Malware analysis clipgrab-3.9.10-dotinstaller.exe Malicious activity

Add for printing

File name:	clipgrab-3.9.10-dotinstaller.exe
Full analysis:	https://app.any.run/tasks/c9d40c3e-3d10-454d-b486-d9038e6ea5a5
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 12, 2024, 14:34:56
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer python netreactor miner
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	D5351A9AFA0356B886F609FF7F53603D
SHA1:	7368DE3DB110E4398BE3EDD3AFDD6BC48F7BB9FD
SHA256:	E92C5CF7509DD9792FAC8202FB08295DFC9E5F18663DB81BF07990DE1BC85893
SSDEEP:	98304:d+cD4dnQIRP3sBI6IauBPDZONh4DkLmDYfuXqGQoHbHL7WdaRCJ7HIf+UJfxlbqK:NA2NE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - UnifiedStub-installer.exe (PID: 5400)
  - rsEngineSvc.exe (PID: 6948)
- Changes the autorun value in the registry
  - rundll32.exe (PID: 2460)
SUSPICIOUS
- Executable content was dropped or overwritten
  - clipgrab-3.9.10-dotinstaller.exe (PID: 6492)
  - clipgrab-3.9.10-dotinstaller.exe (PID: 780)
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - clipgrab-3.9.10-portable.exe (PID: 6840)
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
  - vc_redist.x86.exe (PID: 4440)
  - vc_redist.x86.exe (PID: 4668)
  - prod0.exe (PID: 1920)
  - 2pzfvsa0.exe (PID: 6520)
  - UnifiedStub-installer.exe (PID: 5400)
- Reads the Windows owner or organization settings
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
- Reads security settings of Internet Explorer
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 6764)
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - prod0.exe (PID: 1920)
  - ShellExperienceHost.exe (PID: 4444)
  - UnifiedStub-installer.exe (PID: 5400)
  - rsWSC.exe (PID: 4544)
  - rsEngineSvc.exe (PID: 5720)
  - rsEDRSvc.exe (PID: 6200)
  - rsEngineSvc.exe (PID: 6948)
- Process drops legitimate windows executable
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
  - vc_redist.x86.exe (PID: 4440)
  - 2pzfvsa0.exe (PID: 6520)
  - UnifiedStub-installer.exe (PID: 5400)
- Process drops python dynamic module
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
- The process drops C-runtime libraries
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
  - UnifiedStub-installer.exe (PID: 5400)
- Starts a Microsoft application from unusual location
  - vc_redist.x86.exe (PID: 4440)
  - vc_redist.x86.exe (PID: 4668)
- Searches for installed software
  - vc_redist.x86.exe (PID: 4668)
  - UnifiedStub-installer.exe (PID: 5400)
- Reads the date of Windows installation
  - prod0.exe (PID: 1920)
  - rsEDRSvc.exe (PID: 5772)
  - rsEngineSvc.exe (PID: 6948)
- Creates a software uninstall entry
  - UnifiedStub-installer.exe (PID: 5400)
- Executes as Windows Service
  - rsSyncSvc.exe (PID: 6176)
  - rsWSC.exe (PID: 1568)
  - rsClientSvc.exe (PID: 6800)
  - rsEngineSvc.exe (PID: 6948)
  - rsEDRSvc.exe (PID: 5772)
  - WmiApSrv.exe (PID: 7580)
- Executes application which crashes
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
- Loads Python modules
  - python.exe (PID: 3208)
  - python.exe (PID: 6836)
  - python.exe (PID: 6056)
  - python.exe (PID: 1060)
  - python.exe (PID: 5712)
  - python.exe (PID: 5220)
  - python.exe (PID: 6996)
  - python.exe (PID: 4316)
  - python.exe (PID: 3684)
  - python.exe (PID: 1124)
  - python.exe (PID: 4060)
  - python.exe (PID: 5172)
  - python.exe (PID: 1636)
  - python.exe (PID: 4160)
  - python.exe (PID: 6908)
  - python.exe (PID: 300)
  - python.exe (PID: 4024)
  - python.exe (PID: 2572)
  - python.exe (PID: 6004)
  - python.exe (PID: 3184)
  - python.exe (PID: 1280)
  - python.exe (PID: 6320)
  - python.exe (PID: 508)
  - python.exe (PID: 2524)
  - python.exe (PID: 568)
- Drops 7-zip archiver for unpacking
  - UnifiedStub-installer.exe (PID: 5400)
- Drops a system driver (possible attempt to evade defenses)
  - UnifiedStub-installer.exe (PID: 5400)
- The process creates files with name similar to system file names
  - UnifiedStub-installer.exe (PID: 5400)
- Checks Windows Trust Settings
  - UnifiedStub-installer.exe (PID: 5400)
  - rsWSC.exe (PID: 4544)
  - rsEngineSvc.exe (PID: 5720)
  - rsWSC.exe (PID: 1568)
  - rsEDRSvc.exe (PID: 6200)
  - rsEDRSvc.exe (PID: 5772)
  - rsEngineSvc.exe (PID: 6948)
- Adds/modifies Windows certificates
  - UnifiedStub-installer.exe (PID: 5400)
  - rsWSC.exe (PID: 4544)
- Creates or modifies Windows services
  - UnifiedStub-installer.exe (PID: 5400)
  - rundll32.exe (PID: 2460)
- Creates files in the driver directory
  - UnifiedStub-installer.exe (PID: 5400)
- Uses RUNDLL32.EXE to load library
  - UnifiedStub-installer.exe (PID: 5400)
- Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
  - UnifiedStub-installer.exe (PID: 5400)
- Reads the BIOS version
  - rsEDRSvc.exe (PID: 5772)
  - rsEngineSvc.exe (PID: 6948)
- Dropped object may contain URLs of mainers pools
  - rsEngineSvc.exe (PID: 6948)
- Process checks is Powershell's Script Block Logging on
  - rsEDRSvc.exe (PID: 5772)
- Application launched itself
  - rsAppUI.exe (PID: 3352)
- The process checks if it is being run in the virtual environment
  - rsEngineSvc.exe (PID: 6948)
INFO
- Create files in a temporary directory
  - clipgrab-3.9.10-dotinstaller.exe (PID: 6492)
  - clipgrab-3.9.10-portable.exe (PID: 6840)
  - clipgrab-3.9.10-dotinstaller.exe (PID: 780)
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
  - vc_redist.x86.exe (PID: 4668)
  - prod0.exe (PID: 1920)
  - 2pzfvsa0.exe (PID: 6520)
  - UnifiedStub-installer.exe (PID: 5400)
  - rsAppUI.exe (PID: 3352)
- Checks supported languages
  - clipgrab-3.9.10-dotinstaller.exe (PID: 6492)
  - clipgrab-3.9.10-dotinstaller.exe (PID: 780)
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 6764)
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - clipgrab-3.9.10-portable.exe (PID: 6840)
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
  - vc_redist.x86.exe (PID: 4440)
  - vc_redist.x86.exe (PID: 4668)
  - prod0.exe (PID: 1920)
  - 2pzfvsa0.exe (PID: 6520)
  - UnifiedStub-installer.exe (PID: 5400)
  - ffmpeg.exe (PID: 2360)
  - rsSyncSvc.exe (PID: 6176)
  - clipgrab.exe (PID: 5644)
  - ffmpeg.exe (PID: 5172)
  - python.exe (PID: 3208)
  - rsSyncSvc.exe (PID: 6372)
  - python.exe (PID: 6056)
  - python.exe (PID: 6836)
  - python.exe (PID: 5220)
  - python.exe (PID: 1060)
  - python.exe (PID: 5712)
  - python.exe (PID: 4316)
  - python.exe (PID: 6996)
  - python.exe (PID: 1124)
  - python.exe (PID: 3684)
  - python.exe (PID: 4060)
  - python.exe (PID: 5172)
  - python.exe (PID: 1636)
  - QtWebEngineProcess.exe (PID: 5984)
  - python.exe (PID: 4160)
  - python.exe (PID: 6908)
  - python.exe (PID: 300)
  - python.exe (PID: 2572)
  - QtWebEngineProcess.exe (PID: 1748)
  - python.exe (PID: 6004)
  - python.exe (PID: 4024)
  - ShellExperienceHost.exe (PID: 4444)
  - QtWebEngineProcess.exe (PID: 2456)
  - python.exe (PID: 3184)
  - ffmpeg.exe (PID: 6016)
  - rsWSC.exe (PID: 4544)
  - rsWSC.exe (PID: 1568)
  - rsClientSvc.exe (PID: 1496)
  - rsEngineSvc.exe (PID: 5720)
  - rsClientSvc.exe (PID: 6800)
  - rsEngineSvc.exe (PID: 6948)
  - ffmpeg.exe (PID: 5772)
  - clipgrab.exe (PID: 608)
  - ffmpeg.exe (PID: 1780)
  - python.exe (PID: 1280)
  - python.exe (PID: 508)
  - python.exe (PID: 6320)
  - python.exe (PID: 568)
  - python.exe (PID: 2524)
  - rsHelper.exe (PID: 1752)
  - rsEDRSvc.exe (PID: 6200)
  - rsEDRSvc.exe (PID: 5772)
  - EPP.exe (PID: 1280)
  - rsAppUI.exe (PID: 3352)
  - rsAppUI.exe (PID: 3104)
  - rsAppUI.exe (PID: 6732)
  - rsAppUI.exe (PID: 7176)
  - rsAppUI.exe (PID: 7376)
  - rsLitmus.A.exe (PID: 7636)
  - QtWebEngineProcess.exe (PID: 892)
- Reads the computer name
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 6764)
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
  - vc_redist.x86.exe (PID: 4668)
  - prod0.exe (PID: 1920)
  - UnifiedStub-installer.exe (PID: 5400)
  - rsSyncSvc.exe (PID: 6176)
  - clipgrab.exe (PID: 5644)
  - rsSyncSvc.exe (PID: 6372)
  - ShellExperienceHost.exe (PID: 4444)
  - python.exe (PID: 4024)
  - python.exe (PID: 3184)
  - rsWSC.exe (PID: 4544)
  - rsWSC.exe (PID: 1568)
  - rsClientSvc.exe (PID: 6800)
  - rsClientSvc.exe (PID: 1496)
  - rsEngineSvc.exe (PID: 5720)
  - rsEngineSvc.exe (PID: 6948)
  - clipgrab.exe (PID: 608)
  - python.exe (PID: 6320)
  - rsHelper.exe (PID: 1752)
  - rsEDRSvc.exe (PID: 6200)
  - rsEDRSvc.exe (PID: 5772)
  - rsAppUI.exe (PID: 3352)
  - rsAppUI.exe (PID: 3104)
  - rsAppUI.exe (PID: 6732)
- Checks proxy server information
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - prod0.exe (PID: 1920)
  - UnifiedStub-installer.exe (PID: 5400)
  - WerFault.exe (PID: 3184)
  - WerFault.exe (PID: 1076)
  - python.exe (PID: 4024)
  - python.exe (PID: 3184)
  - rsWSC.exe (PID: 4544)
  - python.exe (PID: 6320)
  - rsAppUI.exe (PID: 3352)
  - slui.exe (PID: 4692)
- Reads the software policy settings
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - prod0.exe (PID: 1920)
  - UnifiedStub-installer.exe (PID: 5400)
  - WerFault.exe (PID: 3184)
  - WerFault.exe (PID: 1076)
  - clipgrab.exe (PID: 5644)
  - slui.exe (PID: 6868)
  - rsWSC.exe (PID: 4544)
  - rsEngineSvc.exe (PID: 5720)
  - clipgrab.exe (PID: 608)
  - rsEngineSvc.exe (PID: 6948)
  - rsWSC.exe (PID: 1568)
  - rsEDRSvc.exe (PID: 6200)
  - rsEDRSvc.exe (PID: 5772)
  - slui.exe (PID: 4692)
- Process checks computer location settings
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 6764)
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - prod0.exe (PID: 1920)
  - rsAppUI.exe (PID: 3352)
  - rsAppUI.exe (PID: 7176)
  - rsAppUI.exe (PID: 7376)
- Reads the machine GUID from the registry
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - prod0.exe (PID: 1920)
  - UnifiedStub-installer.exe (PID: 5400)
  - ffmpeg.exe (PID: 5172)
  - clipgrab.exe (PID: 5644)
  - ffmpeg.exe (PID: 2360)
  - python.exe (PID: 1060)
  - python.exe (PID: 3208)
  - python.exe (PID: 6836)
  - python.exe (PID: 6056)
  - python.exe (PID: 5712)
  - python.exe (PID: 5220)
  - python.exe (PID: 4316)
  - python.exe (PID: 6996)
  - python.exe (PID: 1124)
  - python.exe (PID: 4060)
  - python.exe (PID: 5172)
  - python.exe (PID: 1636)
  - python.exe (PID: 4160)
  - python.exe (PID: 6908)
  - python.exe (PID: 300)
  - python.exe (PID: 6004)
  - python.exe (PID: 4024)
  - python.exe (PID: 3184)
  - ffmpeg.exe (PID: 6016)
  - rsWSC.exe (PID: 4544)
  - rsWSC.exe (PID: 1568)
  - rsEngineSvc.exe (PID: 5720)
  - ffmpeg.exe (PID: 5772)
  - clipgrab.exe (PID: 608)
  - python.exe (PID: 1280)
  - ffmpeg.exe (PID: 1780)
  - rsEngineSvc.exe (PID: 6948)
  - python.exe (PID: 6320)
  - python.exe (PID: 508)
  - python.exe (PID: 568)
  - rsEDRSvc.exe (PID: 6200)
  - rsHelper.exe (PID: 1752)
  - rsEDRSvc.exe (PID: 5772)
  - rsAppUI.exe (PID: 3352)
- Creates files in the program directory
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
  - UnifiedStub-installer.exe (PID: 5400)
  - rsWSC.exe (PID: 4544)
  - rsEngineSvc.exe (PID: 5720)
  - rsEngineSvc.exe (PID: 6948)
  - rsEDRSvc.exe (PID: 6200)
  - rsEDRSvc.exe (PID: 5772)
- Creates a software uninstall entry
  - clipgrab-3.9.10-portable.tmp (PID: 5712)
- The process uses the downloaded file
  - clipgrab-3.9.10-dotinstaller.tmp (PID: 488)
  - prod0.exe (PID: 1920)
  - UnifiedStub-installer.exe (PID: 5400)
  - runonce.exe (PID: 6316)
  - rsWSC.exe (PID: 4544)
  - rsEngineSvc.exe (PID: 5720)
  - rsEDRSvc.exe (PID: 6200)
  - rsEngineSvc.exe (PID: 6948)
- Reads Environment values
  - prod0.exe (PID: 1920)
  - UnifiedStub-installer.exe (PID: 5400)
  - rsEngineSvc.exe (PID: 6948)
  - rsEDRSvc.exe (PID: 5772)
  - rsAppUI.exe (PID: 3352)
- Disables trace logs
  - prod0.exe (PID: 1920)
  - UnifiedStub-installer.exe (PID: 5400)
  - rsEngineSvc.exe (PID: 6948)
  - rsEDRSvc.exe (PID: 5772)
- Sends debugging messages
  - clipgrab.exe (PID: 5644)
  - ShellExperienceHost.exe (PID: 4444)
  - clipgrab.exe (PID: 608)
  - rsEngineSvc.exe (PID: 6948)
  - rsEDRSvc.exe (PID: 5772)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 3184)
  - clipgrab.exe (PID: 5644)
  - WerFault.exe (PID: 1076)
  - UnifiedStub-installer.exe (PID: 5400)
  - rsWSC.exe (PID: 4544)
  - rsAppUI.exe (PID: 3352)
  - rsAppUI.exe (PID: 6732)
  - rsEngineSvc.exe (PID: 6948)
- .NET Reactor protector has been detected
  - UnifiedStub-installer.exe (PID: 5400)
- Reads the time zone
  - runonce.exe (PID: 6316)
  - rsEDRSvc.exe (PID: 5772)
  - rsEngineSvc.exe (PID: 6948)
- Reads security settings of Internet Explorer
  - runonce.exe (PID: 6316)
- Manual execution by a user
  - clipgrab.exe (PID: 608)
- Reads product name
  - rsEDRSvc.exe (PID: 5772)
  - rsAppUI.exe (PID: 3352)
  - rsEngineSvc.exe (PID: 6948)
- Reads CPU info
  - rsEDRSvc.exe (PID: 5772)
  - rsEngineSvc.exe (PID: 6948)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:02:15 14:54:16+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741888
InitializedDataSize:	369152
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	3.9.10.0
ProductVersionNumber:	3.9.10.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	ClipGrab Installer
FileVersion:	3.9.10
LegalCopyright:	© ClipGrab
OriginalFileName:
ProductName:	ClipGrab
ProductVersion:	3.9.10

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

252

Monitored processes

113

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

300

"C:\Program Files (x86)\ClipGrab\python\python.exe" C:/Users/admin/AppData/Roaming/ClipGrab/ClipGrab/yt-dlp --version

C:\Program Files (x86)\ClipGrab\python\python.exe

—

clipgrab.exe

User:

admin

Company:

Python Software Foundation

Integrity Level:

HIGH

Description:

Python

Exit code:

Version:

3.8.9

Modules

Images
c:\program files (x86)\clipgrab\python\python.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

488

"C:\Users\admin\AppData\Local\Temp\is-JDLO7.tmp\clipgrab-3.9.10-dotinstaller.tmp" /SL5="$150050,1870827,1112064,C:\Users\admin\AppData\Local\Temp\clipgrab-3.9.10-dotinstaller.exe" /SPAWNWND=$604DA /NOTIFYWND=$E02E0

C:\Users\admin\AppData\Local\Temp\is-JDLO7.tmp\clipgrab-3.9.10-dotinstaller.tmp

clipgrab-3.9.10-dotinstaller.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

3221226525

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-jdlo7.tmp\clipgrab-3.9.10-dotinstaller.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

508

"C:\Program Files (x86)\ClipGrab\python\python.exe" C:/Users/admin/AppData/Roaming/ClipGrab/ClipGrab/yt-dlp --version

C:\Program Files (x86)\ClipGrab\python\python.exe

—

clipgrab.exe

User:

admin

Company:

Python Software Foundation

Integrity Level:

MEDIUM

Description:

Python

Exit code:

Version:

3.8.9

Modules

Images
c:\program files (x86)\clipgrab\python\python.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

568

"C:\Program Files (x86)\ClipGrab\python\python.exe" C:/Users/admin/AppData/Roaming/ClipGrab/ClipGrab/yt-dlp --version

C:\Program Files (x86)\ClipGrab\python\python.exe

—

clipgrab.exe

User:

admin

Company:

Python Software Foundation

Integrity Level:

MEDIUM

Description:

Python

Exit code:

Version:

3.8.9

Modules

Images
c:\program files (x86)\clipgrab\python\python.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

608

"C:\Program Files (x86)\ClipGrab\clipgrab.exe"

C:\Program Files (x86)\ClipGrab\clipgrab.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\program files (x86)\clipgrab\clipgrab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

780

"C:\Users\admin\AppData\Local\Temp\clipgrab-3.9.10-dotinstaller.exe" /SPAWNWND=$604DA /NOTIFYWND=$E02E0

C:\Users\admin\AppData\Local\Temp\clipgrab-3.9.10-dotinstaller.exe

clipgrab-3.9.10-dotinstaller.tmp

User:

admin

Company:

Integrity Level:

HIGH

Description:

ClipGrab Installer

Exit code:

3221226525

Version:

3.9.10

Modules

Images
c:\users\admin\appdata\local\temp\clipgrab-3.9.10-dotinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

892

"C:\Program Files (x86)\ClipGrab\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-databases --disable-gpu-compositing --service-pipe-token=7720244379084028290 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7720244379084028290 --renderer-client-id=2 --mojo-platform-channel-handle=2644 /prefetch:1

C:\Program Files (x86)\ClipGrab\QtWebEngineProcess.exe

—

clipgrab.exe

User:

admin

Company:

The Qt Company Ltd.

Integrity Level:

MEDIUM

Description:

Qt Qtwebengineprocess

Exit code:

Version:

5.12.6.0

Modules

Images
c:\program files (x86)\clipgrab\qtwebengineprocess.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

1060

"C:\Program Files (x86)\ClipGrab\python\python.exe" "" --version

C:\Program Files (x86)\ClipGrab\python\python.exe

—

clipgrab.exe

User:

admin

Company:

Python Software Foundation

Integrity Level:

HIGH

Description:

Python

Exit code:

Version:

3.8.9

Modules

Images
c:\program files (x86)\clipgrab\python\python.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

1076

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 488 -s 1008

C:\Windows\SysWOW64\WerFault.exe

clipgrab-3.9.10-dotinstaller.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

1124

"C:\Program Files (x86)\ClipGrab\python\python.exe" "" --version

C:\Program Files (x86)\ClipGrab\python\python.exe

—

clipgrab.exe

User:

admin

Company:

Python Software Foundation

Integrity Level:

HIGH

Description:

Python

Exit code:

Version:

3.8.9

Modules

Images
c:\program files (x86)\clipgrab\python\python.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll

Add for printing

Total events

72 504

Read events

72 199

Write events

230

Delete events

Modification events


(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Owner
Value: 50160000EFC8AD192105DB01
(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	SessionHash
Value: 85268E212C1DFB7F7A7E5129873732C0D64F645F89DD142DB7B1186525F0E713
(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	RegFiles0000
Value: C:\Users\admin\AppData\Local\Temp\is-PDHJ0.tmp\vc_redist.x86.exe
(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	RegFilesHash
Value: FB775D2F1566FF0A59A32BED54F41D2CD88CA64450A0B87607F01ED849BF3419
(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8A1033B0-EF33-4FB5-97A1-C47A7DCDD7E6}_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 6.0.5 (u)
(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8A1033B0-EF33-4FB5-97A1-C47A7DCDD7E6}_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files (x86)\ClipGrab
(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8A1033B0-EF33-4FB5-97A1-C47A7DCDD7E6}_is1
Operation:	write	Name:	InstallLocation
Value: C:\Program Files (x86)\ClipGrab\
(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8A1033B0-EF33-4FB5-97A1-C47A7DCDD7E6}_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: ClipGrab
(PID) Process:	(5712) clipgrab-3.9.10-portable.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8A1033B0-EF33-4FB5-97A1-C47A7DCDD7E6}_is1
Operation:	write	Name:	Inno Setup: User
Value: admin

Add for printing

Executable files

649

Suspicious files

177

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
488	clipgrab-3.9.10-dotinstaller.tmp	C:\Users\admin\AppData\Local\Temp\is-9BN5U.tmp\is-JECM5.tmp		—
		MD5:—	SHA256:—
488	clipgrab-3.9.10-dotinstaller.tmp	C:\Users\admin\AppData\Local\Temp\is-9BN5U.tmp\clipgrab-3.9.10-portable.exe		—
		MD5:—	SHA256:—
488	clipgrab-3.9.10-dotinstaller.tmp	C:\Users\admin\AppData\Local\Temp\is-9BN5U.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
780	clipgrab-3.9.10-dotinstaller.exe	C:\Users\admin\AppData\Local\Temp\is-JDLO7.tmp\clipgrab-3.9.10-dotinstaller.tmp		executable
		MD5:DFB84F0B32159220A4A1465628B5A751	SHA256:527B0D6950701702B71588D925210BFA0ABD545D64F4522771A0F6C57D90DBFE
6492	clipgrab-3.9.10-dotinstaller.exe	C:\Users\admin\AppData\Local\Temp\is-309GH.tmp\clipgrab-3.9.10-dotinstaller.tmp		executable
		MD5:DFB84F0B32159220A4A1465628B5A751	SHA256:527B0D6950701702B71588D925210BFA0ABD545D64F4522771A0F6C57D90DBFE
488	clipgrab-3.9.10-dotinstaller.tmp	C:\Users\admin\AppData\Local\Temp\is-9BN5U.tmp\is-1TBJE.tmp		image
		MD5:CD09F361286D1AD2622BA8A57B7613BD	SHA256:B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
488	clipgrab-3.9.10-dotinstaller.tmp	C:\Users\admin\AppData\Local\Temp\is-9BN5U.tmp\zbShieldUtils.dll		executable
		MD5:B83F5833E96C2EB13F14DCCA805D51A1	SHA256:00E667B838A4125C8CF847936168BB77BB54580BC05669330CB32C0377C4A401
488	clipgrab-3.9.10-dotinstaller.tmp	C:\Users\admin\AppData\Local\Temp\is-9BN5U.tmp\loader.gif		image
		MD5:F23A523B82AD9103A9AC1DCC33ECA72F	SHA256:59853C413B0813DED6F1E557959768D6662F010F49884D36B62C13038FAC739C
488	clipgrab-3.9.10-dotinstaller.tmp	C:\Users\admin\AppData\Local\Temp\is-9BN5U.tmp\finish.png		image
		MD5:251D2D4FE20ED5D109C1164B4E296634	SHA256:3F01866E78099BADDAB8CB9E0606664880BD459296760B63F0F98C4F6909FE00
488	clipgrab-3.9.10-dotinstaller.tmp	C:\Users\admin\AppData\Local\Temp\is-9BN5U.tmp\prod0		executable
		MD5:57A6D0F40EBA38813FB7211949E35F45	SHA256:43ECD4597B2DFE169F3696C72E6AC5665391FD44B21D9B4222A72030427E09D4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

121

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5772	rsEDRSvc.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D	unknown	—	—	whitelisted
6320	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5772	rsEDRSvc.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRBq81UG1MnDOVNKqff0SSEz6JuZwQU6IPEM9fcnwycdpoKptTfh6ZeWO4CEzMAAWTujc16eayoCZIAAAABZO4%3D	unknown	—	—	whitelisted
3708	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3784	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3784	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3184	WerFault.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5400	UnifiedStub-installer.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D	unknown	—	—	whitelisted
5400	UnifiedStub-installer.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRBq81UG1MnDOVNKqff0SSEz6JuZwQU6IPEM9fcnwycdpoKptTfh6ZeWO4CEzMAAWTujc16eayoCZIAAAABZO4%3D	unknown	—	—	whitelisted
5400	UnifiedStub-installer.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTOQYLFSE5GO%2FpaRVfYu7d9gZEbQAQU2UEpsA8PY2zvadf1zSmepEhqMOYCEzMAAAAHN4xbodlbjNQAAAAAAAc%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
1148	RUXIMICS.exe	52.167.17.97:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2120	MoUsoCoreWorker.exe	52.167.17.97:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6320	svchost.exe	52.167.17.97:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6320	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6320	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
488	clipgrab-3.9.10-dotinstaller.tmp	65.9.94.230:443	d1g2dvgwts5bro.cloudfront.net	AMAZON-02	US	whitelisted
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3708	svchost.exe	20.190.160.22:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
google.com	172.217.16.206	whitelisted
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
d1g2dvgwts5bro.cloudfront.net	65.9.94.230 65.9.94.228 65.9.94.143 65.9.94.73	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
login.live.com	20.190.160.22 40.126.32.134 40.126.32.136 40.126.32.68 40.126.32.72 40.126.32.133 40.126.32.74 20.190.160.17 40.126.32.138 40.126.32.140	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
shield.reasonsecurity.com	65.9.95.85 65.9.95.119 65.9.95.89 65.9.95.77	unknown

Threats

No threats detected

Add for printing

Process	Message
clipgrab.exe	QObject::connect: signal not found in QTreeView
clipgrab.exe	"C:\\Program Files (x86)\\ClipGrab\\python\\python.exe: can't find '__main__' module in ''\r\n"
clipgrab.exe	Could not reach update server.
clipgrab.exe	"WARNING: [youtube:tab] Incomplete data received. Retrying (1/3)...\nWARNING: [youtube:tab] Incomplete data received. Retrying (2/3)...\nWARNING: [youtube:tab] Incomplete data received. Retrying (3/3)...\nWARNING: [youtube:tab] Incomplete data received. Giving up after 3 retries\n"
clipgrab.exe	""
clipgrab.exe	Discovered video: "Coffee Run - Blender Open Movie"
clipgrab.exe	QObject::connect: signal not found in QTreeView
rsEngineSvc.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll"...
clipgrab.exe	Could not reach update server.
clipgrab.exe	Found youtube-dlp "2024.08.06\r"

General Info

clipgrab-3.9.10-dotinstaller.exe

D5351A9AFA0356B886F609FF7F53603D

7368DE3DB110E4398BE3EDD3AFDD6BC48F7BB9FD

E92C5CF7509DD9792FAC8202FB08295DFC9E5F18663DB81BF07990DE1BC85893

98304:d+cD4dnQIRP3sBI6IauBPDZONh4DkLmDYfuXqGQoHbHL7WdaRCJ7HIf+UJfxlbqK:NA2NE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Process drops python dynamic module

The process drops C-runtime libraries

Starts a Microsoft application from unusual location

Searches for installed software

Reads the date of Windows installation

Creates a software uninstall entry

Executes as Windows Service

Executes application which crashes

Loads Python modules

Drops 7-zip archiver for unpacking

Drops a system driver (possible attempt to evade defenses)

The process creates files with name similar to system file names

Checks Windows Trust Settings

Adds/modifies Windows certificates

Creates or modifies Windows services

Creates files in the driver directory

Uses RUNDLL32.EXE to load library

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Reads the BIOS version

Dropped object may contain URLs of mainers pools

Process checks is Powershell's Script Block Logging on

Application launched itself

The process checks if it is being run in the virtual environment

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the software policy settings

Process checks computer location settings

Reads the machine GUID from the registry

Creates files in the program directory

Creates a software uninstall entry

The process uses the downloaded file

Reads Environment values

Disables trace logs

Sends debugging messages

Creates files or folders in the user directory

.NET Reactor protector has been detected

Reads the time zone

Reads security settings of Internet Explorer

Manual execution by a user

Reads product name

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information