f980e92af3341650819ca6c985294ebe0aa78d38bdfe249536d7ec7f2efc6ecf

Analysis

max time kernel
83s
max time network
87s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-01-2023 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clipgrab-3.9.7-dotinstaller.exe
Size

2.8MB
MD5

0f29445baa824f6729cbda3d90b15cec
SHA1

572195b4193529d842653e678eeec7dc3544ee2f
SHA256

f980e92af3341650819ca6c985294ebe0aa78d38bdfe249536d7ec7f2efc6ecf
SHA512

a05bb0cb18d3c7e0ce5795397beeaee90078c272afccf5211d911eae4bc39078bed7da22c528e77ed4daea1c1b4e736c2f361cdb6e525e4132ba4793e433cc81
SSDEEP

49152:9qe3f6PUk/4g+H98AHaCfu6rtWBu1SSmqOIzDamifOL9T9vEXv:MSiPUk/XE9vBugtL1SNaRLh9vEXv

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1252	clipgrab-3.9.7-dotinstaller.tmp
108	clipgrab-3.9.7-portable.exe
1532	clipgrab-3.9.7-portable.tmp
1620	vc_redist.x86.exe
960	vc_redist.x86.exe

Loads dropped DLL 11 IoCs

pid	Process
1732	clipgrab-3.9.7-dotinstaller.exe
1252	clipgrab-3.9.7-dotinstaller.tmp
1252	clipgrab-3.9.7-dotinstaller.tmp
1252	clipgrab-3.9.7-dotinstaller.tmp
108	clipgrab-3.9.7-portable.exe
1532	clipgrab-3.9.7-portable.tmp
1532	clipgrab-3.9.7-portable.tmp
1532	clipgrab-3.9.7-portable.tmp
1532	clipgrab-3.9.7-portable.tmp
1620	vc_redist.x86.exe
960	vc_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5QuickWidgets.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\QtWebEngineProcess.exe	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Quick.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-VHJQN.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-KCV7F.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-ARG70.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\bearer\qgenericbearer.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\python\pythonw.exe	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\clipgrab.exe	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-7SJ3G.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-CCD5U.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-SL9F6.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Core.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5PrintSupport.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\python\libssl-1_1.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-LTH40.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-OGMEF.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\imageformats\is-4109L.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Svg.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-M8IJ1.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-0I0CV.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-LFMP6.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\translations\qtwebengine_locales\is-PT4CU.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\unins000.dat	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-N8SUP.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-E6OB5.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\imageformats\qwbmp.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-J5SN4.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\bearer\is-CRIBO.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\imageformats\qwebp.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\imageformats\qgif.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-6RCOC.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\imageformats\is-0RRCR.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\libEGL.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\resources\is-8AQIH.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\python\libcrypto-1_1.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-HPTAI.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\platforms\is-AUR6S.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-LAIV8.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-18HJU.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\platforms\qwindows.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Qml.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-FUFAQ.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\imageformats\is-46OP9.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-RM374.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-VMV0T.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\libcrypto-1_1.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-TMBF2.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\position\is-5P0HC.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-5I7E2.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-CPTOD.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-L2KOG.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-UJJ4S.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-VJHQ3.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Xml.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5WebChannel.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-1001U.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\imageformats\qsvg.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\iconengines\is-8L1AC.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\imageformats\is-75ITP.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-NV8J6.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\position\qtposition_positionpoll.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\position\qtposition_winrt.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-03PQP.tmp	clipgrab-3.9.7-portable.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	clipgrab-3.9.7-dotinstaller.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	clipgrab-3.9.7-dotinstaller.tmp

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	clipgrab-3.9.7-dotinstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	clipgrab-3.9.7-dotinstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	clipgrab-3.9.7-dotinstaller.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	clipgrab-3.9.7-portable.tmp
1532	clipgrab-3.9.7-portable.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1252	clipgrab-3.9.7-dotinstaller.tmp
1532	clipgrab-3.9.7-portable.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1252	clipgrab-3.9.7-dotinstaller.tmp

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1252	1732	clipgrab-3.9.7-dotinstaller.exe	27
PID 1732 wrote to memory of 1252	1732	clipgrab-3.9.7-dotinstaller.exe	27
PID 1732 wrote to memory of 1252	1732	clipgrab-3.9.7-dotinstaller.exe	27
PID 1732 wrote to memory of 1252	1732	clipgrab-3.9.7-dotinstaller.exe	27
PID 1732 wrote to memory of 1252	1732	clipgrab-3.9.7-dotinstaller.exe	27
PID 1732 wrote to memory of 1252	1732	clipgrab-3.9.7-dotinstaller.exe	27
PID 1732 wrote to memory of 1252	1732	clipgrab-3.9.7-dotinstaller.exe	27
PID 1252 wrote to memory of 108	1252	clipgrab-3.9.7-dotinstaller.tmp	28
PID 1252 wrote to memory of 108	1252	clipgrab-3.9.7-dotinstaller.tmp	28
PID 1252 wrote to memory of 108	1252	clipgrab-3.9.7-dotinstaller.tmp	28
PID 1252 wrote to memory of 108	1252	clipgrab-3.9.7-dotinstaller.tmp	28
PID 1252 wrote to memory of 108	1252	clipgrab-3.9.7-dotinstaller.tmp	28
PID 1252 wrote to memory of 108	1252	clipgrab-3.9.7-dotinstaller.tmp	28
PID 1252 wrote to memory of 108	1252	clipgrab-3.9.7-dotinstaller.tmp	28
PID 108 wrote to memory of 1532	108	clipgrab-3.9.7-portable.exe	29
PID 108 wrote to memory of 1532	108	clipgrab-3.9.7-portable.exe	29
PID 108 wrote to memory of 1532	108	clipgrab-3.9.7-portable.exe	29
PID 108 wrote to memory of 1532	108	clipgrab-3.9.7-portable.exe	29
PID 108 wrote to memory of 1532	108	clipgrab-3.9.7-portable.exe	29
PID 108 wrote to memory of 1532	108	clipgrab-3.9.7-portable.exe	29
PID 108 wrote to memory of 1532	108	clipgrab-3.9.7-portable.exe	29
PID 1532 wrote to memory of 1620	1532	clipgrab-3.9.7-portable.tmp	31
PID 1532 wrote to memory of 1620	1532	clipgrab-3.9.7-portable.tmp	31
PID 1532 wrote to memory of 1620	1532	clipgrab-3.9.7-portable.tmp	31
PID 1532 wrote to memory of 1620	1532	clipgrab-3.9.7-portable.tmp	31
PID 1532 wrote to memory of 1620	1532	clipgrab-3.9.7-portable.tmp	31
PID 1532 wrote to memory of 1620	1532	clipgrab-3.9.7-portable.tmp	31
PID 1532 wrote to memory of 1620	1532	clipgrab-3.9.7-portable.tmp	31
PID 1620 wrote to memory of 960	1620	vc_redist.x86.exe	32
PID 1620 wrote to memory of 960	1620	vc_redist.x86.exe	32
PID 1620 wrote to memory of 960	1620	vc_redist.x86.exe	32
PID 1620 wrote to memory of 960	1620	vc_redist.x86.exe	32
PID 1620 wrote to memory of 960	1620	vc_redist.x86.exe	32
PID 1620 wrote to memory of 960	1620	vc_redist.x86.exe	32
PID 1620 wrote to memory of 960	1620	vc_redist.x86.exe	32

C:\Users\Admin\AppData\Local\Temp\clipgrab-3.9.7-dotinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\clipgrab-3.9.7-dotinstaller.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\is-MTF9T.tmp\clipgrab-3.9.7-dotinstaller.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MTF9T.tmp\clipgrab-3.9.7-dotinstaller.tmp" /SL5="$A011C,1907617,1111552,C:\Users\Admin\AppData\Local\Temp\clipgrab-3.9.7-dotinstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\is-E0Q7A.tmp\clipgrab-3.9.7-portable.exe
    "C:\Users\Admin\AppData\Local\Temp\is-E0Q7A.tmp\clipgrab-3.9.7-portable.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Users\Admin\AppData\Local\Temp\is-G7N7E.tmp\clipgrab-3.9.7-portable.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-G7N7E.tmp\clipgrab-3.9.7-portable.tmp" /SL5="$101AA,72952445,791040,C:\Users\Admin\AppData\Local\Temp\is-E0Q7A.tmp\clipgrab-3.9.7-portable.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\is-56A1R.tmp\vc_redist.x86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-56A1R.tmp\vc_redist.x86.exe" /install /passive /silent /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\Temp\{46F89460-7F93-4FF5-98D5-58452FCDF2FD}\.cr\vc_redist.x86.exe
        
        "C:\Windows\Temp\{46F89460-7F93-4FF5-98D5-58452FCDF2FD}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-56A1R.tmp\vc_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /passive /silent /norestart
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-56A1R.tmp\vc_redist.x86.exe

Filesize
14.0MB

MD5
310f8aadd8055f8b8eba1a6528be7d10

SHA1
3ee9622151e4b50837fcdfac1b085430f0181f4e

SHA256
54ad46ae80984aa48cae6361213692c96b3639e322730d28c7fb93b183c761da

SHA512
2872a30939f7ee20b494806574cf5b8b5a0976f8fe69bdbd77dde2483ce2a9e5458ff3636147e49a449e941a44ca2d79239e3da62fddb69fc5bced8ee1004ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-56A1R.tmp\vc_redist.x86.exe

Filesize
14.0MB

MD5
310f8aadd8055f8b8eba1a6528be7d10

SHA1
3ee9622151e4b50837fcdfac1b085430f0181f4e

SHA256
54ad46ae80984aa48cae6361213692c96b3639e322730d28c7fb93b183c761da

SHA512
2872a30939f7ee20b494806574cf5b8b5a0976f8fe69bdbd77dde2483ce2a9e5458ff3636147e49a449e941a44ca2d79239e3da62fddb69fc5bced8ee1004ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E0Q7A.tmp\clipgrab-3.9.7-portable.exe

Filesize
70.3MB

MD5
962d6f9e7331b8f3eb2fa4acb15f5f61

SHA1
2e1a7e9ec7159e564814a599657d42dc01ef9858

SHA256
0ae8656f4c65673d75544cff54721cbfc586edd6e8b4b2a2070930684920411e

SHA512
f8721fc68703d6a6ab9188bce1d64774447f02f378dd4b4d267f7fb4b01d42c4520feede2855ab426d92dfc538a1d272d7a88e65871015a95654c3d8f321d3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E0Q7A.tmp\clipgrab-3.9.7-portable.exe

Filesize
70.3MB

MD5
962d6f9e7331b8f3eb2fa4acb15f5f61

SHA1
2e1a7e9ec7159e564814a599657d42dc01ef9858

SHA256
0ae8656f4c65673d75544cff54721cbfc586edd6e8b4b2a2070930684920411e

SHA512
f8721fc68703d6a6ab9188bce1d64774447f02f378dd4b4d267f7fb4b01d42c4520feede2855ab426d92dfc538a1d272d7a88e65871015a95654c3d8f321d3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G7N7E.tmp\clipgrab-3.9.7-portable.tmp

Filesize
2.5MB

MD5
ae7b203e80eaa5afb50768049bb3de50

SHA1
cc0b5d64c2af21a3b24e167352df8ae93acd30d3

SHA256
ffe5d85efc5b75b4c99b07f5819d1fb3b9b1b42e67c903ef86f013bdedad7112

SHA512
a94cc199a4fa8a67496169de972bef84dd0e411502c5f74438ec0e7d18626ef3278d9c3aae1b0d025776849dbed5ec8e06d714b4bd48a43e48e2a167f7d52748

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G7N7E.tmp\clipgrab-3.9.7-portable.tmp

Filesize
2.5MB

MD5
ae7b203e80eaa5afb50768049bb3de50

SHA1
cc0b5d64c2af21a3b24e167352df8ae93acd30d3

SHA256
ffe5d85efc5b75b4c99b07f5819d1fb3b9b1b42e67c903ef86f013bdedad7112

SHA512
a94cc199a4fa8a67496169de972bef84dd0e411502c5f74438ec0e7d18626ef3278d9c3aae1b0d025776849dbed5ec8e06d714b4bd48a43e48e2a167f7d52748

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MTF9T.tmp\clipgrab-3.9.7-dotinstaller.tmp

Filesize
3.2MB

MD5
aadc16c8ad4312196df3aa1d9f6386d3

SHA1
ff4d78923e0d957e6a66b3c06efecc435c396c7a

SHA256
04fade43204ecbbb378114a023b3db4a3aebe8258ff3b3846156e80a9c5cf4a3

SHA512
51621ec71d530d75e4a537381edf03bc48b234dd861547c950573febf5709a1716ee797368854512edf1950a4e1f4f8bbe292417a0dd238600338a39e2454e04

Download Submit
C:\Windows\Temp\{46F89460-7F93-4FF5-98D5-58452FCDF2FD}\.cr\vc_redist.x86.exe

Filesize
881KB

MD5
9df0848b2753e9255f1a6b4cdc9a5a3e

SHA1
051469cd9e786b720ef6b70c35a1e184a643f520

SHA256
59089badd61acb47a07748c9018d3a959cf58f07de9902b0c45dffae3e566090

SHA512
518a78e77515b2fb21c5f66a760473a1f8ab5050e9bc65a4715ab178e568079f11f65fc173db59dd021b69fe0b606c42e50bf5f09a34ba2009a7b71e88033452

Download Submit
C:\Windows\Temp\{46F89460-7F93-4FF5-98D5-58452FCDF2FD}\.cr\vc_redist.x86.exe

Filesize
881KB

MD5
9df0848b2753e9255f1a6b4cdc9a5a3e

SHA1
051469cd9e786b720ef6b70c35a1e184a643f520

SHA256
59089badd61acb47a07748c9018d3a959cf58f07de9902b0c45dffae3e566090

SHA512
518a78e77515b2fb21c5f66a760473a1f8ab5050e9bc65a4715ab178e568079f11f65fc173db59dd021b69fe0b606c42e50bf5f09a34ba2009a7b71e88033452

Download Submit
\Program Files (x86)\ClipGrab\clipgrab.exe

Filesize
1.1MB

MD5
57cdd2bc92aee7d3d213561188e565d4

SHA1
fb34ba0178b5764b6ccc9d228796196ee172980e

SHA256
10770da581cc85d55a286d42a0428accafe6c7910bc640cc4264da7fb26dafa4

SHA512
ac00f5021cbc34b7ca160364cdde0a404353d8fc9e6a46866884268880c7b753e91741c48b413d6f7a5ff28a4e3d98bd7485550b46009a7c5b42dd0a877f3856

Download Submit
\Program Files (x86)\ClipGrab\clipgrab.exe

Filesize
1.1MB

MD5
57cdd2bc92aee7d3d213561188e565d4

SHA1
fb34ba0178b5764b6ccc9d228796196ee172980e

SHA256
10770da581cc85d55a286d42a0428accafe6c7910bc640cc4264da7fb26dafa4

SHA512
ac00f5021cbc34b7ca160364cdde0a404353d8fc9e6a46866884268880c7b753e91741c48b413d6f7a5ff28a4e3d98bd7485550b46009a7c5b42dd0a877f3856

Download Submit
\Program Files (x86)\ClipGrab\unins000.exe

Filesize
2.5MB

MD5
713651dc6a72f22021036563f4bfb3b9

SHA1
a09bead30eaa159688bef41f86b5843e61b65f28

SHA256
69605ea2bb1301ab9dc8b17523a013de325d02f5b35d47ab6cc0fb9a3855ca07

SHA512
c66749b235273cb6872a7938ae55c4aaa809297aaa0e4c063b542690b4485e6f20fe5ac2da92068a926ec3beace10361c6868815e9fe0ac33fcfbf3b2138dc91

Download Submit
\Users\Admin\AppData\Local\Temp\is-56A1R.tmp\vc_redist.x86.exe

Filesize
14.0MB

MD5
310f8aadd8055f8b8eba1a6528be7d10

SHA1
3ee9622151e4b50837fcdfac1b085430f0181f4e

SHA256
54ad46ae80984aa48cae6361213692c96b3639e322730d28c7fb93b183c761da

SHA512
2872a30939f7ee20b494806574cf5b8b5a0976f8fe69bdbd77dde2483ce2a9e5458ff3636147e49a449e941a44ca2d79239e3da62fddb69fc5bced8ee1004ee5

Download Submit
\Users\Admin\AppData\Local\Temp\is-E0Q7A.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-E0Q7A.tmp\clipgrab-3.9.7-portable.exe

Filesize
70.3MB

MD5
962d6f9e7331b8f3eb2fa4acb15f5f61

SHA1
2e1a7e9ec7159e564814a599657d42dc01ef9858

SHA256
0ae8656f4c65673d75544cff54721cbfc586edd6e8b4b2a2070930684920411e

SHA512
f8721fc68703d6a6ab9188bce1d64774447f02f378dd4b4d267f7fb4b01d42c4520feede2855ab426d92dfc538a1d272d7a88e65871015a95654c3d8f321d3be

Download Submit
\Users\Admin\AppData\Local\Temp\is-E0Q7A.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
\Users\Admin\AppData\Local\Temp\is-G7N7E.tmp\clipgrab-3.9.7-portable.tmp

Filesize
2.5MB

MD5
ae7b203e80eaa5afb50768049bb3de50

SHA1
cc0b5d64c2af21a3b24e167352df8ae93acd30d3

SHA256
ffe5d85efc5b75b4c99b07f5819d1fb3b9b1b42e67c903ef86f013bdedad7112

SHA512
a94cc199a4fa8a67496169de972bef84dd0e411502c5f74438ec0e7d18626ef3278d9c3aae1b0d025776849dbed5ec8e06d714b4bd48a43e48e2a167f7d52748

Download Submit
\Users\Admin\AppData\Local\Temp\is-MTF9T.tmp\clipgrab-3.9.7-dotinstaller.tmp

Filesize
3.2MB

MD5
aadc16c8ad4312196df3aa1d9f6386d3

SHA1
ff4d78923e0d957e6a66b3c06efecc435c396c7a

SHA256
04fade43204ecbbb378114a023b3db4a3aebe8258ff3b3846156e80a9c5cf4a3

SHA512
51621ec71d530d75e4a537381edf03bc48b234dd861547c950573febf5709a1716ee797368854512edf1950a4e1f4f8bbe292417a0dd238600338a39e2454e04

Download Submit
\Windows\Temp\{3D895A1C-6320-47B4-A79E-D8FF290B1C27}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\Windows\Temp\{46F89460-7F93-4FF5-98D5-58452FCDF2FD}\.cr\vc_redist.x86.exe

Filesize
881KB

MD5
9df0848b2753e9255f1a6b4cdc9a5a3e

SHA1
051469cd9e786b720ef6b70c35a1e184a643f520

SHA256
59089badd61acb47a07748c9018d3a959cf58f07de9902b0c45dffae3e566090

SHA512
518a78e77515b2fb21c5f66a760473a1f8ab5050e9bc65a4715ab178e568079f11f65fc173db59dd021b69fe0b606c42e50bf5f09a34ba2009a7b71e88033452

Download Submit
memory/108-77-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/108-70-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/108-88-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/108-96-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1252-65-0x00000000744F1000-0x00000000744F3000-memory.dmp

Filesize
8KB

Download
memory/1732-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1732-61-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1732-55-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1732-97-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download