cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
Size

3.5MB
MD5

e7c183620a2bc16aff6815096913fc49
SHA1

d9580ede84a5fd2e79d0f055219d720d0d943c8e
SHA256

cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca
SHA512

bf5a1d48952db6a879211068512a4d2704e824a9d3d0d5566f3b3b1e150e686c40ea12c7adcd24623cf851846cf9b13b753377ceef757dfc170426781ec8442b
SSDEEP

49152:zv26srWDXTpLrTCwNvWVXIswbvYJ9lpbQudI4XFKnAXUq7kOkqGTglRU8Kove1gz:zvCVVYsGdO7XmoSdndSgAGY

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 27 IoCs

pid	Process
2632	dskgelddzawtcavcbzlqcahovrfmzsz-elevate.exe
4116	getscreen.exe
4892	getscreen.exe
2216	getscreen.exe
3240	getscreen.exe
4820	getscreen.exe
1672	getscreen.exe
1292	getscreen.exe
4364	getscreen.exe
744	getscreen.exe
4872	getscreen.exe
2728	getscreen.exe
2716	getscreen.exe
3316	getscreen.exe
1496	getscreen.exe
1444	getscreen.exe
3160	getscreen.exe
5040	getscreen.exe
2312	getscreen.exe
860	getscreen.exe
4316	getscreen.exe
1980	getscreen.exe
3204	getscreen.exe
1744	getscreen.exe
548	getscreen.exe
3496	getscreen.exe
4452	getscreen.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Getscreen.me\settings.dat	getscreen.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Getscreen.me\settings.dat	getscreen.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2076-0-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/memory/456-6-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-7.dat	upx
behavioral2/memory/2632-9-0x0000000000930000-0x0000000002088000-memory.dmp	upx
behavioral2/memory/1160-18-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/memory/1160-28-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/memory/456-34-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/memory/2076-35-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/memory/2632-36-0x0000000000930000-0x0000000002088000-memory.dmp	upx
behavioral2/memory/2076-45-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/memory/2632-44-0x0000000000930000-0x0000000002088000-memory.dmp	upx
behavioral2/memory/1092-55-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/memory/4892-60-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2076-61-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/memory/4116-62-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2076-69-0x0000000000420000-0x0000000001B78000-memory.dmp	upx
behavioral2/memory/2216-76-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/3240-75-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-80-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4820-83-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-84-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/1672-90-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-91-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/1292-97-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-98-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4364-104-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-105-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/744-111-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-112-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4872-118-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-119-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-120-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2728-126-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-127-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2716-133-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-134-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/3316-140-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-141-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-148-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/1496-147-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/1444-154-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-155-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/3160-161-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-162-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/5040-168-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-169-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2312-175-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-176-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/860-182-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-183-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4316-189-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-190-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/1980-196-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-197-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-198-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/3204-204-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-205-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/1744-211-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-212-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/548-218-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4116-219-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/3496-225-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/2216-226-0x0000000000140000-0x0000000001898000-memory.dmp	upx
behavioral2/memory/4452-232-0x0000000000140000-0x0000000001898000-memory.dmp	upx

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Getscreen.me\getscreen.exe	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\getscreen.exe	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe
File opened for modification	C:\Program Files (x86)\Getscreen.me\logs\20241119.log	getscreen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dskgelddzawtcavcbzlqcahovrfmzsz-elevate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getscreen.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\getscreen.exe = "11001"	getscreen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	getscreen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main	getscreen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl	getscreen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	getscreen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe = "11001"	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe = "11001"	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\GetScreen	getscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\GetScreen\Getscreen.me	getscreen.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\GetScreen\Getscreen.me\ProxyEnable = "0"	getscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\GetScreen\Getscreen.me\ProxyServer	getscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\GetScreen\Getscreen.me\ProxyPassword	getscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	getscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\GetScreen\Getscreen.me	getscreen.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	getscreen.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\GetScreen\Getscreen.me\ProxyType = "0"	getscreen.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\GetScreen\Getscreen.me\ProxyPort = "0"	getscreen.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\GetScreen\Getscreen.me\ProxyLogin	getscreen.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4116	getscreen.exe
4116	getscreen.exe
4892	getscreen.exe
4892	getscreen.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	getscreen.exe
Token: SeIncBasePriorityPrivilege	4116	getscreen.exe
Token: SeIncBasePriorityPrivilege	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
2216	getscreen.exe
2216	getscreen.exe
2216	getscreen.exe
2216	getscreen.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
456	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
2216	getscreen.exe
2216	getscreen.exe
2216	getscreen.exe
2216	getscreen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 456	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe	83
PID 2076 wrote to memory of 456	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe	83
PID 2076 wrote to memory of 456	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe	83
PID 2076 wrote to memory of 1160	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe	93
PID 2076 wrote to memory of 1160	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe	93
PID 2076 wrote to memory of 1160	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe	93
PID 4116 wrote to memory of 4892	4116	getscreen.exe	96
PID 4116 wrote to memory of 4892	4116	getscreen.exe	96
PID 4116 wrote to memory of 4892	4116	getscreen.exe	96
PID 4116 wrote to memory of 2216	4116	getscreen.exe	97
PID 4116 wrote to memory of 2216	4116	getscreen.exe	97
PID 4116 wrote to memory of 2216	4116	getscreen.exe	97
PID 2076 wrote to memory of 1092	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe	100
PID 2076 wrote to memory of 1092	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe	100
PID 2076 wrote to memory of 1092	2076	cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe	100
PID 4116 wrote to memory of 3240	4116	getscreen.exe	101
PID 4116 wrote to memory of 3240	4116	getscreen.exe	101
PID 4116 wrote to memory of 3240	4116	getscreen.exe	101
PID 4116 wrote to memory of 4820	4116	getscreen.exe	102
PID 4116 wrote to memory of 4820	4116	getscreen.exe	102
PID 4116 wrote to memory of 4820	4116	getscreen.exe	102
PID 4116 wrote to memory of 1672	4116	getscreen.exe	105
PID 4116 wrote to memory of 1672	4116	getscreen.exe	105
PID 4116 wrote to memory of 1672	4116	getscreen.exe	105
PID 4116 wrote to memory of 1292	4116	getscreen.exe	107
PID 4116 wrote to memory of 1292	4116	getscreen.exe	107
PID 4116 wrote to memory of 1292	4116	getscreen.exe	107
PID 4116 wrote to memory of 4364	4116	getscreen.exe	109
PID 4116 wrote to memory of 4364	4116	getscreen.exe	109
PID 4116 wrote to memory of 4364	4116	getscreen.exe	109
PID 4116 wrote to memory of 744	4116	getscreen.exe	110
PID 4116 wrote to memory of 744	4116	getscreen.exe	110
PID 4116 wrote to memory of 744	4116	getscreen.exe	110
PID 4116 wrote to memory of 4872	4116	getscreen.exe	111
PID 4116 wrote to memory of 4872	4116	getscreen.exe	111
PID 4116 wrote to memory of 4872	4116	getscreen.exe	111
PID 4116 wrote to memory of 2728	4116	getscreen.exe	112
PID 4116 wrote to memory of 2728	4116	getscreen.exe	112
PID 4116 wrote to memory of 2728	4116	getscreen.exe	112
PID 4116 wrote to memory of 2716	4116	getscreen.exe	113
PID 4116 wrote to memory of 2716	4116	getscreen.exe	113
PID 4116 wrote to memory of 2716	4116	getscreen.exe	113
PID 4116 wrote to memory of 3316	4116	getscreen.exe	114
PID 4116 wrote to memory of 3316	4116	getscreen.exe	114
PID 4116 wrote to memory of 3316	4116	getscreen.exe	114
PID 4116 wrote to memory of 1496	4116	getscreen.exe	115
PID 4116 wrote to memory of 1496	4116	getscreen.exe	115
PID 4116 wrote to memory of 1496	4116	getscreen.exe	115
PID 4116 wrote to memory of 1444	4116	getscreen.exe	116
PID 4116 wrote to memory of 1444	4116	getscreen.exe	116
PID 4116 wrote to memory of 1444	4116	getscreen.exe	116
PID 4116 wrote to memory of 3160	4116	getscreen.exe	117
PID 4116 wrote to memory of 3160	4116	getscreen.exe	117
PID 4116 wrote to memory of 3160	4116	getscreen.exe	117
PID 4116 wrote to memory of 5040	4116	getscreen.exe	118
PID 4116 wrote to memory of 5040	4116	getscreen.exe	118
PID 4116 wrote to memory of 5040	4116	getscreen.exe	118
PID 4116 wrote to memory of 2312	4116	getscreen.exe	119
PID 4116 wrote to memory of 2312	4116	getscreen.exe	119
PID 4116 wrote to memory of 2312	4116	getscreen.exe	119
PID 4116 wrote to memory of 860	4116	getscreen.exe	120
PID 4116 wrote to memory of 860	4116	getscreen.exe	120
PID 4116 wrote to memory of 860	4116	getscreen.exe	120
PID 4116 wrote to memory of 4316	4116	getscreen.exe	121

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	getscreen.exe

C:\Users\Admin\AppData\Local\Temp\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
"C:\Users\Admin\AppData\Local\Temp\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
  "C:\Users\Admin\AppData\Local\Temp\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe" -gpipe \\.\pipe\PCommand97Getscreen.me -gui
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:456
- C:\Users\Admin\AppData\Local\Temp\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
  "C:\Users\Admin\AppData\Local\Temp\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe" -install
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe
  "C:\Users\Admin\AppData\Local\Temp\cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca.exe" -cpipe \\.\pipe\PCommand96Getscreen.me -cmem 0000pipe0PCommand96Getscreen0me9vvsqjuchvc5c5q -child
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1092

C:\ProgramData\Getscreen.me\dskgelddzawtcavcbzlqcahovrfmzsz-elevate.exe
"C:\ProgramData\Getscreen.me\dskgelddzawtcavcbzlqcahovrfmzsz-elevate.exe" -elevate \\.\pipe\elevateGS512dskgelddzawtcavcbzlqcahovrfmzsz
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632

C:\Program Files (x86)\Getscreen.me\getscreen.exe
"C:\Program Files (x86)\Getscreen.me\getscreen.exe" -service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4116
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -cpipe \\.\pipe\PCommand96Getscreen.me -cmem 0000pipe0PCommand96Getscreen0me5z97hulk5e7mdmr -child
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -gpipe \\.\pipe\PCommand99Getscreen.me -guihide
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2216
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3240
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4820
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1292
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4364
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:744
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4872
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3316
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3160
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5040
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:860
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4316
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1980
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3204
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1744
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:548
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3496
- C:\Program Files (x86)\Getscreen.me\getscreen.exe
  "C:\Program Files (x86)\Getscreen.me\getscreen.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
9KB

MD5
7cdd0894520abae5ede9d8a218428449

SHA1
4c0d37b3fdf3ce2d455f4a2fb960e60216f1dd51

SHA256
7b71d357a81e552837e21fd0fb2deb856a14e520ae09611f3d9b7ddb29f7d317

SHA512
d26c75b97fda16e7d379eeebe00216343092fa840d4d6896d7179f7d279538c887af57254388309c19e64afa7a841ab4c199b99b4cdc71f0f31fbb52309057c4

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
9KB

MD5
65fbc800f2f6e9004ab1db25229a5f95

SHA1
2e2cc03432ff36b6139b82970498c33cdb415bbb

SHA256
a973ebfc8530c92c596583d3016b87441c2b4c608cc86fa8475cf6d29ec3fdd6

SHA512
e50209add462ec3dab0dabd3b42717138e7a94068bf7e5f180bd6530fed359a75be6357fee8a402c73c2821950cf4e15edd5596241066e17e47f6c73064beb9e

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
9KB

MD5
b8292a04ef97357c0389afe7d9df0e75

SHA1
8952995efb5123f83194d3aa7590771cc3ce0568

SHA256
f3baaad8a7f04ab38929646b7f4f0b33d555941edc877d3133ad99a0996f73c4

SHA512
b55bcbb4baf24a0976e7223cdcb861c35849b11f74c7b8338295515a6dc6a2b7f3ecaf278ac4b9bbc59a20260a4844e1876ca21aebf8be976ac6d64af17ba81f

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
10KB

MD5
2d4cf9a922708cd1a05df4c6f5633089

SHA1
bdb7cc745884da0d570c34f2c71de05d90a7d76a

SHA256
68d32ea6c8c858ad76f0d590fe2cdb420e216cb3060a32a43e5d4eda1f791ac4

SHA512
ef7f15cd89e4539ca3e4eebe98ae142319643b4164694a963a2d2e62f3a6a5145ca51f589b5f5257fe20bfae5af50256103672a2ef9938da6cdf73bf26574c75

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
10KB

MD5
0d81d0667cbb9a1f7c3cf895feb62755

SHA1
0a8277386d7da157e125757b500cc0758d6f6bd1

SHA256
0ecdcb03e76f6a725545106d7e9644d325025322911d564e48536cb42b024b01

SHA512
c6eab0d588a3cdacf3c1faec35f6174e373560983b784dbb59ac7c92275f766550f55b6cd74acb74919e2bcaaa08de5b242832d198400211359bd4a06d1ee50b

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
10KB

MD5
a688c3b662fadb433fa1d9185a02ff20

SHA1
2533bb636c56092007ae234c25db13ef94f3f91c

SHA256
d69ac09e6357862101a464791edceef34cdb28a43961f792e0a83b43e2692130

SHA512
4219f736ed5ced16726fa01b2699a2bb3a5d438ec11dd1c53195b549edee629e21d6184c509f46da5c1f5422ed43d64753384b4e128827003233d90d458b1ae7

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
10KB

MD5
49f60dd3d4f7425afd39e37c195e716c

SHA1
c82660c4c7fc559041a6b0cdd486a5926ef0f8d4

SHA256
0a648e7462ac5e836ecd712e78c474588b0b2c0188e463c96555ddfbc7bfc758

SHA512
c5e5f7643e9e61fc557b6119e64e9929b2f593aefaa17cd71dc6d01e5bceedc95fad0ba76f54f0e867fdd9bda818151f615294045cc28a8d7eab3f049dd6a2e9

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
11KB

MD5
edd0989fff00d176f46f2d7c9b7665b0

SHA1
92dd5bb34f3c51304cca2c1d425655448b67033f

SHA256
b53fd8c3845f0132bac41335983643cf7facf90d7f944f30e4c652ca9b2b8c61

SHA512
915aeed07c240fbffdd8b20fb0dce59173a3686b2a449361c894f724982272f82413df4be5fee12451accc5e0285aa91e55f84a3ebd5f935b087064d2d92e7a9

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
11KB

MD5
fbca4df68e34ee79492a2d0f2ff0c1cc

SHA1
c1fa489ca97d58b6895a8627da5bc9063ce81e92

SHA256
8f7546cbac709df766e597b371f9d0bf8507b3516fb6390e58e55b45788494c1

SHA512
d09a9b9b46c9924452952002fe40c702e3dc5e0930d387b9bd245889ccb4e1cce5e0c184b041d7e5d66ce981052e0e743afb2acea9591d8919864b0a318cfa00

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
11KB

MD5
6aa6e2d635ce0a849ca8fd38e3ea38d4

SHA1
852a25c01c51a74f917b2a85b6d14dcf9a0f0181

SHA256
027459960ef4ad7f1979bc5cae6288a9af86c366795a67be99d0d3d219001595

SHA512
fae9ea3d1ca74371129745758d918c610a5cde3b412ce1b2b4195b1fd88e5f150b956a6e47ff13c0d86f098ef0f6f065fd2e66884babe89953b05d4a817faff0

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
11KB

MD5
0d8b3ba69cbf1edb1e1d136febf27035

SHA1
55080fbbba9aa4b1e8929a0a6b1894db9740fe1b

SHA256
01a76e44550c404fcf86cd13093f1735200a1123636d9bc0343a0c1a5ab40ce3

SHA512
115b83917f511b4abe68d92dec7f0f266ffbf7282b6872723b3a6e212b905ac68e1f2d9a54880ae3f0aa4f022ef6034c21e3854dd0d624de6877c69c9af48fcf

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
12KB

MD5
f44544bcc8f0f2625fd278bdc137fcd6

SHA1
80935c0bb1d28327bf65f1defb4be26e31c975b4

SHA256
b7cbb2f67f66f055116ffe199ebb89c9625fb2ecac90f1294ddbe3f5f9ab1ac3

SHA512
09671fa4f4b5e1cba7340a7b8f2c1035b2502a1b7aca98f00b1896d9bcbc28aba44eb3b5db425bee10d1829896e701408d14117390402f0b709fc8fe7f5b351f

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
12KB

MD5
1263cd5689876be097e7b22f73923df0

SHA1
175b6b30f74de48e9b0657c8ba285af4e47d5c58

SHA256
24faad19084cce70066f53c18eb4d9d87181efaa1692766bf1a93557a3bca0bd

SHA512
065f076ab379fb6af47e903b251327cde975cbd54a3c03f8861b2165520dbb989caac89af81d8d92ffc09ad1f99d2b7a301843d2ae8e27422f9d944aaaf737d6

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
12KB

MD5
8d093cd0c1f2490f72931e22264897cb

SHA1
344ca27d8d9c2f141d6e7594b8f32eaacd0c13da

SHA256
39fc3d86c0b088189d160d5a1022869b9be9f5fc1c7e8addacb6d1e4f873cdf7

SHA512
93275049e008a30336a17243ab8bd6ce328f4d574e3269d6c79db884250e4c8ba85a6eda69235b798ebdcace2139e6ff90d385a7625f4e7bf7e6118933b25a53

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
12KB

MD5
4a091c1ddb68e1c64636969deb986e77

SHA1
68e83d085233fe614b51ea10a4ff2b2efed98c94

SHA256
8c07974398428ec61188f80fc5353ebf2457ac4ca316270c4adb6b1fb1832037

SHA512
6a47b2b35e19ef7c90373527030fa87cc05faff1aa584ac0ab286f3939101cef429b7c36bdaa69b9d2e6c6b72cd5a2945ccca87d09721cfaee81622a55a8f7c5

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
12KB

MD5
922b5a139c8c293171678e399e84f807

SHA1
cb5a225d2987bd229c01fe181834dcb34b46a89c

SHA256
e5a740197cc129b737c2a7b0227d5e841be8743e935fde19ec40208f4bc7cf1f

SHA512
104c3e47ebdabef3626ef70001bf1600d5918648a014ed9a30cbdacca2dd9a2690ce9d48430e671ccd28b49cc01bf8e9c6ec97de306311ad6305b6785fbf1a27

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
13KB

MD5
36af9fef35729b511e9f60529b18eff5

SHA1
a74a06273e861291269039fb3dec48a558b97649

SHA256
391aacea052535617252760a2fe64bdff1df9c78120087ac18423120ccbd5f1e

SHA512
7aa11dfcaa02168454f3f2c53321a01384444405ff1185c37ce1e3da5b5adfa3740d24728177a17c43652d0292d88920cf5340dd5e3ac411afa1ff98e7c12493

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
13KB

MD5
8bf78c32d36515d562b04b52f28f7f8f

SHA1
1ddc73d449d94b3efff10e7c8a2635b18d2746b3

SHA256
03126bc6294c99bd751ba7d69c0083e567b4ade1baf1ecd49e63fe9ff603ef7d

SHA512
158cbdfbbdbae98651a4d32cfc63093f7d2e5f97eeeebdfebd58e78cb4f181342517bf2db8d2a36b1227fc05487b66e7f7b6f7a68d328afa750e6751b291e660

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
13KB

MD5
b295f9357e6d1fe929ac1ad4824e0b31

SHA1
590e62c545eb923224e9e1a1659c20ca7f0b2732

SHA256
3de870d4c90e941168631223049aaea4ef429944205064855dc264735a0878d2

SHA512
d4599d763adf341adb76a61bd22b6b348423da0d113fb556204be0871b407e9e7c31da8cd2ded443b58601177b3c698980f57790b4fefcc3b729d3ca61f214f5

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
1KB

MD5
218da20c0694144a28105eb557ef6006

SHA1
dbcc0e13063a49eb63360fb8cd76a6123e9f69c1

SHA256
b3c563ff03a1ccfbdbc393b9984834392828af889f5a1defe41aae04fdacfaf8

SHA512
e94667b246c8d768407ec849dd4f7a8fb01c9d198cecf2f27046080024841954fab9ab92bd442d52dc94769d5957fa7749a1eddc7c5543884935161211ebc10e

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
7KB

MD5
9c4f7fc9ccfeab4ae351b59c16118ea3

SHA1
922b495d86a5ffdc713cf3d7eda10119f57d3596

SHA256
9394c3ef3d4eaa1e825e2a445b724eccc624a9db917b62e9ca8f62e9052dbf4d

SHA512
5b28cc839661e333fedc32c1cb6b17ff2c6e73a114a4b331bb54a77ebb822e6fef38747ff59e86445d7829e2f8dfb8bf65e1d8df4eab5343c4db41dd0e2e1559

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
8KB

MD5
fc00a88e0aec45a415dfc6254bbb3292

SHA1
2e2df75ba033ce3ef6c387a7b8b6ee8970b31a4c

SHA256
9531b55aa19ca85cdde0251c78180639c53307eb6e0e9eb03faadfe2793f7034

SHA512
08e3d7cb6125da4c4b7267261088fa8685f4b52f4720e766984cbc253808f67280c57cf641c6df4517d937792f1af6d271de76ba6b112d0c9e99e27c88b769f9

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
8KB

MD5
4472be7ee4468c72647441af46fc57bc

SHA1
b89f718b044f9dc3d2abf1d572cef59d45e3fcdf

SHA256
467987dbb06f8d2ea79001346b7231b198efcb97199f0b330015786a9f2e6b36

SHA512
6b2c24ac379bf052ac4eaca70a2e9c49b715b041d45c9948f003aa31bfab431904faff865db6b4c78d20b438a5200c79b0770013597caa955bc7e29fff8480c9

Download Submit
C:\Program Files (x86)\Getscreen.me\logs\20241119.log

Filesize
9KB

MD5
25432cfce6252411528e0b5081521c59

SHA1
325f22052747eb297277b99810c98af530d6cde9

SHA256
6945ef920253f3dc4a6b836e038c461db5f001575fc148af632d5e192b9eb4d7

SHA512
e2ab6766f641ea84b3a78990a08c158f14a2b6f5239f9e958f6747d8f2c4d08f9ddf03f16158ae49ec335353ac76ab3bd96662bda1947f9bd042c48765b01fc7

Download Submit
C:\ProgramData\Getscreen.me\dskgelddzawtcavcbzlqcahovrfmzsz-elevate.exe

Filesize
3.5MB

MD5
e7c183620a2bc16aff6815096913fc49

SHA1
d9580ede84a5fd2e79d0f055219d720d0d943c8e

SHA256
cf28f40e7d3c1a0ed4c461d0c1d89bb9dfb3e3e0fe5e27ef81e5098be8d852ca

SHA512
bf5a1d48952db6a879211068512a4d2704e824a9d3d0d5566f3b3b1e150e686c40ea12c7adcd24623cf851846cf9b13b753377ceef757dfc170426781ec8442b

Download Submit
C:\ProgramData\Getscreen.me\logs\20241119.log

Filesize
725B

MD5
10cb431314c2e46203e45f63fa1127b8

SHA1
9d072567f38ecc1978886114b4deb841dd20aaa3

SHA256
037b20ff3b4ab1b702c8f632fe6b3f20c24cb53394c0fc4b30dbbcbb10f015ba

SHA512
50d6bd8b9a1973946fcf641520561580463295650f82a732cb11981205ef4faaf3a0ede1a0e12b87922f8255a9bd03eb3d68cb47188671e567601d85eef4f9c8

Download Submit
C:\ProgramData\Getscreen.me\logs\20241119.log

Filesize
261B

MD5
8f9ff809f4021e1df3805c16f0a9fce0

SHA1
23c670c4c80c863274f078a3b583c8485caf2b2c

SHA256
ff3c7d826a1304e1456b9f94964e1b639450eecc4aae62b76d65bdf1684ea7ca

SHA512
9cd2a88f680be36d3024c6b116c183c611a36885bac27aaaab3b651b0b25c856b483cf444e6f02e39a91bdc616114eb5c1f201bd4f021ac0c0d8ea1571d9ed9c

Download Submit
C:\ProgramData\Getscreen.me\logs\20241119.log

Filesize
1KB

MD5
95c4a18a795de9495d5469ab2505a4fc

SHA1
63f883f2e49a3cf8f443a25c47c80fa2a9f02a8d

SHA256
9b63c3bc66955137ca8ced83dd1932b3fe96873d8436258629e0017abfa3d239

SHA512
9001856b26de12897d84aed3fc06c37ce9a55ac6c6d1676c78d0d37d92acba332dc4db56a86a348765015a506db0687de8b33e97f673a57d8626f6fbbbd468e2

Download Submit
C:\ProgramData\Getscreen.me\logs\20241119.log

Filesize
1KB

MD5
10af9548547afbf99f627e25da711884

SHA1
4ed4623c0efe2aee7a1960151e7ba8e884bc4830

SHA256
fbee987097b86f1a02bdb95fabb28ddfbc015f3a4dcfe27040d870f5ded16724

SHA512
242f1633e919a214c46681a8d09e462cc620d8041bf75bdd6e201fccbdc9703a5ccf9969e19fe0caa9626e65b2ac351fadeb6f42f77b4928f25edc1654311de2

Download Submit
C:\ProgramData\Getscreen.me\logs\20241119.log

Filesize
3KB

MD5
87b6b38a81730bf85064ad09c514146d

SHA1
558c2119ebb3195bb53c91d923334d5a474e8c99

SHA256
cd6145ad379a95882647d3b6de7a8a375567e1b6918bf4df2dc9eb92275ddf65

SHA512
9c0e2536549d0539c9dc0ffc452ac00616f9d75862f9f1a95e89ad353673af6e464d84e46ceb3ba760a799fd673657771e872b50dbb67c3d8306d5d01470e310

Download Submit
C:\ProgramData\Getscreen.me\memory\0000pipe0PCommand96Getscreen0me5z97hulk5e7mdmr

Filesize
16.0MB

MD5
8cca8765ba082ecc53e001b1d237a8ee

SHA1
de616ffc2282b6e4d6d2ec1524dcbe2cd8f270f7

SHA256
46d9d79b8be089abf16344f1e491613d6710b051ec184a69ac183c349bd71746

SHA512
9d884a535930529684e88ddb3aea26964a5ca984cc07de6efe2bfda6ca5f5d437c521e61aced07e9379a8337bb1892f13ca67592d8e1e6673ccdbbd89e17de40

Download Submit
C:\ProgramData\Getscreen.me\settings.dat

Filesize
128B

MD5
fdd36a4b195b99df330aa3ddf01d0341

SHA1
a745b06e62acd3775e492dcdb80310a0df9448aa

SHA256
7f2c6b1a64958d4e33e9c4df4a439e86e5c8f3377de5dd650a40ffec3a87aca8

SHA512
4e51ddb844a4a5e1ce5395320011e5222502767738c805b7ffd5ad43167d9be4dc89ffa33c28ae4c4bb33377dd7b6c12f113277ea42b155a5c2feac405a3a48c

Download Submit
memory/456-6-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/456-34-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/548-218-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/744-111-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/860-182-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/1092-55-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/1160-28-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/1160-18-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/1292-97-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/1444-154-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/1496-147-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/1672-90-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/1744-211-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/1980-196-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2076-69-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/2076-35-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/2076-0-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/2076-61-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/2076-45-0x0000000000420000-0x0000000001B78000-memory.dmp

Filesize
23.3MB

Download
memory/2216-212-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-190-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-76-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-198-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-176-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-112-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-148-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-162-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-226-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-98-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-84-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-134-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2216-120-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2312-175-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2632-44-0x0000000000930000-0x0000000002088000-memory.dmp

Filesize
23.3MB

Download
memory/2632-9-0x0000000000930000-0x0000000002088000-memory.dmp

Filesize
23.3MB

Download
memory/2632-36-0x0000000000930000-0x0000000002088000-memory.dmp

Filesize
23.3MB

Download
memory/2716-133-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/2728-126-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/3160-161-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/3204-204-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/3240-75-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/3316-140-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/3496-225-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-205-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-105-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-183-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-62-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-197-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-80-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-127-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-169-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-233-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-141-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-91-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-155-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-219-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4116-119-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4316-189-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4364-104-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4452-232-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4820-83-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4872-118-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/4892-60-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download
memory/5040-168-0x0000000000140000-0x0000000001898000-memory.dmp

Filesize
23.3MB

Download