO86W23\",\"VideoRAM\":1024,\"VideoCards\":[{\"Name\":\"CO86W23\",\"RAM\":1024,\"Integrated\":false}],\"Locale\":\"0809\",\"LocaleOemPage\":\"1252\",\"LocaleCountry\":\"Switzerland\",\"LocaleCurrency\":\"CHF\",\"LocaleTimezone\":60,\"LocaleFormatTime\":\"HH:mm:ss\",\"LocaleFormatDate\":\"dd\\\/MM\\\/yyyy\",\"ComputerModel\":\"Hc3 GS9d\",\"ComputerDomain\":\"tylnd\",\"ComputerWorkgroup\":\"WORKGROUP\",\"ComputerName\":\"user-PC\",\"ComputerIP\":[\"192.168.2.4\",\"fe80::29b9:a951:1791:4eb3\"],\"OSName\":\"Microsoft Windows 10 Pro\",\"OSVersion\":\"10.0.19045\",\"HDD\":[{\"Model\":\"Z369DRGT SCSI Disk Device\",\"Size\":393199}],\"LogicalDisks\":[{\"Disk\":\"C:\",\"Name\":\"\",\"FileSystem\":\"NTFS\",\"Size\":213143,\"FreeSpace\":19035}],\"SoundDevices\":[],\"NetAdapters\":[{\"Name\":\"Intel(R) 82574L Gigabit Network Connection\",\"Manufacturer\":\"Intel Corporation\",\"MACAddress\":\"EC:F4:BB:EA:15:88\",\"Speed\":953,\"Addresses\":\"192.168.2.4, fe80::29b9:a951:1791:4eb3\",\"DNS\":\"1.1.1.1\",\"DCHP\":\"\",\"Cable\":true,\"WoL\":false}],\"Monitors\":[]}"}
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $VMware Virtual RAMpiL
    Source: ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1739872358.0000000000FE1000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: sWebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=
    Source: getscreen-799952897-x86.exe, 00000002.00000003.1974569137.00000000034D4000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000003.1978215297.00000000034D8000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000003.1959219965.00000000034CD000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1984267881.00000000034D8000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000002.1984978864.00000000055D0000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000002.00000003.1941422082.00000000034CC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2958415860.00000255B282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2960392962.00000255B7E5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1914974406.00000000063C0000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1911383903.0000000005201000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"token":"","uid":"71434D56-1548-ED3D-AEE6-C75AECD93BF0","turbo":"2342341740972258tHcdbwBFJVpavwsYDHgm","turbo_old":"","invite":"","brand":"","install":false,"admin":true,"isadmin":true,"onetime":true,"file_download":true,"name":"320946","nonadmin":true,"islock":false,"blackscreen_available":true,"hibernate":true,"power_supply":true,"silent":false,"confirm":false,"start_time":1740973392,"os":"win","rdp":false,"os_user":"user","os_username":"","build":327,"version":"3.2.12","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"CPUSpeed\":2000,\"CPUCores\":4,\"CPUCoresLogical\":1,\"CPUFamily\":\"Intel64 Family 6 Model 143 Stepping 8\",\"BIOS\":\"9YD9CE4UHG\",\"BIOSVersion\":\"20221121\",\"BIOSDate\":\"\",\"RAMPhys\":8191,\"RAMPhysAvail\":2077,\"RAMVirt\":2047,\"RAMVirtAvail\":1866,\"RAMPageFile\":8191,\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Locator\":\"RAM slot #0\",\"DataWidth\":64,\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":4096}],\"VideoName\":\"CO86W23\",\"VideoRAM\":1024,\"VideoCards\":[{\"Name\":\"CO86W23\",\"RAM\":1024,\"Integrated\":false}],\"Locale\":\"0809\",\"LocaleOemPage\":\"1252\",\"LocaleCountry\":\"Switzerland\",\"LocaleCurrency\":\"CHF\",\"LocaleTimezone\":60,\"LocaleFormatTime\":\"HH:mm:ss\",\"LocaleFormatDate\":\"dd\\\/MM\\\/yyyy\",\"ComputerModel\":\"Hc3 GS9d\",\"ComputerDomain\":\"tylnd\",\"ComputerWorkgroup\":\"WORKGROUP\",\"ComputerName\":\"user-PC\",\"ComputerIP\":[\"192.168.2.4\",\"fe80::29b9:a951:1791:4eb3\"],\"OSName\":\"Microsoft Windows 10 Pro\",\"OSVersion\":\"10.0.19045\",\"HDD\":[{\"Model\":\"Z369DRGT SCSI Disk Device\",\"Size\":393199}],\"LogicalDisks\":[{\"Disk\":\"C:\",\"Name\":\"\",\"FileSystem\":\"NTFS\",\"Size\":213143,\"FreeSpace\":19035}],\"SoundDevices\":[],\"NetAdapters\":[{\"Name\":\"Intel(R) 82574L Gigabit Network Connection\",\"Manufacturer\":\"Intel Corporation\",\"MACAddress\":\"EC:F4:BB:EA:15:88\",\"Speed\":953,\"Addresses\":\"192.168.2.4, fe80::29b9:a951:1791:4eb3\",\"DNS\":\"1.1.1.1\",\"DCHP\":\"\",\"Cable\":true,\"WoL\":false}],\"Monitors\":[]}"}NNX-@]
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1910127385.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, ivtkpwzprvppfnmizjgmaphqjacyyxy-elevate.exe, 00000001.00000002.1742055711.00000000028A5000.00000004.00000020.00020000.00000000.sdmp, getscreen-799952897-x86.exe, 00000004.00000003.1926504894.0000000000946000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe Process queried: DebugPort
    Source: C:\Windows\System32\svchost.exe Process created: C:\Users\user\Desktop\getscreen-799952897-x86.exe "C:\Users\user\Desktop\getscreen-799952897-x86.exe" -cpipe \\.\pipe\PCommand96svmlgziainmihfp -cmem 0000pipe0PCommand96svmlgziainmihfp9tpqq2l9fuzsra9 -child
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1924513905.0000000008C28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
    Source: getscreen-799952897-x86.exe, 00000000.00000002.1924513905.0000000008C28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
    Source: C:\Users\user\Desktop\getscreen-799952897-x86.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
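    The WMI queries listed under Malware Analysis System Evasion and the {"token": ...} memory strings describe one activity from two sides. The agent's "hardware" JSON has a member for each class queried: Win32_Processor feeds CPU, Win32_BIOS feeds BIOS, Win32_PhysicalMemory feeds RAMBanks, Win32_DiskDrive feeds HDD, Win32_LogicalDisk feeds LogicalDisks, Win32_SoundDevice feeds SoundDevices, Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration feed NetAdapters (Addresses, DNS, DCHP), and Win32_ComputerSystem feeds ComputerModel, ComputerName, ComputerDomain and ComputerWorkgroup. That inventory, together with the session "uid" and "turbo" values, is what sits in process memory. Whether a hardware inventory of this kind is sandbox evasion or ordinary remote-access telemetry is a judgement the report leaves to the analyst; what can be done mechanically is to pull the blob out of a memory dump, parse it, and list both the identifiers worth pivoting on and the virtualization markers it carries (here the RAM bank's "VMware Virtual RAM" and "VMW-4096MB"). The Python below is an added example, not code from the Joe Sandbox report or from the getscreen executable it analyses. Its sample dump is constructed from the memory string above, trimmed to the fields it uses, and the hypervisor marker list is my own assumption. Because the first copy of the string in the report is cut off ("Capacity\":40@"), the parser uses raw_decode from each {"token": anchor and skips copies that do not parse instead of failing on them.

```python
import json
import re

# Substrings that identify a hypervisor product in hardware inventory strings.
# Assumption: this list is my own, not something the report defines; extend it as needed.
VM_MARKERS = ("vmware", "vmw-", "virtualbox", "vbox", "hyper-v", "virtual machine",
              "qemu", "kvm", "xen", "parallels")

# Constructed sample: the agent's state blob as it appears in the report's memory strings,
# trimmed to the fields used below. "hardware" is a JSON document stored as a string
# inside the outer JSON, so it needs a second decode.
AGENT_BLOB = r'''{"token":"","uid":"71434D56-1548-ED3D-AEE6-C75AECD93BF0","turbo":"2342341740972258tHcdbwBFJVpavwsYDHgm","onetime":true,"start_time":1740973392,"os":"win","os_user":"user","build":327,"version":"3.2.12","hardware":"{\"CPU\":\"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\"BIOS\":\"9YD9CE4UHG\",\"RAMBanks\":[{\"Bank\":\"RAM slot #0\",\"Manufacturer\":\"VMware Virtual RAM\",\"PartNumber\":\"VMW-4096MB\",\"SerialNumber\":\"00000001\",\"Capacity\":4096}],\"ComputerModel\":\"Hc3 GS9d\",\"ComputerName\":\"user-PC\",\"ComputerIP\":[\"192.168.2.4\",\"fe80::29b9:a951:1791:4eb3\"],\"OSName\":\"Microsoft Windows 10 Pro\",\"OSVersion\":\"10.0.19045\",\"HDD\":[{\"Model\":\"Z369DRGT SCSI Disk Device\",\"Size\":393199}],\"NetAdapters\":[{\"Name\":\"Intel(R) 82574L Gigabit Network Connection\",\"MACAddress\":\"EC:F4:BB:EA:15:88\",\"DNS\":\"1.1.1.1\"}],\"SoundDevices\":[]}"}'''
# Surrounding bytes mimic the unrelated data a real dump would carry around the blob.
SAMPLE_DUMP = b"\x00\x10$VMware Virtual RAMpiL\x00\x00" + AGENT_BLOB.encode() + b"NNX-@]\x00\x00"


def extract_agent_records(dump: bytes) -> list:
    """Find every {"token": ...} object in a memory dump and parse it, including the
    nested "hardware" document. Copies that are truncated are skipped, not fatal."""
    text = dump.decode("latin-1")  # one char per byte: offsets survive and decoding never fails
    decoder = json.JSONDecoder()
    records = []
    for match in re.finditer(r'\{"token":', text):
        try:
            record, _end = decoder.raw_decode(text, match.start())
        except json.JSONDecodeError:
            continue
        hardware = record.get("hardware")
        if isinstance(hardware, str):
            try:
                record["hardware"] = json.loads(hardware)
            except json.JSONDecodeError:
                record["hardware"] = None
        records.append(record)
    return records


def _walk_strings(value, path=""):
    """Yield (json_path, string) for every string leaf of a nested JSON value."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from _walk_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from _walk_strings(item, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def vm_indicators(hardware: dict) -> list:
    """'path=value' for every inventory string that names a hypervisor product."""
    hits = []
    for path, text in _walk_strings(hardware):
        lowered = text.lower()
        if any(marker in lowered for marker in VM_MARKERS):
            hits.append(f"{path}={text}")
    return hits


def triage(dump: bytes) -> list:
    """Per record: session identifiers to pivot on, the host identity the agent reported,
    and the virtualization markers present in its hardware inventory."""
    results = []
    for record in extract_agent_records(dump):
        hardware = record.get("hardware") or {}
        results.append({
            "uid": record.get("uid"),
            "turbo": record.get("turbo"),
            "version": record.get("version"),
            "computer": hardware.get("ComputerName"),
            "ips": hardware.get("ComputerIP", []),
            "macs": [adapter.get("MACAddress") for adapter in hardware.get("NetAdapters", [])],
            "vm_indicators": vm_indicators(hardware),
        })
    return results


if __name__ == "__main__":
    for result in triage(SAMPLE_DUMP):
        print(json.dumps(result, indent=2))
```

    Run against a full process dump, the same loop finds every copy of the state blob; the uid and turbo strings are the values to search for in proxy or server logs, and the vm_indicators list shows which inventory fields gave the analysis environment away (on this report, only the RAM bank manufacturer and part number).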
    MITRE ATT&CK Matrix (techniques listed per tactic; the digits the report shows in front of a technique are its badge numbers, kept as extracted; techniques without digits carry no badge)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: 631 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: 12 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: 11 Masquerading; 551 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
    Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: 741 Security Software Discovery; 551 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 142 System Information Discovery; Wi-Fi Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: 11 Input Capture; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop