Windows Analysis Report
setup-lightshot 1.exe

Overview

General Information

Sample name:	setup-lightshot 1.exe
Analysis ID:	1520341
MD5:	a1f6923e771b4ff0df9fec9555f97c65
SHA1:	545359cd68d0ee37f4b15e1a22c2c9a5fda69e22
SHA256:	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1
Infos:

Detection

Score:	10
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Signatures

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F8B820 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	8_2_00F8B820
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FB96F0 CryptDestroyHash,	8_2_00FB96F0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F8E6C0 CryptDecrypt,	8_2_00F8E6C0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F8E640 CryptEncrypt,	8_2_00F8E640
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FB9710 CryptDestroyKey,	8_2_00FB9710
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F8EC90 CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,	8_2_00F8EC90
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F8ED80 CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,	8_2_00F8ED80
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F8EFD0 CryptAcquireContextW,CryptImportKey,	8_2_00F8EFD0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF26FD0 CryptEncrypt,	8_2_6CF26FD0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF24F20 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	8_2_6CF24F20
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF279F0 CryptAcquireContextW,CryptImportKey,	8_2_6CF279F0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF459D0 CryptDestroyKey,	8_2_6CF459D0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF459B0 CryptDestroyHash,	8_2_6CF459B0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF276B0 CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,	8_2_6CF276B0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF277A0 CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,	8_2_6CF277A0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF27050 CryptDecrypt,	8_2_6CF27050
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_008FED80 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	16_2_008FED80
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_008FEE10 CryptAcquireContextW,CryptCreateHash,CreateFileW,ReadFile,ReadFile,CryptHashData,CryptHashData,ReadFile,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	16_2_008FEE10
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_008FED80 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	20_2_008FED80
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_008FEE10 CryptAcquireContextW,CryptCreateHash,CreateFileW,ReadFile,ReadFile,CryptHashData,CryptHashData,ReadFile,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	20_2_008FEE10

Uses 32bit PE files

Source: setup-lightshot 1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Copyright 2009-2020 Skillbrains. All rights reserved.User is not allowed to upload anything that can be remotely construed as porn copyrighted material harassment or spam. The following types of files constitute "abuse" and may not be uploaded under any circumstances: 1. Pornography adult or mature content 2. Violent content 3. Content related to racial intolerance or advocacy against any individual group or organisation 4. Excessive profanity 5. Hacking/cracking content 6. Illicit drugs and drug paraphernalia content 7. Sales of beer or hard alcohol 8. Sales of tobacco or tobacco-related products 9. Sales of prescription drugs 10. Sales of weapons or ammunition (e.g. firearms firearm components fighting knives stun guns. 11. Sales of products that are replicas or imitations of designer or other goods 12. Sales or distribution of coursework or student essays 13. Content regarding programs which compensate users for clicking ads or offers performing searches surfing websites or reading emails 14. Any other content that is illegal promotes illegal activity or infringes on the legal rights of othersRedistribution in binary forms without modification are permitted provided that the following conditions are met: 1. Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 2. Redistributions should have linkback to app.prntscr.com website. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Skillbrains. THIS SOFTWARE IS PROVIDED BY SKILLBRAINS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SKILLBRAINS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE DATA OR PROFITS; OR BUSINESS INTERRUPTION. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I &accept the agreementI &do not accept the agreement&Next >Cancel

Source: setup-lightshot 1.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:56535 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:56540 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:56594 version: TLS 1.2

Source: setup-lightshot 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Dev\skillbrains\lightshot-windows-app\Screenshot\StandAloneApp\Release\net.pdb source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-V4MCF.tmp.1.dr
Source:	Binary string: D:\sources\lightshot\DeployingSystem\Starter\Starter\Release\Starter.pdb source: setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000013.00000002.1957009525.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 00000013.00000000.1956022104.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 00000015.00000000.1959277201.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 00000015.00000002.1964643190.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 00000017.00000002.1968683385.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 00000017.00000000.1966208614.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 00000019.00000000.1981206795.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 00000019.00000002.1982103928.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 0000001B.00000002.1985104572.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 0000001B.00000000.1983782111.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 0000001D.00000002.1995033659.000000000042E000.00000002.00000001.01000000.00000010.sdmp, Updater.exe, 0000001D.00000000.1991436692.000000000042E000.00000002.00000001.01000000.00000010.sdmp, is-A39OF.tmp.10.dr
Source:	Binary string: D:\Dev\skillbrains\lightshot-windows-app\Screenshot\StandAloneApp\Release\Lightshot_exe.pdb source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2984279872.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000008.00000000.1900232423.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000020.00000002.2021598587.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000020.00000000.2019458088.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, is-NJRC2.tmp.1.dr
Source:	Binary string: D:\Dev\skillbrains\lightshot-windows-app\Screenshot\StandAloneApp\Release\Lightshot.pdb source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2987158647.000000006F85B000.00000002.00000001.01000000.0000000A.sdmp, is-A5GK1.tmp.1.dr
Source:	Binary string: D:\Dev\skillbrains\lightshot-windows-app\Screenshot\StandAloneApp\Release\curl_uploader.pdb source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2986656310.000000006CF46000.00000002.00000001.01000000.00000014.sdmp, is-BMVNO.tmp.1.dr
Source:	Binary string: C:\BuildAgent\work\a197c1fa8a223363\downloader\Release\downloader.pdb source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\sources\lightshot\DeployingSystem\Updater\bin\1.0.0.0\Updater.pdb source: setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000010.00000000.1942727683.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000010.00000002.1954397813.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000014.00000002.2018945693.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000014.00000000.1956742873.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000016.00000000.1960928619.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000016.00000002.2018369560.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000018.00000000.1968421177.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000018.00000002.2024612113.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001A.00000002.1983196279.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001A.00000000.1981811985.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001C.00000000.1984569546.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001C.00000002.2018286305.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001E.00000000.1994043299.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001E.00000002.2026488455.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, is-QU5BV.tmp.10.dr
Source:	Binary string: D:\Dev\skillbrains\lightshot-windows-app\Screenshot\StandAloneApp\Release\DXGIODScreenshot.pdb source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2986912049.000000006F81E000.00000002.00000001.01000000.0000000D.sdmp, is-1I1L2.tmp.1.dr

Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Code function: 7_2_00E52C10 FindFirstFileW,_DebugHeapAllocator,_DebugHeapAllocator,FindNextFileW,FindClose,	7_2_00E52C10
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F8E1A0 PathFileExistsW,PathIsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,	8_2_00F8E1A0
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_008FB120 PathAddBackslashW,_wcsnlen,PathAddBackslashW,_wcsnlen,FindFirstFileW,_memcpy_s,PathAddBackslashW,_wcsnlen,FindNextFileW,FindClose,	16_2_008FB120
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_008FD200 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	16_2_008FD200
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_008FB7D0 PathAddBackslashW,_wcsnlen,PathAddBackslashW,_wcsnlen,FindFirstFileW,FindNextFileW,FindClose,_free,	16_2_008FB7D0
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_003F1860 FindFirstFileW,FindNextFileW,FindClose,	19_2_003F1860
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00418E52 FindFirstFileExW,	19_2_00418E52
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00418E27 FindFirstFileExA,	19_2_00418E27
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_008FD200 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	20_2_008FD200
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_008FB120 PathAddBackslashW,_wcsnlen,PathAddBackslashW,_wcsnlen,FindFirstFileW,_memcpy_s,PathAddBackslashW,_wcsnlen,FindNextFileW,FindClose,	20_2_008FB120
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_008FB7D0 PathAddBackslashW,_wcsnlen,PathAddBackslashW,_wcsnlen,FindFirstFileW,FindNextFileW,FindClose,_free,	20_2_008FB7D0

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.4:56527 -> 1.1.1.1:53

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.16.80.73 104.16.80.73
Source: Joe Sandbox View	IP Address: 93.158.134.119 93.158.134.119
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 152.199.19.74
Source: unknown	TCP traffic detected without corresponding DNS query: 152.199.19.74
Source: unknown	TCP traffic detected without corresponding DNS query: 152.199.19.74
Source: unknown	TCP traffic detected without corresponding DNS query: 152.199.19.74
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe

Code function: 16_2_008FE5F0 DeleteUrlCacheEntryW,URLDownloadToFileW,

16_2_008FE5F0

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=wRU+RlmW167yutC&MD=pYEwBk3e HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /watch/44161209?page-url=%2Fusr%2FUpdater%2FAddProduct%2Fupdater&ut=noindex HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /watch/44161209?page-url=%2Fsys%2FUpdater%2FTimeToUpdate&ut=noindex HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /watch/44161209?page-url=%2Fusr%2FUpdater%2FPing&ut=noindex HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /watch/44161209?page-url=%2Fusr%2FUpdater%2FAddProduct%2Flightshot&ut=noindex HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /watch/44161209?page-url=%2Fusr%2FUpdater%2FTimeToUpdate&ut=noindex HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /watch/44161209/1?page-url=%2Fusr%2FUpdater%2FAddProduct%2Fupdater&ut=noindex&redirnss=1 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yabs-sid=318014041727418627; ymex=1758954627.yrts.1727418627#1758954627.yrtsi.1727418627; yandexuid=9373816541727418627; i=U4ukxXBwiLTuoJfI/Ft9HsbBqnTr8cF2TTd+ViPIZOySZPiEKX/S+Eu8ZUtCNUkb7wnnQZFQX0AujeitHvnqJFHVPA8=
Source: global traffic	HTTP traffic detected: GET /watch/44161209/1?page-url=%2Fusr%2FUpdater%2FPing&ut=noindex&redirnss=1 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yabs-sid=2276765981727418627; ymex=1758954627.yrts.1727418627#1758954627.yrtsi.1727418627; yandexuid=9373816541727418627; i=U4ukxXBwiLTuoJfI/Ft9HsbBqnTr8cF2TTd+ViPIZOySZPiEKX/S+Eu8ZUtCNUkb7wnnQZFQX0AujeitHvnqJFHVPA8=
Source: global traffic	HTTP traffic detected: GET /watch/44161209/1?page-url=%2Fsys%2FUpdater%2FTimeToUpdate&ut=noindex&redirnss=1 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: yabs-sid=834489591727418627; i=5WR7ieDRgvmtg6sGWbxFzyNRk1yD8wGmOVyh90lv7Z4CD1m8S3IzBq8HbFrgTrg2g5Hy+V/SiUGohZPA59SEadkMhYQ=; yandexuid=2733293781727418627; ymex=1758954627.yrts.1727418627#1758954627.yrtsi.1727418627
Source: global traffic	HTTP traffic detected: GET /watch/44161209/1?page-url=%2Fusr%2FUpdater%2FAddProduct%2Flightshot&ut=noindex&redirnss=1 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: ymex=1758954627.yrts.1727418627#1758954627.yrtsi.1727418627; yandexuid=7454964041727418627; i=4IMBjOyhOXs04BWrOMy15PEo9eZrsWGKlLPpmZ15XKBnpOUrO1XdEqICaOIhJL+rYF1HSagKWKtOmoy63cdNztX+Sr8=; yabs-sid=1574500721727418627
Source: global traffic	HTTP traffic detected: GET /watch/44161209/1?page-url=%2Fusr%2FUpdater%2FTimeToUpdate&ut=noindex&redirnss=1 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: mc.yandex.ruConnection: Keep-AliveCookie: ymex=1758954628.yrts.1727418628#1758954628.yrtsi.1727418628; yandexuid=2967564481727418628; i=MGnnKl86RPDr8ZkUnGfRyJbCm+51V/l5IlsZvoHhIHru8F5Xhtn3RmNGgPFh751pbsRVJnKOSGIB9tBawnRA52diEIU=; _yasc=c9TJMy9H31OgANP4T34MyV8ThXBxohSh+jOnoDYr3UI9/ldMjXtS3UNyAWqx7nRzviI=; yabs-sid=2442611291727418628
Source: global traffic	HTTP traffic detected: GET /thankyou_desktop.html HTTP/1.1Host: app.prntscr.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /en/thankyou_desktop.html HTTP/1.1Host: app.prntscr.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/css/main.css HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://app.prntscr.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/js/jquery.1.8.2.min.js HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://app.prntscr.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/js/script.mix.js HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://app.prntscr.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/button-download.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/icon-facebook_gscale.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/js/script.mix.js HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/helper-button.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015 HTTP/1.1Host: static.cloudflareinsights.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://app.prntscr.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://app.prntscr.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/button-icon-sep.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/shadow-top.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/helper-select.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/js/jquery.1.8.2.min.js HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/icon-twitter_gscale.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/helper-share.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/button-download.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/icon-facebook_gscale.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/img-pic-480.jpg HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://app.prntscr.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/footer-logo.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://app.prntscr.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/css/jquery.smartbanner.css HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://app.prntscr.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/shadow-top.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/helper-select.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/js/jquery.smartbanner.js HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://app.prntscr.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/button-icon-sep.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015 HTTP/1.1Host: static.cloudflareinsights.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/helper-button.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/page-bg.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/icon-twitter_gscale.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/header-logo.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://st.prntscr.com/2023/07/24/0635/css/main.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/helper-share.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _ga=GA1.2.698250061.1727418640; _gid=GA1.2.2001955101.1727418640; _gat=1
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/footer-logo.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/js/jquery.smartbanner.js HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/img-pic-480.jpg HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/page-bg.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /manifest.json HTTP/1.1Host: app.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: manifestReferer: https://app.prntscr.com/en/thankyou_desktop.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: app.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://app.prntscr.com/en/thankyou_desktop.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/header-logo.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/icon-lightshot-144.png HTTP/1.1Host: st.prntscr.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://app.prntscr.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: app.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /v1/ HTTP/1.1Host: api.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /2023/07/24/0635/img/icon-lightshot-144.png HTTP/1.1Host: st.prntscr.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=wRU+RlmW167yutC&MD=pYEwBk3e HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /getver/updater?ping=true HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: updater.prntscr.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /getver/updater HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: updater.prntscr.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /getver/lightshot HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: updater.prntscr.comConnection: Keep-Alive

Source: chromecache_210.34.dr	String found in binary or memory: </a></li> <li><a href="//app.prntscr.com/translate-lightshot.html">Add your language</a></li></ul></div> </div> <div id="signin"><a href="https://prntscr.com/gallery.html" target="_self">Sign in</a></div> <div class="header-auth js-auth-trigger"> <div class="header-auth__name"><i id="login_system_icon"></i><span id="username">%username%</span></div> <div class="header-auth-popup js-auth-popup"><ul><li><a id="mygallery_btn" href="https://prntscr.com/gallery.html" target="_self"><i class="icon-gallery"></i>My Gallery</a></li> <li><a id="logout_btn" href="#"><i class="icon-logout"></i>Logout</a></li></ul></div> </div> <div class="header-downloads js-download-last-home"> <span class="button_blue_download header-downloads__button js-download-last-trigger"> <div class="button__wrap download-open-download-page-goal">Download Lightshot for free</div> </span> </div> <div class="header-social"> <a href="https://twitter.com/Light_shot"><i class="icon-twitter_gscale"></i></a> <a href="http://www.facebook.com/Lighshot"><i class="icon-facebook_gscale"></i></a> </div> </div> </div> <div class="page-constrain m-pagetype_thankyou"> <div class="page-header"><h1 class="page-header__title">Thank You!</h1><h2 class="page-header__title_small">Let equals www.facebook.com (Facebook)
Source: chromecache_210.34.dr	String found in binary or memory: </a></li> <li><a href="//app.prntscr.com/translate-lightshot.html">Add your language</a></li></ul></div> </div> <div id="signin"><a href="https://prntscr.com/gallery.html" target="_self">Sign in</a></div> <div class="header-auth js-auth-trigger"> <div class="header-auth__name"><i id="login_system_icon"></i><span id="username">%username%</span></div> <div class="header-auth-popup js-auth-popup"><ul><li><a id="mygallery_btn" href="https://prntscr.com/gallery.html" target="_self"><i class="icon-gallery"></i>My Gallery</a></li> <li><a id="logout_btn" href="#"><i class="icon-logout"></i>Logout</a></li></ul></div> </div> <div class="header-downloads js-download-last-home"> <span class="button_blue_download header-downloads__button js-download-last-trigger"> <div class="button__wrap download-open-download-page-goal">Download Lightshot for free</div> </span> </div> <div class="header-social"> <a href="https://twitter.com/Light_shot"><i class="icon-twitter_gscale"></i></a> <a href="http://www.facebook.com/Lighshot"><i class="icon-facebook_gscale"></i></a> </div> </div> </div> <div class="page-constrain m-pagetype_thankyou"> <div class="page-header"><h1 class="page-header__title">Thank You!</h1><h2 class="page-header__title_small">Let equals www.twitter.com (Twitter)
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2986656310.000000006CF46000.00000002.00000001.01000000.00000014.sdmp, is-BMVNO.tmp.1.dr	String found in binary or memory: Please be sure configuration is correct and proxy does not block Lightshot requests.[[screenshot_plugin.upl_fail.check_proxy_settings]]Continue - open Lightshot proxy configuration[[screenshot_plugin.upl_fail.continue_open_lightshot_proxy]]Try Again - retry with current settings[[screenshot_plugin.upl_fail.try_again_with_current_settings]]Cancel - cancel uploading screenshot[[screenshot_plugin.upl_fail.cancel_uploading_screenshot]]Lightshot uses current system proxy settings: %proxy%[[screenshot_plugin.upl_fail.lightshot_uses_system_proxy]]Continue - open system proxy configuration[[screenshot_plugin.upl_fail.continue_open_system_proxy]]%proxy%Error[[screenshot_plugin.error_capt]]shell32.dll,Control_RunDLL inetcpl.cpl,,4rundll32.exeopenAutoCopyAutoCloseScreenshot uploaded. Link copied to your clipboard.[[screenshot_plugin.screenshot_uploaded_link_copied]]Lightshothttps://www.google.com/searchbyimage?image_url=%20https://twitter.com/home?source=Lightshot&status=https://www.facebook.com/sharer.php?u=https://vk.com/share.php?url=&media=https://pinterest.com/pin/create/button/?url=Uploading Image[[screenshot_plugin.uploading_window_capt]] equals www.facebook.com (Facebook)
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2986656310.000000006CF46000.00000002.00000001.01000000.00000014.sdmp, is-BMVNO.tmp.1.dr	String found in binary or memory: Please be sure configuration is correct and proxy does not block Lightshot requests.[[screenshot_plugin.upl_fail.check_proxy_settings]]Continue - open Lightshot proxy configuration[[screenshot_plugin.upl_fail.continue_open_lightshot_proxy]]Try Again - retry with current settings[[screenshot_plugin.upl_fail.try_again_with_current_settings]]Cancel - cancel uploading screenshot[[screenshot_plugin.upl_fail.cancel_uploading_screenshot]]Lightshot uses current system proxy settings: %proxy%[[screenshot_plugin.upl_fail.lightshot_uses_system_proxy]]Continue - open system proxy configuration[[screenshot_plugin.upl_fail.continue_open_system_proxy]]%proxy%Error[[screenshot_plugin.error_capt]]shell32.dll,Control_RunDLL inetcpl.cpl,,4rundll32.exeopenAutoCopyAutoCloseScreenshot uploaded. Link copied to your clipboard.[[screenshot_plugin.screenshot_uploaded_link_copied]]Lightshothttps://www.google.com/searchbyimage?image_url=%20https://twitter.com/home?source=Lightshot&status=https://www.facebook.com/sharer.php?u=https://vk.com/share.php?url=&media=https://pinterest.com/pin/create/button/?url=Uploading Image[[screenshot_plugin.uploading_window_capt]] equals www.twitter.com (Twitter)
Source: Lightshot.exe	String found in binary or memory: https://www.facebook.com/sharer.php?u= equals www.facebook.com (Facebook)
Source: chromecache_187.34.dr, chromecache_173.34.dr, chromecache_203.34.dr, chromecache_200.34.dr	String found in binary or memory: return b}DC.H="internal.enableAutoEventOnTimer";var gc=ja(["data-gtm-yt-inspected-"]),FC=["www.youtube.com","www.youtube-nocookie.com"],GC,HC=!1; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: updater.prntscr.com
Source: global traffic	DNS traffic detected: DNS query: mc.yandex.ru
Source: global traffic	DNS traffic detected: DNS query: app.prntscr.com
Source: global traffic	DNS traffic detected: DNS query: st.prntscr.com
Source: global traffic	DNS traffic detected: DNS query: static.cloudflareinsights.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: api.prntscr.com

Source: unknown

HTTP traffic detected: POST /cdn-cgi/rum? HTTP/1.1Host: app.prntscr.comConnection: keep-aliveContent-Length: 1562sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36content-type: application/jsonAccept: */*Origin: https://app.prntscr.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://app.prntscr.com/en/thankyou_desktop.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _gid=GA1.2.2001955101.1727418640; _gat=1; _ga_0DR1D0LZJH=GS1.1.1727418639.1.0.1727418639.0.0.0; _ga=GA1.1.698250061.1727418640

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 27 Sep 2024 06:30:42 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8c9972525e047c84-EWR

Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-IAHQC.tmp.1.dr	String found in binary or memory: http://app.prntscr.com
Source: is-UAHT4.tmp.1.dr	String found in binary or memory: http://app.prntscr.com/
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-CC49K.tmp.1.dr	String found in binary or memory: http://app.prntscr.com/.
Source: setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/.http://app.prntscr.com/.http://app.prntscr.com/
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000A71000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/1
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000022A2000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, Screenshot history.url.1.dr	String found in binary or memory: http://app.prntscr.com/about-gallery.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.0000000002328000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/about-gallery.html1
Source: setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000022B5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/bs/about-gallery.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.0000000002328000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/bs/learnmore.html
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003672000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000226A000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://app.prntscr.com/bs/thankyou_desktop.html
Source: setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/cs/about-gallery.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000022B5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/cs/about-gallery.htmlaa
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.0000000002328000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/cs/learnmore.html
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003672000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000226A000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://app.prntscr.com/cs/thankyou_desktop.html
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003672000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000226A000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://app.prntscr.com/et/thankyou_desktop.html
Source: Lightshot.exe, 00000008.00000002.2984661570.0000000001178000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/html5-chrome-ext
Source: Lightshot.exe, 00000020.00000003.2020393162.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, is-CLMGG.tmp.1.dr, is-6A71J.tmp.1.dr, is-33HLK.tmp.1.dr, is-OLJSA.tmp.1.dr, is-7FPIH.tmp.1.dr, is-V2G6L.tmp.1.dr, is-C53KF.tmp.1.dr, is-U9KAA.tmp.1.dr, is-IAHQC.tmp.1.dr, is-RC65G.tmp.1.dr, is-59G3F.tmp.1.dr, is-JRP0E.tmp.1.dr, is-IMREP.tmp.1.dr, is-3OTJ0.tmp.1.dr, is-9MOHS.tmp.1.dr, is-BSHMP.tmp.1.dr, is-340BK.tmp.1.dr, is-OOBMK.tmp.1.dr, is-F63GH.tmp.1.dr, is-I74P8.tmp.1.dr	String found in binary or memory: http://app.prntscr.com/html5-chrome-extension.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2087336595.000000000346B000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000230C000.00000004.00001000.00020000.00000000.sdmp, is-4BJ6H.tmp.1.dr, Learn More.url.1.dr	String found in binary or memory: http://app.prntscr.com/learnmore.html
Source: setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000022B5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/pt-br/about-gallery.html
Source: setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/pt-br/learnmore.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.0000000002328000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/pt-br/learnmore.htmla
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003672000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000226A000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://app.prntscr.com/pt-br/thankyou_desktop.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000231A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/q
Source: setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/ru/about-gallery.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000022B5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/ru/about-gallery.htmlQ
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.0000000002328000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, is-1M2R2.tmp.1.dr	String found in binary or memory: http://app.prntscr.com/ru/learnmore.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/ru/learnmore.htmlMZ
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003672000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000226A000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://app.prntscr.com/ru/thankyou_desktop.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2100760361.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://app.prntscr.com/thankyou_desktop.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.000000000083E000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003672000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000022A2000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2092281565.0000000000825000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2100760361.000000000082D000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2100760361.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/thankyou_desktop.html#install_source=default
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.0000000000825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/thankyou_desktop.html#install_source=default(
Source: setup-lightshot 1.tmp, 00000001.00000002.2097870225.00000000001F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/thankyou_desktop.html#install_source=defaultC:
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.0000000000825000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2100760361.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/thankyou_desktop.html#install_source=defaultx
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/thankyou_desktop.htmlRy
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2100760361.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/thankyou_desktop.htmle/english&utmac=UA-11927135-1&utmcc=__utma%3D1.175951283
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.0000000000825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/thankyou_desktop.urlu
Source: setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/tr/about-gallery.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000022B5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/tr/about-gallery.html1_
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.0000000002328000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/tr/learnmore.html
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003672000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000226A000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://app.prntscr.com/tr/thankyou_desktop.html
Source: setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000022B5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/uk/about-gallery.html
Source: setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/uk/learnmore.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2089150359.0000000002328000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://app.prntscr.com/uk/learnmore.html)
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003672000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000226A000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://app.prntscr.com/uk/thankyou_desktop.html
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-U9KAA.tmp.1.dr	String found in binary or memory: http://app.prntsrc.com/
Source: Lightshot.exe, 00000008.00000002.2984661570.0000000001178000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.chromium.org/2013/09/saying-goodb
Source: Lightshot.exe, 00000020.00000003.2020393162.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, is-CLMGG.tmp.1.dr, is-6A71J.tmp.1.dr, is-33HLK.tmp.1.dr, is-OLJSA.tmp.1.dr, is-7FPIH.tmp.1.dr, is-V2G6L.tmp.1.dr, is-C53KF.tmp.1.dr, is-U9KAA.tmp.1.dr, is-IAHQC.tmp.1.dr, is-RC65G.tmp.1.dr, is-59G3F.tmp.1.dr, is-JRP0E.tmp.1.dr, is-IMREP.tmp.1.dr, is-3OTJ0.tmp.1.dr, is-9MOHS.tmp.1.dr, is-BSHMP.tmp.1.dr, is-340BK.tmp.1.dr, is-OOBMK.tmp.1.dr, is-F63GH.tmp.1.dr, is-I74P8.tmp.1.dr	String found in binary or memory: http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://counter-strike.com.ua/
Source: Lightshot.exe, 00000020.00000003.2020393162.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, is-CLMGG.tmp.1.dr, is-6A71J.tmp.1.dr, is-CQ1UE.tmp.1.dr, is-33HLK.tmp.1.dr, is-OLJSA.tmp.1.dr, is-7FPIH.tmp.1.dr, is-V2G6L.tmp.1.dr, is-C53KF.tmp.1.dr, is-U9KAA.tmp.1.dr, is-IAHQC.tmp.1.dr, is-RC65G.tmp.1.dr, is-59G3F.tmp.1.dr, is-JRP0E.tmp.1.dr, is-3OTJ0.tmp.1.dr, is-9MOHS.tmp.1.dr, is-BSHMP.tmp.1.dr, is-340BK.tmp.1.dr, is-OOBMK.tmp.1.dr, is-F63GH.tmp.1.dr, is-I74P8.tmp.1.dr	String found in binary or memory: http://crbug.com/415297
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0X
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://crl.godaddy.com/gdig2s5-4.crl0
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://downloader.yandex.net/yandex-pack/downloader/info.rssDownloading
Source: Lightshot.exe, 00000008.00000003.2084152861.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084713849.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084450149.0000000003373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wikipedia
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-KB65G.tmp.1.dr	String found in binary or memory: http://legal.yandex.com.tr/browser_agreement/
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-I3RL7.tmp.1.dr	String found in binary or memory: http://legal.yandex.com.tr/desktop_software_agreement/
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://ocsp.godaddy.com/0
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://ocsp.godaddy.com/05
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g20
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006984000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2097711056.000000000018E000.00000004.00000010.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1904214885.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1903784482.0000000002496000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005F11000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000002.1977241508.000000000018D000.00000004.00000010.00020000.00000000.sdmp, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006984000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2097711056.000000000018E000.00000004.00000010.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1904214885.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1903784482.0000000002496000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005F11000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000002.1977241508.000000000018D000.00000004.00000010.00020000.00000000.sdmp, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr	String found in binary or memory: http://t2.symcb.com0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006984000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2097711056.000000000018E000.00000004.00000010.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1904214885.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1903784482.0000000002496000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005F11000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000002.1977241508.000000000018D000.00000004.00000010.00020000.00000000.sdmp, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006984000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2097711056.000000000018E000.00000004.00000010.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1904214885.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1903784482.0000000002496000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005F11000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000002.1977241508.000000000018D000.00000004.00000010.00020000.00000000.sdmp, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006984000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2097711056.000000000018E000.00000004.00000010.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1904214885.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1903784482.0000000002496000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005F11000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000002.1977241508.000000000018D000.00000004.00000010.00020000.00000000.sdmp, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr	String found in binary or memory: http://tl.symcd.com0&
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: chromecache_186.34.dr, chromecache_175.34.dr	String found in binary or memory: http://twitter.com/
Source: Updater.exe, 00000018.00000002.2024101673.00000000006B4000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 0000001E.00000002.2026802401.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/%
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/6)
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/=
Source: Updater.exe, 00000018.00000002.2024101673.00000000006B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/E
Source: Updater.exe, 00000018.00000002.2024101673.00000000006B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/US_
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, lightshot[1].xml.30.dr	String found in binary or memory: http://updater.prntscr.com/builds/setup-lightshot-5.5.0.7.exe
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/builds/setup-lightshot-5.5.0.7.exe#
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/builds/setup-lightshot-5.5.0.7.exe5
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/builds/setup-lightshot-5.5.0.7.exes
Source: Updater.exe, 00000018.00000002.2024101673.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, updater[1].xml.22.dr, updater[1].xml.24.dr	String found in binary or memory: http://updater.prntscr.com/builds/setup-updater-1.8.0.0.exe
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/builds/setup-updater-1.8.0.0.exe0
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/builds/setup-updater-1.8.0.0.exeO
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/builds/setup-updater-1.8.0.0.exem
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 0000001E.00000002.2026802401.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, unins000.dat.1.dr, info.xml.1.dr, UserProducts.xml.28.dr	String found in binary or memory: http://updater.prntscr.com/getver/lightshot
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshot&
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshot2
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshot2z
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshot34C:
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshotLMEMX
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshotR
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshotVVC:
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshotb
Source: Updater.exe, 0000001C.00000002.2018984318.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshotuni
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/lightshot~zg
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000018.00000002.2024101673.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, info.xml.10.dr, MachineProducts.xml.20.dr	String found in binary or memory: http://updater.prntscr.com/getver/updater
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updater-
Source: Updater.exe, 00000018.00000002.2024101673.00000000006B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updater4
Source: Updater.exe, 00000018.00000002.2024101673.00000000006B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updater40
Source: Updater.exe, 00000016.00000002.2018866086.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000016.00000002.2018689264.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updater?ping=true
Source: Updater.exe, 00000016.00000002.2018866086.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updater?ping=true9
Source: Updater.exe, 00000015.00000002.1965630267.00000000012D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updater?ping=truek3
Source: Updater.exe, 00000016.00000002.2018866086.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updater?ping=truex9
Source: Updater.exe, 00000018.00000002.2024101673.00000000006A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updaterC:
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updaterCon
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updaterI
Source: Updater.exe, 00000018.00000002.2024101673.00000000006B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updateral
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updatere
Source: Updater.exe, 00000014.00000002.2019298918.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updaterj
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updaterq
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updateru
Source: Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updater.prntscr.com/getver/updaterz
Source: Updater.exe	String found in binary or memory: http://updater.skillbrains.com/machine.xml
Source: setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000010.00000000.1942727683.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000010.00000002.1954397813.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000014.00000002.2018945693.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000014.00000000.1956742873.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000016.00000000.1960928619.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000016.00000002.2018369560.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000018.00000000.1968421177.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000018.00000002.2024612113.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001A.00000002.1983196279.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001A.00000000.1981811985.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001C.00000000.1984569546.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001C.00000002.2018286305.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001E.00000000.1994043299.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001E.00000002.2026488455.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, is-QU5BV.tmp.10.dr	String found in binary or memory: http://updater.skillbrains.com/machine.xmlhttp://updater.skillbrains.com/user.xmlChecking
Source: Updater.exe	String found in binary or memory: http://updater.skillbrains.com/user.xml
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2087336595.000000000349E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.adilyildiz.com.tr%1
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: setup-lightshot 1.exe, 00000000.00000003.2105416556.00000000026C2000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2087336595.000000000349E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.bernamegeh.net%1
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: Lightshot.exe, 00000008.00000003.2083546580.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084152861.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084713849.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2085299580.0000000003379000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084450149.0000000003373000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Lightshot.exe, 00000008.00000003.2084152861.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084713849.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084450149.0000000003373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/jp/h
Source: Lightshot.exe, 00000008.00000003.1970496282.000000000337B000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.1975331249.000000000337B000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2086605077.0000000003614000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2089150359.000000000226A000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2087336595.000000000348F000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2087336595.000000000344D000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr	String found in binary or memory: http://www.google-analytics.com/__utm.gif?&utmn=
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2100760361.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2085245188.00000000037BA000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com/__utm.gif?&utmn=1090119&utmwv=4.4sh&utmp=Lightshot/Install
Source: setup-lightshot 1.tmp, 00000001.00000003.2085069769.0000000000849000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2101647090.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com/__utm.gif?&utmn=1090119&utmwv=4.4sh&utmp=Lightshot/Install%20version
Source: setup-lightshot 1.tmp, 00000001.00000003.2091538525.00000000037CC000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2085245188.00000000037CA000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2085069769.0000000000849000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2101647090.000000000084E000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2102521073.00000000037CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com/__utm.gif?&utmn=2154796&utmwv=4.4sh&utmp=Lightshot/General
Source: setup-lightshot 1.tmp, 00000001.00000003.2085245188.00000000037CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com/__utm.gif?&utmn=2154796&utmwv=4.4sh&utmp=Lightshot/General%20Install
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2087336595.000000000340E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com/__utm.gif?&utmn=4162002&utmwv=4.4sh&utmp=Lightshot/Language/english&
Source: Updater.exe	String found in binary or memory: http://www.google-analytics.com/__utm.gif?utmwv=4.4sh
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2984279872.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000008.00000000.1900232423.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000008.00000002.2986656310.000000006CF46000.00000002.00000001.01000000.00000014.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000010.00000000.1942727683.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000010.00000002.1954397813.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000014.00000002.2018945693.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000014.00000000.1956742873.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000016.00000000.1960928619.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000016.00000002.2018369560.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000018.00000000.1968421177.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 00000018.00000002.2024612113.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001A.00000002.1983196279.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001A.00000000.1981811985.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001C.00000000.1984569546.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001C.00000002.2018286305.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001E.00000000.1994043299.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Updater.exe, 0000001E.00000002.2026488455.0000000000972000.00000002.00000001.01000000.0000000E.sdmp, Lightshot.exe, 00000020.00000002.2021598587.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000020.00000000.2019458088.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.google-analytics.com/__utm.gif?utmwv=4.4sh&utmac=&utmp=%2F.&utmcc=__utma%3D1.&utmn=-bit&u
Source: Updater.exe, 00000014.00000002.2019482560.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 0000001C.00000002.2018984318.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 0000001C.00000002.2018984318.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com/__utm.gif?utmwv=4.4sh&utmac=UA-38715315-1&utmp=%2FUpdater%2Fusr%2FAd
Source: Updater.exe, 00000016.00000002.2018866086.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000016.00000002.2018866086.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com/__utm.gif?utmwv=4.4sh&utmac=UA-38715315-1&utmp=%2FUpdater%2Fusr%2FPi
Source: setup-lightshot 1.exe, 00000000.00000003.2109288878.0000000000940000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2087336595.000000000349E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.haysoft.org%1-k
Source: setup-lightshot 1.exe, 00000000.00000003.1728945109.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1729384305.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000000.1730462641.0000000000401000.00000020.00000001.01000000.00000004.sdmp, setupupdater.exe, 00000009.00000003.1903784482.0000000002380000.00000004.00001000.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1904214885.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000000.1905986524.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-5TND1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, setupupdater.tmp.9.dr	String found in binary or memory: http://www.innosetup.com/
Source: Lightshot.exe, 00000008.00000003.2082927253.000000000336A000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2085299580.0000000003379000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084450149.0000000003373000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Lightshot.exe, 00000008.00000003.2076393306.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082698245.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2078047904.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2077474913.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/&z
Source: Lightshot.exe, 00000008.00000003.2083546580.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084152861.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084713849.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084450149.0000000003373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: Lightshot.exe, 00000008.00000003.2083546580.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084152861.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084450149.0000000003373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: Lightshot.exe, 00000008.00000003.2076393306.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082698245.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2078047904.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2077474913.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: Lightshot.exe, 00000008.00000003.2083125560.0000000003373000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2083546580.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082698245.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082927253.000000000336A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Lightshot.exe, 00000008.00000003.2083125560.0000000003373000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082698245.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082927253.000000000336A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Lightshot.exe, 00000008.00000003.2083125560.0000000003373000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082698245.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082927253.000000000336A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: Lightshot.exe, 00000008.00000003.2082698245.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2078047904.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2077474913.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082927253.000000000336A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Lightshot.exe, 00000008.00000003.2083125560.0000000003373000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2083546580.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084152861.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084713849.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082927253.000000000336A000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084450149.0000000003373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/&z
Source: Lightshot.exe, 00000008.00000003.2083125560.0000000003373000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2083546580.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084152861.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084713849.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082927253.000000000336A000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084450149.0000000003373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M
Source: Lightshot.exe, 00000008.00000003.2083546580.0000000003372000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
Source: Lightshot.exe, 00000008.00000003.2083546580.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084152861.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084713849.000000000336C000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2084450149.0000000003373000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/s
Source: Lightshot.exe, 00000008.00000003.2083125560.0000000003373000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082698245.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2082927253.000000000336A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: Lightshot.exe, 00000008.00000003.2076393306.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2078047904.0000000003372000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.2077474913.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: setup-lightshot 1.exe, setupupdater.exe.1.dr	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: setup-lightshot 1.exe, 00000000.00000003.2105416556.00000000026C2000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1728264426.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.1731784002.0000000003200000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2087336595.000000000349E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.palkornel.hu/innosetup%1
Source: setup-lightshot 1.exe, 00000000.00000003.1728945109.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.exe, 00000000.00000003.1729384305.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000000.1730462641.0000000000401000.00000020.00000001.01000000.00000004.sdmp, setupupdater.exe, 00000009.00000003.1903784482.0000000002380000.00000004.00001000.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1904214885.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000000.1905986524.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-5TND1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, setupupdater.tmp.9.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Lightshot.exe, 00000008.00000002.2985878473.00000000044D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: chromecache_200.34.dr	String found in binary or memory: https://adservice.google.com/pagead/regclk?
Source: chromecache_191.34.dr, chromecache_216.34.dr	String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: Lightshot.exe	String found in binary or memory: https://api.prntscr.com/v1.1/
Source: Lightshot.exe, 00000008.00000002.2984279872.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000008.00000000.1900232423.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000020.00000002.2021598587.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000020.00000000.2019458088.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://api.prntscr.com/v1.1/useridDetachRequestDoneXB
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-NJRC2.tmp.1.dr	String found in binary or memory: https://api.prntscr.com/v1.1/useridDetachRequestDoneXBD
Source: chromecache_186.34.dr, chromecache_175.34.dr	String found in binary or memory: https://api.prntscr.com/v1/
Source: is-NJRC2.tmp.1.dr	String found in binary or memory: https://app.prntscr.com/
Source: chromecache_187.34.dr, chromecache_173.34.dr, chromecache_203.34.dr, chromecache_200.34.dr	String found in binary or memory: https://cct.google/taggy/agent.js
Source: setup-lightshot 1.exe, is-1I1L2.tmp.1.dr, is-NJRC2.tmp.1.dr, is-Q717B.tmp.1.dr, is-5TND1.tmp.1.dr, is-A5GK1.tmp.1.dr, setup-lightshot 1.tmp.0.dr, is-BMVNO.tmp.1.dr, is-V4MCF.tmp.1.dr	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: Lightshot.exe, 00000008.00000002.2984661570.0000000001178000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000020.00000003.2020393162.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/p
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2984661570.00000000011B9000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.1937566566.0000000001199000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2984661570.00000000011D5000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.1937566566.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.1938246577.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000003.1937514842.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, Lightshot.exe, 00000020.00000003.2020393162.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, is-CLMGG.tmp.1.dr, is-6A71J.tmp.1.dr, is-33HLK.tmp.1.dr, is-OLJSA.tmp.1.dr, is-7FPIH.tmp.1.dr, is-V2G6L.tmp.1.dr, is-C53KF.tmp.1.dr, is-U9KAA.tmp.1.dr, is-IAHQC.tmp.1.dr, is-RC65G.tmp.1.dr, is-59G3F.tmp.1.dr, is-JRP0E.tmp.1.dr, is-IMREP.tmp.1.dr	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=150835
Source: Updater.exe, 00000016.00000003.2003631534.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsgac:163:0
Source: setup-lightshot 1.tmp, 00000001.00000002.2102521073.00000000037D2000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2085245188.00000000037CA000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2091538525.00000000037D2000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000016.00000003.2003631534.0000000000E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascnsrsgac:163:0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-V4MCF.tmp.1.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: chromecache_180.34.dr, chromecache_176.34.dr	String found in binary or memory: https://itunes.apple.com/
Source: chromecache_186.34.dr, chromecache_175.34.dr	String found in binary or memory: https://itunes.apple.com/us/app/lightshot-screenshot/id526298438
Source: setup-lightshot 1.tmp, 00000001.00000003.2085245188.00000000037BA000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000014.00000003.2017953336.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000014.00000002.2019482560.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000016.00000002.2018866086.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000018.00000002.2024101673.000000000066D000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 0000001C.00000002.2018984318.0000000000D52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comF
Source: chromecache_200.34.dr	String found in binary or memory: https://pagead2.googlesyndication.com
Source: chromecache_187.34.dr, chromecache_173.34.dr, chromecache_203.34.dr, chromecache_200.34.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
Source: Lightshot.exe	String found in binary or memory: https://pinterest.com/pin/create/button/?url=
Source: chromecache_193.34.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.prntscr.app
Source: Lightshot.exe	String found in binary or memory: https://prntscr.com/
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2984279872.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000008.00000000.1900232423.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000020.00000002.2021598587.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, Lightshot.exe, 00000020.00000000.2019458088.0000000000FBA000.00000002.00000001.01000000.00000009.sdmp, is-NJRC2.tmp.1.dr	String found in binary or memory: https://prntscr.com/app/attach_app.php?id=Signed
Source: chromecache_210.34.dr	String found in binary or memory: https://prntscr.com/gallery.html
Source: chromecache_210.34.dr	String found in binary or memory: https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015
Source: chromecache_187.34.dr, chromecache_173.34.dr, chromecache_203.34.dr, chromecache_200.34.dr	String found in binary or memory: https://stats.g.doubleclick.net/g/collect
Source: chromecache_216.34.dr	String found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: chromecache_191.34.dr, chromecache_216.34.dr	String found in binary or memory: https://tagassistant.google.com/
Source: chromecache_187.34.dr, chromecache_173.34.dr, chromecache_203.34.dr, chromecache_200.34.dr	String found in binary or memory: https://td.doubleclick.net
Source: chromecache_186.34.dr, chromecache_175.34.dr	String found in binary or memory: https://twitter.com/#
Source: chromecache_186.34.dr, chromecache_175.34.dr	String found in binary or memory: https://twitter.com/$1
Source: chromecache_210.34.dr	String found in binary or memory: https://twitter.com/Light_shot
Source: Lightshot.exe	String found in binary or memory: https://twitter.com/home?source=Lightshot&status=
Source: chromecache_186.34.dr, chromecache_175.34.dr	String found in binary or memory: https://twitter.com/share
Source: Lightshot.exe	String found in binary or memory: https://upload.prntscr.com/upload
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2986656310.000000006CF46000.00000002.00000001.01000000.00000014.sdmp, is-BMVNO.tmp.1.dr	String found in binary or memory: https://upload.prntscr.com/upload%s/%I64d/%s/application/octet-streamimagethumbTruedirect_linkwidthh
Source: Lightshot.exe	String found in binary or memory: https://vk.com/share.php?url=
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/03
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006680000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: chromecache_191.34.dr, chromecache_216.34.dr	String found in binary or memory: https://www.google-analytics.com/debug/bootstrap?id=
Source: chromecache_191.34.dr, chromecache_216.34.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: chromecache_191.34.dr, chromecache_216.34.dr	String found in binary or memory: https://www.google.%/ads/ga-audiences
Source: chromecache_200.34.dr	String found in binary or memory: https://www.google.com
Source: chromecache_191.34.dr, chromecache_216.34.dr	String found in binary or memory: https://www.google.com/ads/ga-audiences
Source: Lightshot.exe	String found in binary or memory: https://www.google.com/searchbyimage?image_url=
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, Lightshot.exe, 00000008.00000002.2986656310.000000006CF46000.00000002.00000001.01000000.00000014.sdmp, is-BMVNO.tmp.1.dr	String found in binary or memory: https://www.google.com/searchbyimage?image_url=%20https://twitter.com/home?source=Lightshot&status=h
Source: chromecache_187.34.dr, chromecache_173.34.dr, chromecache_203.34.dr, chromecache_200.34.dr	String found in binary or memory: https://www.googleadservices.com
Source: chromecache_200.34.dr	String found in binary or memory: https://www.googletagmanager.com
Source: chromecache_191.34.dr, chromecache_216.34.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: chromecache_210.34.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-0DR1D0LZJH
Source: chromecache_187.34.dr, chromecache_173.34.dr, chromecache_203.34.dr, chromecache_200.34.dr	String found in binary or memory: https://www.merchant-center-analytics.goog
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006984000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2097711056.000000000018E000.00000004.00000010.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1904214885.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1903784482.0000000002496000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005F11000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000002.1977241508.000000000018D000.00000004.00000010.00020000.00000000.sdmp, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.0000000006984000.00000004.00001000.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000002.2097711056.000000000018E000.00000004.00000010.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1904214885.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, setupupdater.exe, 00000009.00000003.1903784482.0000000002496000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005DE0000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000003.1966583875.0000000005F11000.00000004.00001000.00020000.00000000.sdmp, setupupdater.tmp, 0000000A.00000002.1977241508.000000000018D000.00000004.00000010.00020000.00000000.sdmp, setupupdater.tmp.9.dr, is-A39OF.tmp.10.dr, setupupdater.exe.1.dr, is-QU5BV.tmp.10.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-QUFDK.tmp.1.dr	String found in binary or memory: https://yandex.com.tr/legal/browser_agreement/
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-QUFDK.tmp.1.dr	String found in binary or memory: https://yandex.com.tr/legal/desktop_software_agreement/
Source: setup-lightshot 1.tmp, 00000001.00000003.2077553501.00000000066DC000.00000004.00001000.00020000.00000000.sdmp, is-QUFDK.tmp.1.dr	String found in binary or memory: https://yandex.com.tr/soft/distribution/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56558
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56559
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56554
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56555
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56556
Source: unknown	Network traffic detected: HTTP traffic on port 56566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56557
Source: unknown	Network traffic detected: HTTP traffic on port 56586 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56540 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56561
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56562
Source: unknown	Network traffic detected: HTTP traffic on port 56589 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56563 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56563
Source: unknown	Network traffic detected: HTTP traffic on port 56537 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56564
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56560
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 56592 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56554 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56546 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56569
Source: unknown	Network traffic detected: HTTP traffic on port 56560 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56565
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56566
Source: unknown	Network traffic detected: HTTP traffic on port 56581 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56567
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56568
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56572
Source: unknown	Network traffic detected: HTTP traffic on port 56543 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56570
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56557 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56578 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56561 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56576
Source: unknown	Network traffic detected: HTTP traffic on port 56580 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56549 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56578
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56579
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56583
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56584
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56585
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56586
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56580
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56581
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56582
Source: unknown	Network traffic detected: HTTP traffic on port 56558 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56535 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56594 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 56583 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56544 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56589
Source: unknown	Network traffic detected: HTTP traffic on port 56569 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56594
Source: unknown	Network traffic detected: HTTP traffic on port 56538 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56596
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56590
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56591
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56592
Source: unknown	Network traffic detected: HTTP traffic on port 56572 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56555 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56576 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56553 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56582 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56547 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56579 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56556 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56596 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56567 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56585 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56564 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56570 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56591 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56536
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56537
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56538
Source: unknown	Network traffic detected: HTTP traffic on port 56545 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56539
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56534
Source: unknown	Network traffic detected: HTTP traffic on port 56584 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56535
Source: unknown	Network traffic detected: HTTP traffic on port 56568 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56539 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56540
Source: unknown	Network traffic detected: HTTP traffic on port 56565 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56590 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56542 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56542
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56547
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56548
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56549
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56543
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56544
Source: unknown	Network traffic detected: HTTP traffic on port 56548 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56545
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56546
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56553
Source: unknown	Network traffic detected: HTTP traffic on port 56562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 56559 -> 443

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.158.134.119:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:56535 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:56540 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:56594 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe

Code function: 8_2_6CF28860 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

8_2_6CF28860

Contains functionality to modify clipboard data

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF28860 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,		8_2_6CF28860
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F83CA70 OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,EndDialog,MessageBeep,		8_2_6F83CA70

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe

Code function: 8_2_00F932B0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,SetWindowTextW,

8_2_00F932B0

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F8EFD0 CryptAcquireContextW,CryptImportKey,		8_2_00F8EFD0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF279F0 CryptAcquireContextW,CryptImportKey,		8_2_6CF279F0

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe

Code function: 16_2_008FD5C0 WTSGetActiveConsoleSessionId,WTSQueryUserToken,_memset,CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,

16_2_008FD5C0

Creates files inside the system directory

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File created: C:\Windows\Tasks\update-sys.job	Jump to behavior
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\1[1].gif
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\updater[1].xml
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	File created: C:\Windows\Tasks\update-S-1-5-21-2246122658-3693405117-2476756634-1002.job

Deletes files inside the Windows folder

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe

File deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\1[1].gif

Detected potential crypto function

Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Code function: 7_2_00E5B896	7_2_00E5B896
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FB500C	8_2_00FB500C
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA94D0	8_2_00FA94D0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA559D	8_2_00FA559D
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA763E	8_2_00FA763E
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA57CC	8_2_00FA57CC
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F8E740	8_2_00F8E740
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FB0B61	8_2_00FB0B61
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF3DC9E	8_2_6CF3DC9E
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF368CC	8_2_6CF368CC
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF42938	8_2_6CF42938
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF3669D	8_2_6CF3669D
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF37750	8_2_6CF37750
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF270D0	8_2_6CF270D0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F811D50	8_2_6F811D50
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F81C708	8_2_6F81C708
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F852BBE	8_2_6F852BBE
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F84CB5C	8_2_6F84CB5C
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F857858	8_2_6F857858
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F852710	8_2_6F852710
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F83F020	8_2_6F83F020
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_00944607	16_2_00944607
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_008F2870	16_2_008F2870
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_0095CA6B	16_2_0095CA6B
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_008F6D30	16_2_008F6D30
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_00924D60	16_2_00924D60
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_00930F42	16_2_00930F42
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_0092B610	16_2_0092B610
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_008DF9A0	16_2_008DF9A0
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_008EBBF0	16_2_008EBBF0
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_00941DE4	16_2_00941DE4
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_0095BE46	16_2_0095BE46
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_0042220F	19_2_0042220F
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00408294	19_2_00408294
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_004084C3	19_2_004084C3
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_004086FD	19_2_004086FD
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_0042A68A	19_2_0042A68A
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_0040892C	19_2_0040892C
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00408B5B	19_2_00408B5B
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_0042AB86	19_2_0042AB86
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_003F6DA7	19_2_003F6DA7
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00408D95	19_2_00408D95
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00428F1F	19_2_00428F1F
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00408FC4	19_2_00408FC4
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_0042AF9E	19_2_0042AF9E
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_004210F0	19_2_004210F0
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00409221	19_2_00409221
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_0042B3D3	19_2_0042B3D3
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_0040948D	19_2_0040948D
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00421630	19_2_00421630
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_004096EA	19_2_004096EA
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_0042B808	19_2_0042B808
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00409947	19_2_00409947
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00421AE0	19_2_00421AE0
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00409BB3	19_2_00409BB3
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_0041FC74	19_2_0041FC74
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_0095C3B8	20_2_0095C3B8
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00944607	20_2_00944607
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_0095CA6B	20_2_0095CA6B
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00924D60	20_2_00924D60
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00930F42	20_2_00930F42
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00929A9A	20_2_00929A9A
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00941DE4	20_2_00941DE4
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_0095E5E5	20_2_0095E5E5
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00926727	20_2_00926727
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_008F2870	20_2_008F2870
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_008F6D30	20_2_008F6D30
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_0092B610	20_2_0092B610
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_008DF9A0	20_2_008DF9A0
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_008EBBF0	20_2_008EBBF0
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_0095BE46	20_2_0095BE46

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: String function: 6CF21D70 appears 76 times
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: String function: 6F831B10 appears 80 times
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: String function: 00F875C0 appears 207 times
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: String function: 6F848F10 appears 31 times
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: String function: 6F848842 appears 40 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 008DDB60 appears 32 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 0091134E appears 64 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 00944072 appears 41 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 0091929B appears 34 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 009174C4 appears 140 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 008D3490 appears 44 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 0091137C appears 87 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 008D1830 appears 72 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 00925C7D appears 238 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 00926D80 appears 96 times
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: String function: 00902340 appears 90 times
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: String function: 004172FF appears 34 times
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: String function: 00417896 appears 60 times
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: String function: 003F43E0 appears 47 times

PE file contains executable resources (Code or Archives)

Source: setup-lightshot 1.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: setup-lightshot 1.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-5TND1.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-5TND1.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: setupupdater.tmp.9.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: setupupdater.tmp.9.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: setup-lightshot 1.exe, 00000000.00000003.1728945109.0000000002541000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs setup-lightshot 1.exe
Source: setup-lightshot 1.exe, 00000000.00000003.1729384305.000000007FE3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs setup-lightshot 1.exe

Uses 32bit PE files

Source: setup-lightshot 1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean10.evad.winEXE@64/253@24/9

Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe

Code function: 7_2_00E53820 CoCreateInstance,

7_2_00E53820

Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe

Code function: 7_2_00E544A0 LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

7_2_00E544A0

Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp

File created: C:\Program Files (x86)\Skillbrains

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4408:120:WilError_03
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Mutant created: \Sessions\1\BaseNamedObjects\LightshotStandAloneAppMainMutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_03
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Mutant created: \BaseNamedObjects\Skillbrains_Updarer_CMDARG_RUNMODE_CHECKUPDATE
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Mutant created: \Sessions\1\BaseNamedObjects\Skillbrains_Updarer_CMDARG_RUNMODE_CHECKUPDATE

Source: C:\Users\user\Desktop\setup-lightshot 1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lightshot.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lightshot.exe")
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lightshot.exe")

Source: Updater.exe	String found in binary or memory: InstallerManager/Installed
Source: Updater.exe	String found in binary or memory: InstallerManager/Installed
Source: setup-lightshot 1.exe	String found in binary or memory: /LOADINF="filename"

Source: unknown	Process created: C:\Users\user\Desktop\setup-lightshot 1.exe "C:\Users\user\Desktop\setup-lightshot 1.exe"
Source: C:\Users\user\Desktop\setup-lightshot 1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp "C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp" /SL5="$10412,2148280,486912,C:\Users\user\Desktop\setup-lightshot 1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "taskkill.exe" /F /IM lightshot.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe"
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Process created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe "C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe" /verysilent
Source: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe	Process created: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp "C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp" /SL5="$80080,490430,120832,C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe" /verysilent
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" START SCHEDULE
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 START SCHEDULE
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
Source: unknown	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=checkupdate
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=checkupdate
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
Source: unknown	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=checkupdate
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=checkupdate
Source: unknown	Process created: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe"
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Process created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1888,i,7167525600281717774,4743937817464806075,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\setup-lightshot 1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp "C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp" /SL5="$10412,2148280,486912,C:\Users\user\Desktop\setup-lightshot 1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "taskkill.exe" /F /IM lightshot.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe "C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe" /verysilent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://app.prntscr.com/thankyou_desktop.html#install_source=default	Jump to behavior
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Process created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe	Process created: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp "C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp" /SL5="$80080,490430,120832,C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe" /verysilent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" START SCHEDULE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 START SCHEDULE	Jump to behavior
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"	Jump to behavior
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=checkupdate
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Process created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=checkupdate
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Process created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1888,i,7167525600281717774,4743937817464806075,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Uninstall Lightshot.lnk.1.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\Skillbrains\lightshot\unins000.exe
Source: Lightshot.lnk.1.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe

Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Automated click: I accept the agreement

Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Code function: 7_2_00E587E9 push ecx; ret	7_2_00E587FC
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA11E6 push ecx; ret	8_2_00FA11F9
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FB974F push esp; ret	8_2_00FB9759
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF32266 push ecx; ret	8_2_6CF32279
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F812FC6 push ecx; ret	8_2_6F812FD9
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F848F56 push ecx; ret	8_2_6F848F69
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_00926DC5 push ecx; ret	16_2_00926DD8
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_00925C4B push ecx; ret	16_2_00925C5E
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_003F4426 push ecx; ret	19_2_003F4439
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00925C4B push ecx; ret	20_2_00925C5E
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00926DC5 push ecx; ret	20_2_00926DD8

Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-1I1L2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe	File created: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup-lightshot 1.exe	File created: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\net.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\is-5TND1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-V4MCF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\is-Q717B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\DXGIODScreenshot.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-A5GK1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	File created: C:\Users\user\AppData\Local\Temp\is-S06D3.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	File created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	File created: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\is-QU5BV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-BMVNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	File created: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-NJRC2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\uploader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	File created: C:\Program Files (x86)\Skillbrains\Updater\is-A39OF.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot\Uninstall Lightshot.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot\Lightshot.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot\Learn More.url	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightshot\Screenshot history.url	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Lightshot			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Lightshot			Jump to behavior

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\setup-lightshot 1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\setupupdater.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-1I1L2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\net.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-V4MCF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\DXGIODScreenshot.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-A5GK1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S06D3.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-BMVNO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P7E8S.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\uploader.dll (copy)	Jump to dropped file

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	API coverage: 8.9 %
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	API coverage: 6.5 %
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	API coverage: 8.6 %
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	API coverage: 5.9 %
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	API coverage: 7.8 %

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe TID: 4460	Thread sleep time: -56000s >= -30000s
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe TID: 2108	Thread sleep time: -57500s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UOU5D.tmp\setup-lightshot 1.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F1J96.tmp\setupupdater.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Thread delayed: delay time: 56000
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Thread delayed: delay time: 57500

Windows Analysis Report setup-lightshot 1.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
setup-lightshot 1.exe

Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.0000000000825000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX"\|
Source: setup-lightshot 1.tmp, 00000001.00000003.2091538525.00000000037BE000.00000004.00000020.00020000.00000000.sdmp, setup-lightshot 1.tmp, 00000001.00000003.2085245188.00000000037BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn"
Source: Updater.exe, 0000001C.00000002.2018984318.0000000000D39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW/
Source: Updater.exe, 0000001E.00000002.2026802401.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: setup-lightshot 1.tmp, 00000001.00000003.2085245188.00000000037CA000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000014.00000003.2017953336.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000014.00000002.2019482560.0000000000B49000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000014.00000002.2019482560.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000014.00000003.2017953336.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000016.00000002.2018866086.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000016.00000002.2018866086.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000018.00000002.2024101673.0000000000696000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000018.00000002.2024101673.0000000000651000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 0000001C.00000002.2018984318.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 0000001C.00000002.2018984318.0000000000D66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Updater.exe, 00000014.00000003.2017953336.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000014.00000002.2019482560.0000000000B49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Updater.exe, 00000016.00000002.2018866086.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: setup-lightshot 1.tmp, 00000001.00000003.2092281565.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\Y

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA16AD mov esi, dword ptr fs:[00000030h]	8_2_00FA16AD
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FAB764 mov eax, dword ptr fs:[00000030h]	8_2_00FAB764
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF38C5B mov eax, dword ptr fs:[00000030h]	8_2_6CF38C5B
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF326FD mov esi, dword ptr fs:[00000030h]	8_2_6CF326FD
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F815D01 mov eax, dword ptr fs:[00000030h]	8_2_6F815D01
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F847F08 mov esi, dword ptr fs:[00000030h]	8_2_6F847F08
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F84D9A1 mov eax, dword ptr fs:[00000030h]	8_2_6F84D9A1
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_004105C5 mov eax, dword ptr fs:[00000030h]	19_2_004105C5
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_00410653 mov eax, dword ptr fs:[00000030h]	19_2_00410653

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Code function: 7_2_00E590E4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00E590E4
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Code function: 7_2_00E579E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00E579E4
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Code function: 7_2_00E612EF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00E612EF
Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Code function: 7_2_00E5CF9E SetUnhandledExceptionFilter,	7_2_00E5CF9E
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA0590 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00FA0590
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA0DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00FA0DAB
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA9E47 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00FA9E47
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00FA0F3D SetUnhandledExceptionFilter,	8_2_00FA0F3D
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF37D2F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6CF37D2F
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF31ED7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6CF31ED7
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF315E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_6CF315E0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F812E5D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6F812E5D
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F812D3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_6F812D3A
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F81575D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6F81575D
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F848DED IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6F848DED
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F84BB7E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6F84BB7E
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F8488BD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_6F8488BD
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_00926A67 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00926A67
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_003F41EF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_003F41EF
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_003FC2B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_003FC2B3
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_003F4384 SetUnhandledExceptionFilter,	19_2_003F4384
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: 19_2_003F443B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_003F443B
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00926A36 SetUnhandledExceptionFilter,	20_2_00926A36
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_00926A67 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00926A67

Source: C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	Code function: GetLocaleInfoA,	7_2_00E61406
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: EnumSystemLocalesW,	19_2_0041E041
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	19_2_0041E0CE
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: GetLocaleInfoW,	19_2_0041E31E
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	19_2_0041E447
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: GetLocaleInfoW,	19_2_0041E54E
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	19_2_0041E61B
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: EnumSystemLocalesW,	19_2_00417386
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: EnumSystemLocalesW,	19_2_004174EE
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: EnumSystemLocalesW,	19_2_004174A2
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	19_2_0041DCC5
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: GetLocaleInfoW,	19_2_00417DD6
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: EnumSystemLocalesW,	19_2_0041DF3D
Source: C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	Code function: EnumSystemLocalesW,	19_2_0041DFA6
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	20_2_0094C8C5
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: GetLocaleInfoW,	20_2_0094CB0E

Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F81180 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	8_2_00F81180
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F812E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	8_2_00F812E0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_00F81230 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	8_2_00F81230
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6CF21AB0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	8_2_6CF21AB0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F8117C0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	8_2_6F8117C0
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F811540 TakeScreenshotExp,__ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	8_2_6F811540
Source: C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe	Code function: 8_2_6F8319C0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	8_2_6F8319C0
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 16_2_0094F4F3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	16_2_0094F4F3
Source: C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe	Code function: 20_2_0094F4F3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	20_2_0094F4F3

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States	15169	GOOGLEUS	false
104.23.140.12	updater.prntscr.com	United States	13335	CLOUDFLARENETUS	false
104.23.139.12	app.prntscr.com	United States	13335	CLOUDFLARENETUS	false
104.16.80.73	unknown	United States	13335	CLOUDFLARENETUS	false
93.158.134.119	mc.yandex.ru	Russian Federation	13238	YANDEXRU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.16.79.73	static.cloudflareinsights.com	United States	13335	CLOUDFLARENETUS	false

Name	IP	Active
mc.yandex.ru	93.158.134.119	true
static.cloudflareinsights.com	104.16.79.73	true
app.prntscr.com	104.23.139.12	true
updater.prntscr.com	104.23.140.12	true
st.prntscr.com	104.23.140.12	true
www.google.com	142.250.184.196	true
api.prntscr.com	104.23.140.12	true

Name	Malicious	Antivirus Detection	Reputation
https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015	false	URL Reputation: safe	unknown
https://app.prntscr.com/en/thankyou_desktop.html#install_source=default	false		unknown
https://st.prntscr.com/2023/07/24/0635/js/jquery.smartbanner.js	false	Avira URL Cloud: safe	unknown
https://st.prntscr.com/2023/07/24/0635/img/footer-logo.png	false	Avira URL Cloud: safe	unknown
https://mc.yandex.ru/watch/44161209/1?page-url=%2Fusr%2FUpdater%2FAddProduct%2Flightshot&ut=noindex&redirnss=1	false	Avira URL Cloud: safe	unknown
https://st.prntscr.com/2023/07/24/0635/js/jquery.1.8.2.min.js	false	Avira URL Cloud: safe	unknown
https://mc.yandex.ru/watch/44161209/1?page-url=%2Fusr%2FUpdater%2FAddProduct%2Fupdater&ut=noindex&redirnss=1	false	Avira URL Cloud: safe	unknown
https://app.prntscr.com/cdn-cgi/rum?	false	Avira URL Cloud: safe	unknown
https://st.prntscr.com/2023/07/24/0635/img/helper-button.png	false	Avira URL Cloud: safe	unknown
https://st.prntscr.com/2023/07/24/0635/img/helper-share.png	false	Avira URL Cloud: safe	unknown
https://st.prntscr.com/2023/07/24/0635/img/icon-twitter_gscale.png	false	Avira URL Cloud: safe	unknown
https://api.prntscr.com/v1/	false	Avira URL Cloud: safe	unknown
https://st.prntscr.com/2023/07/24/0635/img/icon-facebook_gscale.png	false	Avira URL Cloud: safe	unknown

ID:	1520341
Product:	CloudBasic
Start time:	08:29:03
Start date:	27.09.2024
Sample:	setup-lightshot 1.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a1f6923e771b4ff0df9fec9555f97c65
SHA1:	545359cd68d0ee37f4b15e1a22c2c9a5fda69e22
SHA256:	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1
Filetype:	Win32 Executable (generic) a (10002005/4) 99.94%