[GH-ISSUE #1264] Crowdstrike antivirus flags ScreenToGif.dll as virus #932

Closed
opened 2026-02-26 09:33:04 +03:00 by kerem · 17 comments

Originally created by @richardsjogren on GitHub (Dec 14, 2023).
Original GitHub issue: https://github.com/NickeManarin/ScreenToGif/issues/1264

Originally assigned to: @NickeManarin on GitHub.

Crowdstrike antivirus flags ScreenToGif as virus
(Sorry, not sure if it's ok to report this as a "bug")

Steps to reproduce the behavior:

  1. Try to install ScreenToGif on a computer with Crowdstrike

https://www.virustotal.com/gui/file/95542221c818831363148465643614273f819c08065a0870dade8ddba6edb1ad


@Vincent-FundApps commented on GitHub (Dec 15, 2023):

+1


@TrevisanGMW commented on GitHub (Dec 15, 2023):

+1


@mattspierce commented on GitHub (Dec 18, 2023):

I've had a few users experiencing this. Here are the details of the detection.

```
DETECT TIME
Dec. 17, 2023 12:48:24
HOSTNAME
computername
HOST TYPE
Workstation
USER NAME
place\user
ACTIONS TAKEN
Process blocked
File quarantined
SEVERITY
Low
OBJECTIVE
Falcon Detection Method
TACTIC & TECHNIQUE
Malware via PUP
TECHNIQUE ID
CST0013
SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.
TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Low
IOC MANAGEMENT ACTION
None

Associated File
\Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
GROUPING TAGS
None
LOCAL PROCESS ID
26000
COMMAND LINE
"C:\Program Files\ScreenToGif\ScreenToGif.exe"
FILE PATH
\Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
EXECUTABLE SHA256
ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Low
IOC MANAGEMENT ACTION
None

EXECUTABLE MD5
ce227688fe0d35e6b5381666dc1cd7db
RUN PERIOD
START TIME
Dec. 17, 2023 12:47:14
END TIME
Dec. 17, 2023 12:47:15
DURATION
Terminated
```

Links in the original comment: Falcon Detection Method (https://falcon.laggar.gcw.crowdstrike.com/documentation/detections/objective/falcon-detection-method), Malware (https://falcon.laggar.gcw.crowdstrike.com/documentation/detections/tactic/malware-csta0001), PUP (https://falcon.laggar.gcw.crowdstrike.com/documentation/detections/technique/pup-cst0013).


@jduke-halls commented on GitHub (Dec 28, 2023):

Just had a trigger with the new version

Steps to reproduce detection:

  * Download ScreenToGif Portable from link at screentogif.com
  * https://github.com/NickeManarin/ScreenToGif/releases/download/2.40.1/ScreenToGif.2.40.1.Portable.x64.zip
  * Extract ScreenToGif.exe
  * Run ScreenToGif.exe

Metadata from Crowdstrike Detection

```
ACTIONS TAKEN
Process blocked
File quarantined
SEVERITY
Low
OBJECTIVE
Falcon Detection Method
TACTIC & TECHNIQUE
Malware via PUP
TECHNIQUE ID
CST0013
SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.
TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Unique
IOC MANAGEMENT ACTION
None
Associated File
\Device\HarddiskVolume3\Apps\ScreenToGif.exe
```

VirusTotal has no detections https://www.virustotal.com/gui/file/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6/detection

HybridAnalysis doesn't have a sample: https://www.hybrid-analysis.com/sample/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6

What we did

We created a group in Falcon for those who can run ScreenToGif and tagged the computers to allow an exception to `*\ScreenToGif.exe`
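The workaround above is a path-only exception: any binary whose path matches `*\ScreenToGif.exe` is exempt, whatever its contents. The following Python is an added example (not code from ScreenToGif or from CrowdStrike) contrasting that rule with one that also requires the file's SHA256 to be a vetted release. It assumes glob semantics where `*` matches any prefix including directory separators and matching is case-insensitive, which is how the pattern reads in the comment; check the Falcon exclusion documentation for the exact rules. The hash set is the SHA256 values that appear on this page; the Downloads path and its all-zero hash are constructed.

```python
"""Path-only vs. path-plus-hash exemption for the *\ScreenToGif.exe exception above.

Added example; not code from the ScreenToGif project or from CrowdStrike. Assumes ``*``
matches any prefix (directory separators included) and case-insensitive paths; verify
against the Falcon exclusion documentation before relying on these semantics.
"""
import fnmatch

EXCLUSION_PATTERN = r"*\ScreenToGif.exe"

# SHA256 values that appear in this thread for ScreenToGif builds (VirusTotal links and
# Falcon dumps above). Treated here as the set of releases the organisation has vetted.
VETTED_RELEASES = {
    "95542221c818831363148465643614273f819c08065a0870dade8ddba6edb1ad",
    "ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d",
    "fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6",
}

# Constructed cases: the two paths reported in this thread, plus a hypothetical binary
# dropped into a user profile under the same file name with a made-up placeholder hash.
UNKNOWN_HASH = "0" * 64
CASES = [
    (r"\Device\HarddiskVolume3\Apps\ScreenToGif.exe",
     "fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6"),
    (r"\Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe",
     "ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d"),
    (r"C:\Users\alice\Downloads\ScreenToGif.exe", UNKNOWN_HASH),
]


def path_excluded(path: str, pattern: str = EXCLUSION_PATTERN) -> bool:
    """Path-only exception: anything whose path matches the glob is exempt."""
    # Lower-case both sides so the result is the same on every host OS.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def allowlisted(path: str, sha256: str, pattern: str = EXCLUSION_PATTERN,
                vetted: frozenset = frozenset(VETTED_RELEASES)) -> bool:
    """Tighter rule: the path must match AND the binary must be a vetted release."""
    return path_excluded(path, pattern) and sha256.lower() in vetted


def evaluate(cases=CASES) -> list:
    """Per case: (path, exempt under path-only rule, exempt under path+hash rule)."""
    return [(path, path_excluded(path), allowlisted(path, sha256)) for path, sha256 in cases]


if __name__ == "__main__":
    for path, by_path, by_hash in evaluate():
        print(f"{path}\n  path-only exception: {by_path}\n  path + vetted hash:  {by_hash}")
```

The third case is the point: a file named ScreenToGif.exe anywhere on disk is exempt under the path rule, while the hash rule only exempts the builds you have vetted. The cost of the hash rule is maintenance: the later build p1r473 reports below (SHA256 starting `aaa562…`) is not in the set and would be blocked again until someone adds it. Falcon's IOC Management, the feature behind the "IOC MANAGEMENT ACTION" field in the dumps above, is where a hash-scoped allow would normally be expressed rather than in a path exclusion.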

@NickeManarin commented on GitHub (Jan 5, 2024):

I sent a message to the company, let's see if they give me a reply.


@mcd92 commented on GitHub (Jan 11, 2024):

Same thing here. Antivirus McAfee.


@elliottttttttt commented on GitHub (Jan 18, 2024):

> I sent a message to the company, let's see if they give me a reply.

We have the same issue and have asked our CrowdStrike TAM to assist. Hoping that you receive some assistance back from the vendor. In case it's helpful we've raised support case # 01326126 on our end for misidentification as a PUP.


@DavidMulder0 commented on GitHub (Jan 22, 2024):

Tip: When you install through the Microsoft Store it actually works just fine... 😕 No idea what that says about CrowdStrike, but at least a workaround for those who want to use ScreenToGif 👍.


@captainhunt commented on GitHub (Jan 24, 2024):

Well just as long as your company does not block MS store, too 😕.


@chrispy-snps commented on GitHub (Jan 24, 2024):

@NickeManarin - I hope we are able to resolve this. I am impacted too.


@NickeManarin commented on GitHub (Feb 1, 2024):

![image](https://github.com/NickeManarin/ScreenToGif/assets/14798947/8afaa482-4256-4ae5-8281-a6bec7a17cd4)


@mattspierce commented on GitHub (Feb 1, 2024):

I would love for this issue to be resolved. The detection was heuristic. I am curious if this FP submission works with the AI engines or just a hash check. Do we know what was added to the code in mid December that triggered the alerts?


@mattspierce commented on GitHub (Feb 1, 2024):

Also, I did a test with the current version against my CS client and did not get blocked. I will remove the IOC exception and see if my users are impacted.


@NickeManarin commented on GitHub (Feb 1, 2024):

I got these details from some other company; they got these results:

```
YARA signature "Bolonyokte" matched file "sample.bin" as "UnknownDotNet RAT - Bolonyokte" (Author: Jean-Philippe Teissier / @Jipe_)
YARA signature "MALWARE_Win_AgentTeslaV3" matched file "sample.bin" as "AgentTeslaV3 infostealer payload" (Author: ditekSHen)
```

and

```
"ScreenToGif.exe" wrote 00000FB8 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 1728)
```

YARA Bolonyokte is a really generic rule-set; for example, it matches apps with "CaptureScreen" and "CaptureCursor", which of course this app would have. 🙄

@NickeManarin commented on GitHub (Feb 1, 2024):

> mid December that triggered the alerts?

I can check, but the code base was mostly unchanged during the last 2 quarters of 2023.


@NickeManarin commented on GitHub (Mar 24, 2024):

This should no longer be a problem, as the company removed the false-positive.


@p1r473 commented on GitHub (May 22, 2024):

@NickeManarin Nope, it's still flagging for me here as of May 5
Hash
aaa562c84f22ea0fc63d3fef74ee4c4fbb26d873c3b609555e2870008c01c98c
![image](https://github.com/NickeManarin/ScreenToGif/assets/9235633/6a2672a4-7719-4eb7-8f80-14939cb1ca11)
