Edit tour

Windows Analysis Report
setup-lightshot.exe

Overview

General Information

Sample Name:	setup-lightshot.exe
Analysis ID:	1285697
MD5:	a1f6923e771b4ff0df9fec9555f97c65
SHA1:	545359cd68d0ee37f4b15e1a22c2c9a5fda69e22
SHA256:	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Drops PE files

Tries to load missing DLLs

Creates files inside the system directory

Queries keyboard layouts

Stores files to the Windows start menu directory

Uses taskkill to terminate processes

Creates job files (autostart)

Found dropped PE file which has not been started or loaded

Creates a process in suspended mode (likely to inject code)

Searches for user specific document files

Enables debug privileges

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

System is w10x64_ra

setup-lightshot.exe (PID: 6568 cmdline: C:\Users\user\Desktop\setup-lightshot.exe MD5: A1F6923E771B4FF0DF9FEC9555F97C65)

setup-lightshot.tmp (PID: 748 cmdline: "C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp" /SL5="$70054,2148280,486912,C:\Users\user\Desktop\setup-lightshot.exe" MD5: C6BFFD4DA620B07CB214F1BD8E7F21D2)

taskkill.exe (PID: 6064 cmdline: "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)

conhost.exe (PID: 2480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

taskkill.exe (PID: 3544 cmdline: "taskkill.exe" /F /IM lightshot.exe MD5: 07D18817187E87CFC6AB2A4670061AE0)

conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

Lightshot.exe (PID: 6708 cmdline: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe MD5: 62EB961457DF016FA3949E9601A1A845)

Lightshot.exe (PID: 6764 cmdline: "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe" MD5: 1E1C83B9680029AD4A9F8D3B3AC93197)

splwow64.exe (PID: 8160 cmdline: C:\Windows\splwow64.exe 12288 MD5: 7FE20527607797A8DADE19838B8B1573)

setupupdater.exe (PID: 3644 cmdline: "C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe" /verysilent MD5: 843D23F6AAB075A3C032B06D30CE9C5D)

setupupdater.tmp (PID: 3424 cmdline: "C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp" /SL5="$7035C,490430,120832,C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe" /verysilent MD5: 3613E29D2A7B90C1012EC676819CC1CD)

net.exe (PID: 6368 cmdline: "C:\Windows\system32\net.exe" START SCHEDULE MD5: 2D09708A2B7FD7391E50A1A8E4915BD7)

conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

net1.exe (PID: 6284 cmdline: C:\Windows\system32\net1 START SCHEDULE MD5: DACD2D80B3942C3064B29BC0D0382EF3)

Updater.exe (PID: 6744 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)

Updater.exe (PID: 3496 cmdline: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)

Updater.exe (PID: 3520 cmdline: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)

Updater.exe (PID: 3684 cmdline: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)

Updater.exe (PID: 5184 cmdline: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)

Updater.exe (PID: 3120 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)

Updater.exe (PID: 6336 cmdline: "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)

Updater.exe (PID: 1280 cmdline: C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml MD5: 3EC8F4BD54EF439A8FAB6467122DA0C4)

Updater.exe (PID: 6160 cmdline: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml MD5: FBE0664E1C333E36E3CE73D8BD5CC8A1)

chrome.exe (PID: 3352 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

chrome.exe (PID: 236 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1776,i,8368913202449086638,2137170749968665542,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: setup-lightshot.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel

Source: setup-lightshot.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 77.88.21.119:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.3:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.23.139.12:443 -> 192.168.2.3:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.23.139.12:443 -> 192.168.2.3:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.23.139.12:443 -> 192.168.2.3:49802 version: TLS 1.2

Source: setup-lightshot.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: mc.yandex.ru

Source: global traffic	HTTP traffic detected: GET /getver/updater?ping=true HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: updater.prntscr.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /thankyou_desktop.html HTTP/1.1Host: app.prntscr.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown	HTTPS traffic detected: 77.88.21.119:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.250.251.119:443 -> 192.168.2.3:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.3:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.23.139.12:443 -> 192.168.2.3:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.23.139.12:443 -> 192.168.2.3:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.23.139.12:443 -> 192.168.2.3:49802 version: TLS 1.2

Source: setup-lightshot.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe

Section loaded: d3dx9_32.dll

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe

File created: C:\Windows\Tasks\update-sys.job

Source: C:\Users\user\Desktop\setup-lightshot.exe

File read: C:\Users\user\Desktop\setup-lightshot.exe

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\setup-lightshot.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: unknown	Process created: C:\Users\user\Desktop\setup-lightshot.exe C:\Users\user\Desktop\setup-lightshot.exe
Source: C:\Users\user\Desktop\setup-lightshot.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp "C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp" /SL5="$70054,2148280,486912,C:\Users\user\Desktop\setup-lightshot.exe"
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "taskkill.exe" /F /IM lightshot.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Process created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe "C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe" /verysilent
Source: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp "C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp" /SL5="$7035C,490430,120832,C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe" /verysilent
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" START SCHEDULE
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 START SCHEDULE
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1776,i,8368913202449086638,2137170749968665542,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\setup-lightshot.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp "C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp" /SL5="$70054,2148280,486912,C:\Users\user\Desktop\setup-lightshot.exe"
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "taskkill.exe" /F /IM lightshot.exe
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe "C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe" /verysilent
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Process created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe	Process created: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp "C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp" /SL5="$7035C,490430,120832,C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe" /verysilent
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" START SCHEDULE
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 START SCHEDULE
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2480:304:WilStaging_02
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Mutant created: \Sessions\1\BaseNamedObjects\LightshotStandAloneAppMainMutex
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Mutant created: \Sessions\1\BaseNamedObjects\COOL_SCREENSHOT_MUTEX_YARRR
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2480:120:WilError_02

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lightshot.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lightshot.exe")

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

File created: C:\Program Files (x86)\Skillbrains

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

File created: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp

Source: classification engine

Classification label: clean3.winEXE@43/166@14/140

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

Window found: window name: TSelectLanguageForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe

Window detected: Number of UI elements: 12

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel

Source: setup-lightshot.exe

Static file information: File size 2786328 > 1048576

Source: setup-lightshot.exe

Static PE information: certificate valid

Source: setup-lightshot.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\is-83UO2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\net.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	File created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\is-A7PF5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-94U68.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\DXGIODScreenshot.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe	File created: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	File created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-JG8JA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\is-2F2BU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	File created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-PQ4AC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-DA1S1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	File created: C:\Program Files (x86)\Skillbrains\Updater\is-L7PTH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\uploader.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-8UHCP.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot\Uninstall Lightshot.lnk
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot\Lightshot.lnk
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot\Learn More.url
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot\Screenshot history.url

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe

File created: C:\Windows\Tasks\update-sys.job

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup-lightshot.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\net.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-94U68.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-JG8JA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-DA1S1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-8UHCP.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp

Process information queried: ProcessInformation

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "taskkill.exe" /F /IM lightshot.exe

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe "C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe" /verysilent
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml
Source: C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 START SCHEDULE

Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Directory queried: C:\Users\user\Documents
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Directory queried: C:\Users\user\Documents\Lightshot
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Directory queried: C:\Users\user\Documents
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Directory queried: C:\Users\user\Documents

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	12 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	Security Account Manager	2 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
setup-lightshot.exe	5%	ReversingLabs
setup-lightshot.exe	6%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-8UHCP.tmp	0%	ReversingLabs
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-8UHCP.tmp	0%	Virustotal	Browse
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-94U68.tmp	0%	ReversingLabs
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-94U68.tmp	0%	Virustotal	Browse
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-DA1S1.tmp	0%	ReversingLabs
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-DA1S1.tmp	0%	Virustotal	Browse
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-JG8JA.tmp	0%	ReversingLabs
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-PQ4AC.tmp	0%	ReversingLabs
C:\Program Files (x86)\Skillbrains\lightshot\is-2F2BU.tmp	2%	ReversingLabs
C:\Program Files (x86)\Skillbrains\lightshot\is-83UO2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\Skillbrains\Updater\Updater.exe (copy)	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5U1EQ.tmp\setupupdater.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp	3%	ReversingLabs

Name	IP	Active	Malicious	Reputation
mc.yandex.ru	77.88.21.119	true	false	high
static.cloudflareinsights.com	104.16.57.101	true	false	unknown
accounts.google.com	142.250.185.109	true	false	high
app.prntscr.com	104.23.139.12	true	false	high
updater.prntscr.com	104.23.140.12	true	false	high
st.prntscr.com	104.23.139.12	true	false	high
api.prntscr.com	104.23.139.12	true	false	high
upload.prntscr.com	104.23.139.12	true	false	high
clients.l.google.com	142.250.186.78	true	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://updater.prntscr.com/getver/updater?ping=true	false		high
http://app.prntscr.com/thankyou_desktop.html	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.109	accounts.google.com	United States	15169	GOOGLEUS	false
142.250.186.78	clients.l.google.com	United States	15169	GOOGLEUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
104.23.140.12	updater.prntscr.com	United States	13335	CLOUDFLARENETUS	false
104.23.139.12	app.prntscr.com	United States	13335	CLOUDFLARENETUS	false
216.239.34.36	unknown	United States	15169	GOOGLEUS	false
142.250.185.227	unknown	United States	15169	GOOGLEUS	false
216.58.206.46	unknown	United States	15169	GOOGLEUS	false
93.158.134.119	unknown	Russian Federation	13238	YANDEXRU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
77.88.21.119	mc.yandex.ru	Russian Federation	13238	YANDEXRU	false
104.16.57.101	static.cloudflareinsights.com	United States	13335	CLOUDFLARENETUS	false
142.250.186.142	unknown	United States	15169	GOOGLEUS	false
87.250.251.119	unknown	Russian Federation	13238	YANDEXRU	false
142.250.184.238	unknown	United States	15169	GOOGLEUS	false
142.250.184.206	unknown	United States	15169	GOOGLEUS	false
142.250.186.168	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1285697
Start date and time:	2023-08-04 13:47:50 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample file name:	setup-lightshot.exe
Detection:	CLEAN
Classification:	clean3.winEXE@43/166@14/140
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Created / dropped Files have been reduced to 100
Excluded IPs from analysis (whitelisted): 142.250.184.238, 142.250.186.142, 216.58.206.46, 142.250.185.227, 34.104.35.123, 142.250.186.168, 142.250.184.206, 216.239.34.36, 216.239.32.36
Excluded domains from analysis (whitelisted): login.live.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-JG8JA.tmp

Process:	C:\Users\user\AppData\Local\Temp\is-K12B0.tmp\setupupdater.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	875160
Entropy (8bit):	6.524839226424313
Encrypted:	false
SSDEEP:
MD5:	FBE0664E1C333E36E3CE73D8BD5CC8A1
SHA1:	D7F284E9A8D3A3B5A832C37B58382000B583FBC1
SHA-256:	C4CE15B1BC8ADECBF20A655256AAB267C1D72E7A33947598AF48EA287CCA5670
SHA-512:	7B7E34AA69E2E92590B79D2B9C9FD095D15FC5A2943335D0F59CDEE15083A8BB1A66B669615CE716BB714A59A1BE54E8FEA88A5889BFA8E0371E7EB8902FA555
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...WbQ.WbQ.WbQ...Q.WbQ...Q.WbQ...Q.WbQ...Q.WbQ./.Q.WbQ./.Q.WbQ.WcQvWbQ...Q.WbQ...Q.WbQ.W.Q.WbQ...Q.WbQRich.WbQ........PE..L......X.............................[....... ....@.......................................@..................................Q..,........)...........D.......0..`~...$..8............................\..@............ ..`............................text............................... ..`.rdata...E... ...F..................@..@.data........p...L...N..............@....rsrc....).......*..................@..@.reloc..`~...0......................@..B................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\is-0KHQ7.tmp\setup-lightshot.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95656
Entropy (8bit):	6.415071063495964
Encrypted:	false
SSDEEP:
MD5:	25C632CD2F529BA142FA706205AC00C9
SHA1:	495B777348D26E5FA75DFBF6B50498428FE7748B
SHA-256:	6ACDCD817CC5DF637AA4CD101C25C9E0A69C778347A7A40CE7511EEEA26FD6F0
SHA-512:	606E9856EB8153F9DAB7F4C23FF967B2D9CE9FCF1902823A424CA4B4EE0A4F1A95BFDD316356DD65831C494F7E74EC4562BF684AB6A20C3376ABEF8FF10F6C7A
Malicious:	false
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......X}.............(......*......+.....d]....'B....'B....'B.8...dJ...........B.....B.....B&......N.....B....Rich...........................PE..L....M5]...........!.................-....................................................@..........................9..\....9..x....................\...............+..p....................,......0,..@...............d............................text............................... ..`.rdata...b.......d..................@..@.data........P.......8..............@....gfids.......p.......B..............@..@.tls.................D..............@....rsrc................F..............@..@.reloc...............L..............@..B........................................................................................................................................................................................

Entrypoint:	0x41181c
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B226D52 [Thu Jun 14 13:27:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	20dd26497880c05caed9305b3c8b9109

Signature Valid:	true
Signature Issuer:	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	5/30/2019 2:39:46 AM 5/30/2022 2:39:46 AM
Subject Chain	CN=Kilonova LLC, O=Kilonova LLC, L=Seattle, S=Washington, C=US
Version:	3
Thumbprint MD5:	01CF5F0DB47B2689D338B977568A2CED
Thumbprint SHA-1:	65F3B3CC35EFDEC600A6E68FF7A5C1DEF5054EC9
Thumbprint SHA-256:	450898F0278E753151C321FF1A5C4CF37B7AE36B03A8214447A486D4D41A27E1
Serial:	00C93423CE0C606667

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19000	0xe04	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x64408	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2a6a70	0x19a8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1b000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19304	0x214	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf25c	0xf400	False	0.5482197745901639	data	6.375879013420213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x11000	0xfa4	0x1000	False	0.563720703125	data	5.778765357049134	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x12000	0xc8c	0xe00	False	0.25362723214285715	data	2.3028287433175367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x13000	0x56bc	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x19000	0xe04	0x1000	False	0.321533203125	data	4.597812557707959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1a000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1b000	0x18	0x200	False	0.05078125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x64408	0x64600	False	0.21693551525529264	data	4.905507363696471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c47c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6675531914893617
RT_ICON	0x1c8e4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5098499061913696
RT_ICON	0x1d98c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.41773858921161827
RT_ICON	0x1ff34	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3512045347189419
RT_ICON	0x2415c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.25592984739145863
RT_ICON	0x34984	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.19482498446607688
RT_STRING	0x769ac	0x68	data			0.6538461538461539
RT_STRING	0x76a14	0xd4	data			0.5283018867924528
RT_STRING	0x76ae8	0xa4	data			0.6524390243902439
RT_STRING	0x76b8c	0x2ac	data			0.45614035087719296
RT_STRING	0x76e38	0x34c	data			0.4218009478672986
RT_STRING	0x77184	0x294	data			0.4106060606060606
RT_RCDATA	0x77418	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x7f700	0x10	data			1.5
RT_RCDATA	0x7f710	0x150	data			0.8392857142857143
RT_RCDATA	0x7f860	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x7f88c	0x5a	data	English	United States	0.7555555555555555
RT_VERSION	0x7f8e8	0x4f4	data	English	United States	0.27602523659305994
RT_MANIFEST	0x7fddc	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup-lightshot.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe (copy)

C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\is-A7PF5.tmp

C:\Program Files (x86)\Skillbrains\Updater\MachineProducts.xml

C:\Program Files (x86)\Skillbrains\Updater\Updater.exe (copy)

C:\Program Files (x86)\Skillbrains\Updater\info.xml

C:\Program Files (x86)\Skillbrains\Updater\is-L7PTH.tmp

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\DXGIODScreenshot.dll (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.dll (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-8UHCP.tmp

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-94U68.tmp

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-DA1S1.tmp

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-JG8JA.tmp

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-MJHCD.tmp

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-P680B.tmp

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-PQ4AC.tmp

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\learnmore.url (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\learnmore_ru.url (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\ar.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\be.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\bg.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\bn-BD.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\bs.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\ca.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\cs.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\da.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\de.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\el.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\en.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\es.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\et.txt (copy)

C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\fa.txt (copy)

Windows Analysis Report
setup-lightshot.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre