File name:	clippy_1.3.0_x64_en-US.msi
Full analysis:	https://app.any.run/tasks/7c66b42c-7e63-4538-b677-4b287ae8f1ca
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	December 24, 2024, 05:58:34
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc loader
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: clippy, Author: clippy, Keywords: Installer, Comments: This installer database contains the logic and data required to install clippy., Template: x64;0, Revision Number: {B8746D0E-D851-4CC3-B64C-E95452190D5B}, Create Time/Date: Tue Dec 24 03:36:42 2024, Last Saved Time/Date: Tue Dec 24 03:36:42 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:	06D9C485E59F9AFF33FDDFB0F386279C
SHA1:	84CA517FD6D1752124E1029A2C142C74CF58FA32
SHA256:	349774E037FE63ED026387A700E5C2362E041473E6AA465B30A0B3D996786F1B
SSDEEP:	98304:dr3tGiN5yS7aQRg7Y9ZLJvjt2L7FYrsXTQP9s/Obf44wT4nyE8QWRwualeyQxRbx:uQLBc710bPMKXObeOlD49e0h+k3kmnu

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	clippy
Author:	clippy
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install clippy.
Template:	x64;0
RevisionNumber:	{B8746D0E-D851-4CC3-B64C-E95452190D5B}
CreateDate:	2024:12:24 03:36:42
ModifyDate:	2024:12:24 03:36:42
Pages:	450
Words:	2
Software:	Windows Installer XML Toolset (3.14.1.8722)
Security:	Read-only recommended


(PID) Process:	(3732) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 480000000000000056622703C955DB01940E0000640D0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3732) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 480000000000000056622703C955DB01940E0000640D0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3732) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000AC957F03C955DB01940E0000640D0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3732) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000AC957F03C955DB01940E0000640D0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3732) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000D7C38603C955DB01940E0000640D0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3732) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000F9F98103C955DB01940E0000640D0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3732) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000BE222404C955DB01940E0000640D0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5156) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000CFF03B04C955DB0124140000E8100000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5156) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000CFF03B04C955DB012414000084000000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5156) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000CFF03B04C955DB0124140000D8150000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
3732	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
3732	msiexec.exe	C:\Windows\Installer\1482da.msi		—
		MD5:—	SHA256:—
3732	msiexec.exe	C:\Windows\Installer\1482dc.msi		—
		MD5:—	SHA256:—
3732	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{33ebbdea-3633-472f-a750-dd84087cab80}_OnDiskSnapshotProp		binary
		MD5:2650B777129E09687C0433FD905331EF	SHA256:49542F9BC182E8D7EF007AA37D5FAB0E43ECB5510A02E2831D50C7A20C08534E
3732	msiexec.exe	C:\Program Files\clippy\clippy.exe		executable
		MD5:8C844899D4C9810AAEC7AD021F20E164	SHA256:F38066B4E20659E64937F663DF0D8749E6DAC1F32699E429AE3FA54E1D51908E
3732	msiexec.exe	C:\Windows\Temp\~DFF10BFDB4372CA5F8.TMP		binary
		MD5:71B36D40B5C83E49A891BBC3E17949F7	SHA256:C061F5800E9B3540CF897D87D838683702554C2528A70D3AF171CCFCAACC2259
2976	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EUC33F.tmp\MicrosoftEdgeUpdate.exe		executable
		MD5:70CC35C7FB88D650902E7A5611219931	SHA256:7ECA199201273F0BCFF1E26778CB535E69C74A69064E7759FF8DAD86954D42B1
2976	MicrosoftEdgeWebview2Setup.exe	C:\Users\admin\AppData\Local\Temp\EUC33F.tmp\msedgeupdate.dll		executable
		MD5:40CD707DD3011A9845FF9C42256EA7E3	SHA256:9F4C7072716E0BE1BE08207A7024A5E41162E288E677D805BE8E5469A8BD4909
3732	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:2650B777129E09687C0433FD905331EF	SHA256:49542F9BC182E8D7EF007AA37D5FAB0E43ECB5510A02E2831D50C7A20C08534E
3732	msiexec.exe	C:\Windows\Temp\~DF84B119405DCAA476.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2420	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5340	RUXIMICS.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2420	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4036	svchost.exe	HEAD	200	217.20.57.19:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1735624820&P2=404&P3=2&P4=i4rhOUnxK%2fBjh3zQoNoRIi3EH5sS1g%2b1Kva0utAFFoYDBMNZHIDKnZPqVkN4XaUqz2BKLdPuFYxF1mbb%2bOW4LA%3d%3d	unknown	—	—	whitelisted
4036	svchost.exe	GET	—	217.20.57.19:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/7d9cd93c-1d5e-449b-9ad7-f1e8d6b90509?P1=1735624820&P2=404&P3=2&P4=i4rhOUnxK%2fBjh3zQoNoRIi3EH5sS1g%2b1Kva0utAFFoYDBMNZHIDKnZPqVkN4XaUqz2BKLdPuFYxF1mbb%2bOW4LA%3d%3d	unknown	—	—	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.43?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.195.43&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=false&requestOmahaShellVersion=1.3.195.43&requestOmahaVersion=1.3.195.43	unknown	binary	484 b	whitelisted
—	—	GET	200	23.48.23.55:443	https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/c1336fd6-a2eb-4669-9b03-949fc70ace0e/MicrosoftEdgeWebview2Setup.exe	unknown	executable	1.58 Mb	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	4.175.87.113:443	https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates	unknown	ini	104 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5340	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
2420	svchost.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
5340	RUXIMICS.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
2420	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3976	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.120	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
www.bing.com	2.23.209.181 2.23.209.158 2.23.209.150 2.23.209.177 2.23.209.182 2.23.209.149 2.23.209.179 2.23.209.140 2.23.209.176	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
msedge.sf.dl.delivery.mp.microsoft.com	2.16.168.116 2.16.168.117	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
msedge.api.cdp.microsoft.com	4.245.161.190	whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com	217.20.57.19 217.20.57.35 217.20.57.36 84.201.210.23 217.20.57.20 217.20.57.18 84.201.210.39 217.20.57.34	whitelisted

General Info

clippy_1.3.0_x64_en-US.msi

06D9C485E59F9AFF33FDDFB0F386279C

84CA517FD6D1752124E1029A2C142C74CF58FA32

349774E037FE63ED026387A700E5C2362E041473E6AA465B30A0B3D996786F1B

98304:dr3tGiN5yS7aQRg7Y9ZLJvjt2L7FYrsXTQP9s/Obf44wT4nyE8QWRwualeyQxRbx:uQLBc710bPMKXObeOlD49e0h+k3kmnu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Changes the autorun value in the registry

SUSPICIOUS

Executes as Windows Service

Reads the Windows owner or organization settings

Starts POWERSHELL.EXE for commands execution

Downloads file from URI via Powershell

Manipulates environment variables

Starts process via Powershell

Gets or sets the security protocol (POWERSHELL)

The process bypasses the loading of PowerShell profile settings

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Starts itself from another location

Creates/Modifies COM task schedule object

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

INFO

An automatically generated document

Checks supported languages

Executable content was dropped or overwritten

Reads the computer name

Manages system restore points

Checks proxy server information

Disables trace logs

The sample compiled with english language support

Create files in a temporary directory

Creates files or folders in the user directory

Creates a software uninstall entry

Process checks computer location settings

Reads Environment values

Reads the software policy settings

The executable file from the user directory is run by the Powershell process

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity