423eff9f75de1ecb2d6ad2db77fb4b28c3d5b7fdb7c0cd49c26cfac533904c6a

Analysis

max time kernel
80s
max time network
85s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/07/2024, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.exe
Size

2.7MB
MD5

a1f6923e771b4ff0df9fec9555f97c65
SHA1

545359cd68d0ee37f4b15e1a22c2c9a5fda69e22
SHA256

928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1
SHA512

c9e54f48208151dcf60bf049d09a5c69f6ef7e4f046359fdfd50c61d49a6f9a37c3d3a2016d4beb70ae47270e9e9689e03064c02bee1e1d3d95998000e47f153
SSDEEP

49152:/i85nVhfVnQiGmEwZbyVKf3tOOr/o2rm0mMXgT11rNjiG0C+0LRzasw:a85nVZarmEwZecPzJWDLN+GwOnw

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Lightshot = "C:\\Program Files (x86)\\Skillbrains\\lightshot\\Lightshot.exe"	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\DXGIODScreenshot.dll	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-KHBCS.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-D0NN0.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-3EQJ0.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-LJ08H.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-SFJ9F.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-I7LF4.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-SIDMA.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-QF5O7.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\info.xml	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\MachineProducts.xml	Updater.exe
File opened for modification	C:\Program Files (x86)\Skillbrains\Updater\MachineProducts.xml	Updater.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-K8VBO.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-18UFI.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-683UG.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-5P7H5.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\is-P4QFJ.tmp	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-48RRH.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-KF9IN.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-C3S2L.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-962OC.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-IB9RC.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-HQQ9J.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\net.dll	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\uploader.dll	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\Updater\Updater.exe	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-HKU1K.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\unins000.msg	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-D8VLL.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-3QGTK.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-0NPJR.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\is-E5D26.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-U3HGV.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-FRCDI.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-EB9Q8.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-CM42F.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\Updater\is-U62D6.tmp	setupupdater.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\info.xml	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-LTV48.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-QOH7B.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-K24FG.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-O98H8.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-LOVL3.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\is-IBN9L.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-COKR7.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-TGG4B.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-RTJBE.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-FHT20.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-RSJ2U.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-OHMPD.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-77FCJ.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-TPCSJ.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-ATOBI.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-6ECTE.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-MU3TN.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-OUOMJ.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-OR8HI.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-KG7LL.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-G1F8M.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\unins000.dat	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\unins000.dat	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-8CB6L.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-V9VGQ.tmp	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\update-sys.job	Updater.exe
File created	C:\Windows\Tasks\update-S-1-5-21-3699363923-1875576828-3287151903-1000.job	updater.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Executes dropped EXE 14 IoCs

pid	Process
5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
1376	Lightshot.exe
3940	Lightshot.exe
360	setupupdater.exe
428	setupupdater.tmp
4552	Updater.exe
660	Updater.exe
196	Updater.exe
4792	Updater.exe
4292	Updater.exe
4720	updater.exe
1072	updater.exe
2136	updater.exe
3068	updater.exe

Loads dropped DLL 3 IoCs

pid	Process
3940	Lightshot.exe
3940	Lightshot.exe
3940	Lightshot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2012	taskkill.exe
4804	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000077e7ce8c5f849a05b1099a87c865e4706f8dda89836268183cff9d9808d5cf2b9f4f7230e4ebd2ba1ff3089ad204ab3e4763badbddf578bd163d	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f59543230fd2da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fee351230fd2da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 479381230fd2da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "648"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "1280"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{AA1C586D-DB76-493F-BD11-D72C9C832381} = "0"	MicrosoftEdge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
428	setupupdater.tmp
428	setupupdater.tmp

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1040	MicrosoftEdgeCP.exe
1040	MicrosoftEdgeCP.exe
1040	MicrosoftEdgeCP.exe
1040	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	784	MicrosoftEdge.exe
Token: SeDebugPrivilege	784	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
3940	Lightshot.exe
3940	Lightshot.exe
3940	Lightshot.exe
428	setupupdater.tmp

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3940	Lightshot.exe
3940	Lightshot.exe
3940	Lightshot.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
784	MicrosoftEdge.exe
1040	MicrosoftEdgeCP.exe
368	MicrosoftEdgeCP.exe
1040	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 5080	3320	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.exe	72
PID 3320 wrote to memory of 5080	3320	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.exe	72
PID 3320 wrote to memory of 5080	3320	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.exe	72
PID 5080 wrote to memory of 2012	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	73
PID 5080 wrote to memory of 2012	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	73
PID 5080 wrote to memory of 2012	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	73
PID 5080 wrote to memory of 4804	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	76
PID 5080 wrote to memory of 4804	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	76
PID 5080 wrote to memory of 4804	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	76
PID 5080 wrote to memory of 1376	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	78
PID 5080 wrote to memory of 1376	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	78
PID 5080 wrote to memory of 1376	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	78
PID 1376 wrote to memory of 3940	1376	Lightshot.exe	79
PID 1376 wrote to memory of 3940	1376	Lightshot.exe	79
PID 1376 wrote to memory of 3940	1376	Lightshot.exe	79
PID 5080 wrote to memory of 360	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	80
PID 5080 wrote to memory of 360	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	80
PID 5080 wrote to memory of 360	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	80
PID 360 wrote to memory of 428	360	setupupdater.exe	81
PID 360 wrote to memory of 428	360	setupupdater.exe	81
PID 360 wrote to memory of 428	360	setupupdater.exe	81
PID 428 wrote to memory of 3916	428	setupupdater.tmp	82
PID 428 wrote to memory of 3916	428	setupupdater.tmp	82
PID 428 wrote to memory of 3916	428	setupupdater.tmp	82
PID 3916 wrote to memory of 3156	3916	net.exe	84
PID 3916 wrote to memory of 3156	3916	net.exe	84
PID 3916 wrote to memory of 3156	3916	net.exe	84
PID 428 wrote to memory of 4552	428	setupupdater.tmp	85
PID 428 wrote to memory of 4552	428	setupupdater.tmp	85
PID 428 wrote to memory of 4552	428	setupupdater.tmp	85
PID 428 wrote to memory of 660	428	setupupdater.tmp	86
PID 428 wrote to memory of 660	428	setupupdater.tmp	86
PID 428 wrote to memory of 660	428	setupupdater.tmp	86
PID 660 wrote to memory of 196	660	Updater.exe	87
PID 660 wrote to memory of 196	660	Updater.exe	87
PID 660 wrote to memory of 196	660	Updater.exe	87
PID 428 wrote to memory of 4792	428	setupupdater.tmp	88
PID 428 wrote to memory of 4792	428	setupupdater.tmp	88
PID 428 wrote to memory of 4792	428	setupupdater.tmp	88
PID 4792 wrote to memory of 4292	4792	Updater.exe	89
PID 4792 wrote to memory of 4292	4792	Updater.exe	89
PID 4792 wrote to memory of 4292	4792	Updater.exe	89
PID 5080 wrote to memory of 4720	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	90
PID 5080 wrote to memory of 4720	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	90
PID 5080 wrote to memory of 4720	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	90
PID 4720 wrote to memory of 1072	4720	updater.exe	91
PID 4720 wrote to memory of 1072	4720	updater.exe	91
PID 4720 wrote to memory of 1072	4720	updater.exe	91
PID 5080 wrote to memory of 2136	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	92
PID 5080 wrote to memory of 2136	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	92
PID 5080 wrote to memory of 2136	5080	928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp	92
PID 2136 wrote to memory of 3068	2136	updater.exe	93
PID 2136 wrote to memory of 3068	2136	updater.exe	93
PID 2136 wrote to memory of 3068	2136	updater.exe	93
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98
PID 1040 wrote to memory of 3012	1040	MicrosoftEdgeCP.exe	98

C:\Users\Admin\AppData\Local\Temp\928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.exe
"C:\Users\Admin\AppData\Local\Temp\928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\is-RLILI.tmp\928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RLILI.tmp\928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp" /SL5="$A01D4,2148280,486912,C:\Users\Admin\AppData\Local\Temp\928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.exe"
  2⤵
  - Adds Run key to start application
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /F /IM lightshot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe
    "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe
      "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3940
- - C:\Users\Admin\AppData\Local\Temp\is-QRTIO.tmp\setupupdater.exe
    "C:\Users\Admin\AppData\Local\Temp\is-QRTIO.tmp\setupupdater.exe" /verysilent
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Users\Admin\AppData\Local\Temp\is-B25TB.tmp\setupupdater.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-B25TB.tmp\setupupdater.tmp" /SL5="$90064,490430,120832,C:\Users\Admin\AppData\Local\Temp\is-QRTIO.tmp\setupupdater.exe" /verysilent
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" START SCHEDULE
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 START SCHEDULE
        6⤵
        
        PID:3156
    - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        
        PID:4552
    - - C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:660
      - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        6⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:196
    - - C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        6⤵
        Executes dropped EXE
        
        PID:4292
- - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
    "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
      "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      PID:1072
- - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
    "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
      "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
      4⤵
      Executes dropped EXE
      PID:3068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:784

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe

Filesize
854KB

MD5
fbe0664e1c333e36e3ce73d8bd5cc8a1

SHA1
d7f284e9a8d3a3b5a832c37b58382000b583fbc1

SHA256
c4ce15b1bc8adecbf20a655256aab267c1d72e7a33947598af48ea287cca5670

SHA512
7b7e34aa69e2e92590b79d2b9c9fd095d15fc5a2943335d0f59cdee15083a8bb1a66b669615ce716bb714a59a1be54e8fea88a5889bfa8e0371e7eb8902fa555

Download Submit
C:\Program Files (x86)\Skillbrains\Updater\Updater.exe

Filesize
405KB

MD5
3ec8f4bd54ef439a8fab6467122da0c4

SHA1
ee2e65cbbaa22db70d89b85db28ee955d4db12f9

SHA256
a5e3bdc3b0b0bd6455892e23008161b5478b24f4fe1801f43a8a01cfff1bcba7

SHA512
0f50ce35241d5d55f0f3bae6fb38de39213a48d356478efac76c0292b286b58ddb855e130fd03bdf3cd63e141aa14ffd5318671e9885b2c17411f8ba3aba6189

Download Submit
C:\Program Files (x86)\Skillbrains\Updater\info.xml

Filesize
276B

MD5
466b19bc0b21fe6667778a0c114a9d25

SHA1
3b930a9a836f39467b7bfce4a35499fef7803c36

SHA256
efce940e2e2504326dce91e1112dc19c31a9de49f0fc34886389d36997594ef0

SHA512
1d995818bed8c356aa691ef19a6ce3df54c2fa08c086304f32b0f963934ca6402f1890bdd376d2cb411c58561e3740b73125a4cf0187ff49172d57b3b712028a

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\DXGIODScreenshot.dll

Filesize
93KB

MD5
25c632cd2f529ba142fa706205ac00c9

SHA1
495b777348d26e5fa75dfbf6b50498428fe7748b

SHA256
6acdcd817cc5df637aa4cd101c25c9e0a69c778347a7a40ce7511eeea26fd6f0

SHA512
606e9856eb8153f9dab7f4c23ff967b2d9ce9fcf1902823a424ca4b4ee0a4f1a95bfdd316356dd65831c494f7e74ec4562bf684ab6a20c3376abef8ff10f6c7a

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe

Filesize
487KB

MD5
1e1c83b9680029ad4a9f8d3b3ac93197

SHA1
fa7b69793454131a5b21b32867533305651e2dd4

SHA256
0b899508777d7ed5159e2a99a5eff60c54d0724493df3d630525b837fa43aa51

SHA512
fe6f8df3dbbcc7535ead60028ec3e45801a33ccc81c9137b2288bc0d18be42379564c907eb406ce9491f46930690efa9a86a9f6506414992b5dba75adb3d1136

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\EN.txt

Filesize
10KB

MD5
4d195562c84403dd347bd2c45403efc5

SHA1
4203bd1c9f0c0a2133ba7dc5ff1f9c86c942d131

SHA256
4a57246bd4ce9d387ec10f0ab2084c3d91e8463d03c1412f3665aee3885a85a5

SHA512
3de1ba358834c7d238e35f533a192c6e6e41fdf276a29b6714cf02636cad123eff571614a1185025757bec3e9f9f351d612598496600684e4ac676e576e8c601

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\uploader.dll

Filesize
215KB

MD5
08cf9e363d79c9379cabd75382131315

SHA1
22ce1f3506fc46976f2d5dcc5a5735ce8ede63bf

SHA256
037ee2f3243918fffa71b9e3fe0541245f75f89abcac0ccf2ea6a57020ddaad7

SHA512
cab0c8a5b8596054315c69f1ff858da1fad89ea1e3c28d4c90411c293b6b40438e2be67e029a51279637f2704e30903d0d4751e31fa1d1b2af0393af90c8907b

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe

Filesize
221KB

MD5
62eb961457df016fa3949e9601a1a845

SHA1
0c0a5fa4f6cb9e18c0e3431d5e1bf45fd2e05352

SHA256
8d4c4bcf7d7aedf0480e3eaac52138e63724ae83c419de8a98d6ab32d1c93645

SHA512
fb4fcb6a3f5b7a3eb35a1689a0d15e3d8f9f520180d6cc57857b90b8af3d576da179c30c18019da5500f58d6f86c07645090e0c75accbd87257e1b73d291ae81

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\info.xml

Filesize
362B

MD5
105b94bb4070848b67cc3c23ab32afbf

SHA1
4ff607984309dd4b9c0ebc03a610d0022fd565c2

SHA256
f2cbf4e10f5f71841842c75ab97d2dc59a902a095e4ab54a25ad692c1d3aa1f0

SHA512
9007822bb83f56518570a8acb3b42a1ec79be26fc0dabc22ec40f569a725cbb4bff9b0801ec5e51af8753bce54474107582b72fc8f37e8e305e22255a0793041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FB

Filesize
1KB

MD5
17ec0b64467079870e7a26a6d512ab4f

SHA1
1390d4b8287639e04e5480fd953805c6f882c986

SHA256
d5567a313cc1ec29e9a0dde3eb4994594f89d6e8b58bbc2671f37e3b4877ea69

SHA512
3ad8a8107af002b6dce842c5c5490461ed8294738257d24f853b057299be5a0f5d146338fbcf578210f2a5a79a345438337a7d40c821b551ffcefcb8bfbc3ed2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FB

Filesize
1KB

MD5
15d1677d993e94470db3f85c72391eda

SHA1
613bb8fba42cc750e1afc2ea25831f1f59c0100b

SHA256
7b61ab5b1447f7324cfc796ef51ae1d7631ff0e8d5bba16d04f55e6539840814

SHA512
282a52b8844b31225f8359f7be47db7d9def84146bd82814dcd5a856dddcd2bb3ff66243ec45f18046e2dd21ca8197214f694286ecc93e6e69b74b47e2aee90f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
54cb01b97ac3b60f60323c9e5e229679

SHA1
19b3464ce47460c13add4c9096ab19f45717f164

SHA256
3dafff16748df1896b14130ba53d4ca0541194bd5fab1be46bfd03f002580686

SHA512
bf24638e4714193d112704c4a4677c5ba7be42486bc1a2cb94016e5f1f5e154ced4b09793c98c5f892c1cd88b93609542ae0e7faee97cfcbdfb0472ff0b0604b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_5ABD7D01BC4734045B6B5D27402C000C

Filesize
940B

MD5
0e1b2d2bdd6f6e35e7520e34250b4bab

SHA1
0135c04b26eb84ed2caefb09aa95417fa0ec8ba3

SHA256
ed84c9f8370f791573102104d58f5644990354924c4316913980e349c3128091

SHA512
ce30c90e618433e037715548cdd728d94e90368ea23663bbeaceb0c10e6844e3e5c919ad714dbcddbd172516dbe781e9cdf8a222d288c08b13220f67b76f90a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FB

Filesize
512B

MD5
c3c34c72a436fec72b9b6ca87433432a

SHA1
a672fad3e757e9800bf4c4dc8e5788f68b07fdff

SHA256
73ecf04bbfca7b77337482308b48980578ed45d441191bf22004b56d55e0ea42

SHA512
76c5b193a4f69d78f6e281562dfbb36eb4f3c528466bcc698045fc3cb090f871a8f5f3f3fdc8348cd792e8619acbe457a9f98dd38d24ddb81443ebc01c25d5c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FB

Filesize
512B

MD5
34b204d860b7d663c853ea09d576d8ed

SHA1
41d3ffc92f6cdae76cf730808d8ea1c0b9b7af9c

SHA256
276b8acfa23de76ea92be3f6e61e9d060fd15684cfeb1a2b22650d2c0bf07456

SHA512
9c0451390e5b7c8e1cc8ada8206f779e570ad56d37c4a114c50662fdd63ce848b6c2f64880cb100a6a6e744159177eee80eb9a7e334ac3cad140205d7699aac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
0b2a102a5663eb1460c75451972acc4f

SHA1
2866beece0c56eae8a085618af47a4b19096fa6a

SHA256
6611e41f1234e5f321700b8fc6feef04c818798a264f0b164ce9e088ae2b861d

SHA512
e4c9a2eb875b693cab0459f8c65a71953beff9d507593da3e6bb49298b8079abf2b1c6c86a4774999abaff71ce23eb3b5ec853bda882cb82238dc227c4e75288

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
42225b3583432546ef780396cbf228b5

SHA1
7767e529175adad776beade0bb374d46085cddbe

SHA256
7c8548db90a8444b1d170c441d77144dfe9f314a4ed3e335400227086bdd54a6

SHA512
c421607fa49351785de153f534db03a4f5882cb29cd8a6523751aac64b6c6a463810d48ffa8e3d2ee750f1c947cfa5551554be1d69e4d4fd3f534a0bb72c5168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
5fa85e16eeb62edc623b29ae5eb0859d

SHA1
92c1c4ef448dc74ddd09e065a7c05e1eb2a08ef0

SHA256
ed75a5c26e67ccd0d4c20e5f228bfd786e6235573840314035a9ed39b535bc5f

SHA512
6e8de016f68477f4858adf820c3619e0b2255e950b9adcfa515e8dd7506e10a77f0820f85db158781b46e1ced03c03ae6f2324305b3842c9a9f5b1ad218bd08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_5ABD7D01BC4734045B6B5D27402C000C

Filesize
520B

MD5
897f8d44845d470ba84aab8d0e3635a5

SHA1
7c90e417a589b018bf0dcc01877805df29befaec

SHA256
6bc1020526ff6f4847535c9d37bb6ea7e8ee71b7b8e6b3bd1c4edf4f7f46a691

SHA512
265b826bbdafe1658652cd623e0e0de1a1003380049a19eaeab7a99d9b5865660cc46d7d095400a9fcb83754bd821ba94600bdd2ea965cf68bf335f819107aa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_5ABD7D01BC4734045B6B5D27402C000C

Filesize
520B

MD5
6cf4b26a2654af3f48415f459f4e3ea2

SHA1
76b5080b62aa88bf0bf719e55a8138f4b8060800

SHA256
0f7eafc9c43338a8f555810319cf7dc168e93b99d7b6162615721fad78cfe60a

SHA512
58a91313716146445722d8907afe7366ef0214793cf189f3bffa4f4f2a1679bc86886bf0b1fcb57e32e150fb87e91dbb311794c7c84af05327ad8c21f84b9a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CRDFDX20\1[2].gif

Filesize
43B

MD5
df3e567d6f16d040326c7a0ea29a4f41

SHA1
ea7df583983133b62712b5e73bffbcd45cc53736

SHA256
548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87

SHA512
b2ca25a3311dc42942e046eb1a27038b71d689925b7d6b3ebb4d7cd2c7b9a0c7de3d10175790ac060dc3f8acf3c1708c336626be06879097f4d0ecaa7f567041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CRDFDX20\__utm[1].gif

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3PBLHFVB.cookie

Filesize
359B

MD5
f351807efc399a8c4389ea93ce91bd57

SHA1
2253f4b13a7345b4c4ab99fde6f589de9f330828

SHA256
c40c26f6aece20f447bc40d6cb9dcedc6a3ab09c02da7d78d7f8be1eca58a4a1

SHA512
87bb4b0e02bcda5997d1fe9d2b5e70eb1c0a77b3d8b649052473c0ec7398de0c12178ff8659a71da188547ce692d8f7ea675161204b5ed845ff86f69550b62f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\L2NA992G.cookie

Filesize
359B

MD5
aad0fbe223d00a8b986236e9248aa42d

SHA1
8425e02dcb42b58fde7f54123ffb9fa50a3775de

SHA256
bb0df9d4194f58fb4f758eb436f608a4a9f655b0a3346bf4fcfc4ec05f9b04bc

SHA512
a0195c4ea05dd0a9f49b6df18af2b79e647ccc07bca4516781f0fba7933f077ccea51181da368fd1e94179f704e08ceee4c7649a5ec4c2cb5a68e5b18690be17

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WT1A27X4\js[1].js

Filesize
256KB

MD5
ab04b68c718934f6569d16c37ff20f9d

SHA1
ff73dc2bb4726b9ac2bc3e1228e638e559558d18

SHA256
42baf9c76a8ef78f1168156313170f444ec50ff9562fd549b04ee9be73a4a827

SHA512
24be0804cb221b6bf93ec25a57509114a72199854bb2809a8310f014c26cf4040eeeff4b50c95477f0f74f8d8dc0f88740003af8f560ddcb2e3a209956a8dccc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\DO1Z1BGH\favicon[1].ico

Filesize
5KB

MD5
feb7ca0515d4660fc15fc4f42c8904ef

SHA1
4cf8b8a1bff5df3e74a7461913b502eaee0a4937

SHA256
b50109bb17a40d032cb6ee83163e10d220e0d19a19192cb71950063070888570

SHA512
a6d02aef62f841795a1f7ee6567072f625c31f6bf61dd73d2ffbd022ce429864b5c94e9c1b7a1d20110adccb0fa496898c186cebbf529c69dd9e6cc5d1a4a036

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B25TB.tmp\setupupdater.tmp

Filesize
1.1MB

MD5
3613e29d2a7b90c1012ec676819cc1cd

SHA1
a18f7ab9710eefa0678981b0be9a429dc6f98d28

SHA256
fb5761640bb6d375345b780df0f1811f6ae6a1ddeae7c948299379f8bca822c8

SHA512
837f3aedcfd81cfc0fcebc9e135f72a55c0cac10860ca78d57cd910d6f039afd500bbbff1481637f21912e5eacbdbebfdc3a3bb8133db2cb37f444ef87e6347b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QRTIO.tmp\setupupdater.exe

Filesize
865KB

MD5
843d23f6aab075a3c032b06d30ce9c5d

SHA1
8e9f98e609db50ee6167a76b6ae1ca7886e6c866

SHA256
088f048ee972ef80bd527e301431c1ad7e46d0c994ad8a2b586c4fa6d86ac399

SHA512
101cc5a0a5c927adac497cf901ebfcb73bd92eec0b8855c8fa0aab0bb0411dcb5cc3271b6f73c0fdf6238a21df30871afcddf5bd8f0164ddaf8acd72d14a7db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RLILI.tmp\928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1.tmp

Filesize
1.5MB

MD5
c6bffd4da620b07cb214f1bd8e7f21d2

SHA1
054221dc0c8a686e0d17edd6e02c06458b1395c3

SHA256
55dbb288d5df6df375487bae50661dbf530fd43a7e96017b7183a54db8fc376a

SHA512
91e50df87a6e42b01e24accead25726047a641c3960fa3336f560168ed68356e6992d289a0a71b629d74ad7b00bbdbf7e6e909a4c8b5b1616fbf3b0cc63210ab

Download Submit
C:\Users\Admin\AppData\Local\updater.log

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.dll

Filesize
490KB

MD5
f256a9c7e68a249fe760019d19c022ce

SHA1
5a6279ef4f82270b756053cd34bba96d7fe0ce05

SHA256
04a27f0d1e89341722461119e00a10e00ec2a52f5e305961161ec4378e610e93

SHA512
a97f1cd4554d59ee0d69df6ebfc234e025c5e6e64c057f28c62f3743c8ccf8b502ce3eafc437a34a492b6b590fe62591293e551d0e7db5b6036890a64e6d8de9

Download Submit
memory/360-215-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/360-180-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/368-357-0x000001F4C3200000-0x000001F4C3300000-memory.dmp

Filesize
1024KB

Download
memory/368-358-0x000001F4C3200000-0x000001F4C3300000-memory.dmp

Filesize
1024KB

Download
memory/368-356-0x000001F4C3200000-0x000001F4C3300000-memory.dmp

Filesize
1024KB

Download
memory/428-213-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/784-292-0x00000261B9ED0000-0x00000261B9ED2000-memory.dmp

Filesize
8KB

Download
memory/784-249-0x00000261BC920000-0x00000261BC930000-memory.dmp

Filesize
64KB

Download
memory/784-265-0x00000261BCA20000-0x00000261BCA30000-memory.dmp

Filesize
64KB

Download
memory/3012-445-0x00000191EEA70000-0x00000191EEA72000-memory.dmp

Filesize
8KB

Download
memory/3012-443-0x00000191EEA50000-0x00000191EEA52000-memory.dmp

Filesize
8KB

Download
memory/3012-468-0x00000191EF0C0000-0x00000191EF0C2000-memory.dmp

Filesize
8KB

Download
memory/3012-375-0x00000191DB8C0000-0x00000191DB8C2000-memory.dmp

Filesize
8KB

Download
memory/3012-372-0x00000191DB890000-0x00000191DB892000-memory.dmp

Filesize
8KB

Download
memory/3012-377-0x00000191DB8E0000-0x00000191DB8E2000-memory.dmp

Filesize
8KB

Download
memory/3012-437-0x00000191EE750000-0x00000191EE752000-memory.dmp

Filesize
8KB

Download
memory/3012-456-0x00000191EED20000-0x00000191EED22000-memory.dmp

Filesize
8KB

Download
memory/3012-458-0x00000191EEDE0000-0x00000191EEDE2000-memory.dmp

Filesize
8KB

Download
memory/3012-441-0x00000191EE7F0000-0x00000191EE7F2000-memory.dmp

Filesize
8KB

Download
memory/3012-447-0x00000191EEA90000-0x00000191EEA92000-memory.dmp

Filesize
8KB

Download
memory/3012-449-0x00000191EEBA0000-0x00000191EEBA2000-memory.dmp

Filesize
8KB

Download
memory/3012-452-0x00000191EECE0000-0x00000191EECE2000-memory.dmp

Filesize
8KB

Download
memory/3012-439-0x00000191EE700000-0x00000191EE702000-memory.dmp

Filesize
8KB

Download
memory/3012-435-0x00000191EE6D0000-0x00000191EE6D2000-memory.dmp

Filesize
8KB

Download
memory/3320-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3320-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3320-0-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5080-9-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/5080-6-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/5080-609-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/5080-782-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download