f0373b3cbc73dc7e196bdd0d823722f899e9a2e2671106c34a0bc90276122b3a

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-12-2023 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

entry_1_0/clipgrab-3.9.7-dotinstaller.exe
Size

2.8MB
MD5

0f29445baa824f6729cbda3d90b15cec
SHA1

572195b4193529d842653e678eeec7dc3544ee2f
SHA256

f980e92af3341650819ca6c985294ebe0aa78d38bdfe249536d7ec7f2efc6ecf
SHA512

a05bb0cb18d3c7e0ce5795397beeaee90078c272afccf5211d911eae4bc39078bed7da22c528e77ed4daea1c1b4e736c2f361cdb6e525e4132ba4793e433cc81
SSDEEP

49152:9qe3f6PUk/4g+H98AHaCfu6rtWBu1SSmqOIzDamifOL9T9vEXv:MSiPUk/XE9vBugtL1SNaRLh9vEXv

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2412	clipgrab-3.9.7-dotinstaller.tmp
2340	clipgrab-3.9.7-portable.exe
692	clipgrab-3.9.7-portable.tmp
2964	vc_redist.x86.exe
2832	vc_redist.x86.exe

Loads dropped DLL 11 IoCs

pid	Process
780	clipgrab-3.9.7-dotinstaller.exe
2412	clipgrab-3.9.7-dotinstaller.tmp
2412	clipgrab-3.9.7-dotinstaller.tmp
2412	clipgrab-3.9.7-dotinstaller.tmp
2340	clipgrab-3.9.7-portable.exe
692	clipgrab-3.9.7-portable.tmp
692	clipgrab-3.9.7-portable.tmp
692	clipgrab-3.9.7-portable.tmp
692	clipgrab-3.9.7-portable.tmp
2964	vc_redist.x86.exe
2832	vc_redist.x86.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	clipgrab-3.9.7-dotinstaller.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	clipgrab-3.9.7-dotinstaller.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\AVG\AV\Dir	clipgrab-3.9.7-dotinstaller.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	clipgrab-3.9.7-dotinstaller.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	clipgrab-3.9.7-dotinstaller.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\AVAST Software\Avast	clipgrab-3.9.7-dotinstaller.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ClipGrab\imageformats\is-HNRP9.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\imageformats\is-C2E0R.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-06UDS.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-KJ6RH.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5PrintSupport.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\imageformats\is-9R2MM.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-E98D2.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-CEVCP.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\python\libcrypto-1_1.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-5FGER.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\bearer\is-7SQUU.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\resources\is-IJP16.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-3JHD7.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\bearer\qgenericbearer.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-C0N4Q.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\position\qtposition_serialnmea.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-CMGCK.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\imageformats\is-15490.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\libEGL.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\position\qtposition_positionpoll.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\imageformats\qico.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\position\is-LNKSA.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-UDGMO.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-L3IQO.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-GV4TA.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-P4JOA.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-6K2FH.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\resources\is-5F45T.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-2Q5EG.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-QVBCO.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5WebChannel.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\imageformats\qwebp.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Positioning.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-3R5AK.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-0NLT6.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-H51M6.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Core.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-T3L47.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Svg.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Qml.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-53A3Q.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\python\vcruntime140.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\libcrypto-1_1.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\platforms\qwindows.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-84LNH.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-NO9O3.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-8HUP0.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\D3Dcompiler_47.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\imageformats\qjpeg.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-0D90B.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-8GOBA.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\iconengines\qsvgicon.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-EP81H.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\python\python3.dll	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5SerialPort.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-4GU9G.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\libssl-1_1.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\python\is-VSSPT.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5WebEngineWidgets.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\iconengines\is-AAC9C.tmp	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\imageformats\is-867H4.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\Qt5Xml.dll	clipgrab-3.9.7-portable.tmp
File created	C:\Program Files (x86)\ClipGrab\is-Q3UNL.tmp	clipgrab-3.9.7-portable.tmp
File opened for modification	C:\Program Files (x86)\ClipGrab\position\qtposition_winrt.dll	clipgrab-3.9.7-portable.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	clipgrab-3.9.7-dotinstaller.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	clipgrab-3.9.7-dotinstaller.tmp

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	clipgrab-3.9.7-dotinstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	clipgrab-3.9.7-dotinstaller.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	clipgrab-3.9.7-dotinstaller.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2412	clipgrab-3.9.7-dotinstaller.tmp
2412	clipgrab-3.9.7-dotinstaller.tmp
2412	clipgrab-3.9.7-dotinstaller.tmp
2412	clipgrab-3.9.7-dotinstaller.tmp
2412	clipgrab-3.9.7-dotinstaller.tmp
2412	clipgrab-3.9.7-dotinstaller.tmp
2412	clipgrab-3.9.7-dotinstaller.tmp
692	clipgrab-3.9.7-portable.tmp
692	clipgrab-3.9.7-portable.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2412	clipgrab-3.9.7-dotinstaller.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2412	clipgrab-3.9.7-dotinstaller.tmp
692	clipgrab-3.9.7-portable.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2412	clipgrab-3.9.7-dotinstaller.tmp

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2412	780	clipgrab-3.9.7-dotinstaller.exe	28
PID 780 wrote to memory of 2412	780	clipgrab-3.9.7-dotinstaller.exe	28
PID 780 wrote to memory of 2412	780	clipgrab-3.9.7-dotinstaller.exe	28
PID 780 wrote to memory of 2412	780	clipgrab-3.9.7-dotinstaller.exe	28
PID 780 wrote to memory of 2412	780	clipgrab-3.9.7-dotinstaller.exe	28
PID 780 wrote to memory of 2412	780	clipgrab-3.9.7-dotinstaller.exe	28
PID 780 wrote to memory of 2412	780	clipgrab-3.9.7-dotinstaller.exe	28
PID 2412 wrote to memory of 2340	2412	clipgrab-3.9.7-dotinstaller.tmp	29
PID 2412 wrote to memory of 2340	2412	clipgrab-3.9.7-dotinstaller.tmp	29
PID 2412 wrote to memory of 2340	2412	clipgrab-3.9.7-dotinstaller.tmp	29
PID 2412 wrote to memory of 2340	2412	clipgrab-3.9.7-dotinstaller.tmp	29
PID 2412 wrote to memory of 2340	2412	clipgrab-3.9.7-dotinstaller.tmp	29
PID 2412 wrote to memory of 2340	2412	clipgrab-3.9.7-dotinstaller.tmp	29
PID 2412 wrote to memory of 2340	2412	clipgrab-3.9.7-dotinstaller.tmp	29
PID 2340 wrote to memory of 692	2340	clipgrab-3.9.7-portable.exe	30
PID 2340 wrote to memory of 692	2340	clipgrab-3.9.7-portable.exe	30
PID 2340 wrote to memory of 692	2340	clipgrab-3.9.7-portable.exe	30
PID 2340 wrote to memory of 692	2340	clipgrab-3.9.7-portable.exe	30
PID 2340 wrote to memory of 692	2340	clipgrab-3.9.7-portable.exe	30
PID 2340 wrote to memory of 692	2340	clipgrab-3.9.7-portable.exe	30
PID 2340 wrote to memory of 692	2340	clipgrab-3.9.7-portable.exe	30
PID 692 wrote to memory of 2964	692	clipgrab-3.9.7-portable.tmp	32
PID 692 wrote to memory of 2964	692	clipgrab-3.9.7-portable.tmp	32
PID 692 wrote to memory of 2964	692	clipgrab-3.9.7-portable.tmp	32
PID 692 wrote to memory of 2964	692	clipgrab-3.9.7-portable.tmp	32
PID 692 wrote to memory of 2964	692	clipgrab-3.9.7-portable.tmp	32
PID 692 wrote to memory of 2964	692	clipgrab-3.9.7-portable.tmp	32
PID 692 wrote to memory of 2964	692	clipgrab-3.9.7-portable.tmp	32
PID 2964 wrote to memory of 2832	2964	vc_redist.x86.exe	33
PID 2964 wrote to memory of 2832	2964	vc_redist.x86.exe	33
PID 2964 wrote to memory of 2832	2964	vc_redist.x86.exe	33
PID 2964 wrote to memory of 2832	2964	vc_redist.x86.exe	33
PID 2964 wrote to memory of 2832	2964	vc_redist.x86.exe	33
PID 2964 wrote to memory of 2832	2964	vc_redist.x86.exe	33
PID 2964 wrote to memory of 2832	2964	vc_redist.x86.exe	33

C:\Users\Admin\AppData\Local\Temp\entry_1_0\clipgrab-3.9.7-dotinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\entry_1_0\clipgrab-3.9.7-dotinstaller.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\is-JE1E3.tmp\clipgrab-3.9.7-dotinstaller.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JE1E3.tmp\clipgrab-3.9.7-dotinstaller.tmp" /SL5="$30150,1907617,1111552,C:\Users\Admin\AppData\Local\Temp\entry_1_0\clipgrab-3.9.7-dotinstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\clipgrab-3.9.7-portable.exe
    "C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\clipgrab-3.9.7-portable.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\is-SL5OD.tmp\clipgrab-3.9.7-portable.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SL5OD.tmp\clipgrab-3.9.7-portable.tmp" /SL5="$5015A,72952445,791040,C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\clipgrab-3.9.7-portable.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Users\Admin\AppData\Local\Temp\is-VJEBK.tmp\vc_redist.x86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VJEBK.tmp\vc_redist.x86.exe" /install /passive /silent /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\Temp\{008F1837-C741-466E-B304-42A2A1270384}\.cr\vc_redist.x86.exe
        
        "C:\Windows\Temp\{008F1837-C741-466E-B304-42A2A1270384}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-VJEBK.tmp\vc_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /passive /silent /norestart
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ClipGrab\clipgrab.exe

Filesize
113KB

MD5
a50ed0dab22768932c2a546d960345f7

SHA1
c6147cff0a3275a736c5188dba9e2027fd05ce32

SHA256
a504fc903a922b9c966423854e086657777cf718c6646773e40a1822adce82f1

SHA512
0c70e0bfcf441d2b6c0bc336e479f014e4324fc756fcc4a98d558be869b1ba0ec79a22bd175cfb102555cdaf10f7278cd3d557918882be58915a8246d2c349a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c7b64ba2815d6c065f552cc6ef1fd8d2

SHA1
54aa6c52feab999d1643f0e7ca94a2833368f49c

SHA256
24e159c0c07fb42a90d45db39f5f7e977c97155dbf6022d5287b1848baccbc32

SHA512
9a191ed8c8d3ab98bd0d3aad4b224bd6725accd2cf76e31dd05ebe8b432be58c1241ea580daebf659a76b0acc5c24850c39c99b1f73dc07f9265c8f9ef66d273

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
36f25b4dc67ee31baf971507e0883447

SHA1
bfca7429a21ef3f334e8549fe0959bc2da197643

SHA256
08e7b0e171c72829a2096f416083ad92e20c95435feb16d813a9230c0b4f9ecb

SHA512
809c0e3286b31ae62a868454a103e41f61df9faa5a7808cc244ee0fd70ad92ba8023f63581007a373c62ee87961f5ec7d3cccd05c25de9c03a41e7ffa01c23b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1673.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\AVG_AV.png

Filesize
114KB

MD5
5ef5291810c454a35f76d976105f37cc

SHA1
8ce0cc65ae1786cef1c545d40d081eda13239fa6

SHA256
03e69e8c87732c625df2f628ac63bd145268f9dea9c5f3dd3670b1cf349a995c

SHA512
3bec461bb3cbbbdb3c05171fcc5ab7e648b2b60d7b811261662f14d35c3836148b14cda1a3f2be127c89cc732de8cf1644d2e55e049eeeb2da8e397c58cc919e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\WebAdvisor.png

Filesize
33KB

MD5
db6c259cd7b58f2f7a3cca0c38834d0e

SHA1
046fd119fe163298324ddcd47df62fa8abcae169

SHA256
494169cdd9c79eb4668378f770bfa55d4b140f23a682ff424441427dfab0ced2

SHA512
a5e8bb6dc4cae51d4ebbe5454d1b11bc511c69031db64eff089fb2f8f68665f4004f0f215b503f7630a56c995bbe9cf72e8744177e92447901773cc7e2d9fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\clipgrab-3.9.7-portable.exe

Filesize
1.7MB

MD5
7e480db1eaec0e2371ab3ca53286052e

SHA1
75188bbb3aa88aad59cdc73af01d03b09c86c9a5

SHA256
7efaa65f8c8b92d93c162784f3d4c06c639f4d269e973268abf2c9b59c3f3e43

SHA512
8487621224a3d92dfa0627022f1128be103d4d5f89a39dd1f18bcdbbec3824167056a71c38796c30df93461117726d7a597cfa926fe9f1ddbac74ce79c72baa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\clipgrab-3.9.7-portable.exe

Filesize
1.3MB

MD5
8cef710958aa258c28b46c3817ba97c5

SHA1
296270a6439d2bd056c363970b0835c80af5fa36

SHA256
263d6814be3a6fae8536c851344d03dd735c78e77228c6c98840c6c590bfe6d4

SHA512
eadf6d28b1873f1668ce091945ace4c40f21470c840b6b6a7151754bcdf4951718058b2bc1c262b28486bc22074894df3a0a2ec47faf24d3e33f5f8464790250

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\clipgrab-3.9.7-portable.exe

Filesize
1.3MB

MD5
d2b266e23437336ec142c0b7332fe793

SHA1
8f938f7375c867b3a0b2b0df66fdd43368c19deb

SHA256
f3ea8404867f4a8fd315167a104e79133d9fde311d015393ba09ce2d85f89f40

SHA512
88fa14a64759de2568892ec0c9891163d0588e283d07ebddef8bb012f0bad8dbb657ac339a044f53a29632e043b5f24b3b242d486515f7fbe49a17f0ef724b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\finish.png

Filesize
2KB

MD5
7afaf9e0e99fd80fa1023a77524f5587

SHA1
e20c9c27691810b388c73d2ca3e67e109c2b69b6

SHA256
760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0

SHA512
a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\loader.gif

Filesize
10KB

MD5
f23a523b82ad9103a9ac1dcc33eca72f

SHA1
5363bb6b51923441ef56638576307cc252f05a71

SHA256
59853c413b0813ded6f1e557959768d6662f010f49884d36b62c13038fac739c

SHA512
514ec63f7ed80d0708f7e2355fad8a558b4dcf2d0122ff98fe7c3ca1f40e7cd04e8869ca7a3b95622c0848c0d99306d7e791b86ca69b9e240beae959ca6285be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\logo.png

Filesize
9KB

MD5
2c050a55ade91ca10c94c41fdceaa8cb

SHA1
178fd0ee1c184fe681d89bff0ff8b89392723a67

SHA256
43262c9cc6328d67007b97a8eb36c924d05d45a383349e61b067f35677e1ad6e

SHA512
425825cbe2a417f10832c37fc0e571ca3e3f9b940f93f9f8ec8fcff2df896a52ff753386c30e03836d588b6bf355323dbea2e3a0cbf756f8f3c7065335cbfeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SL5OD.tmp\clipgrab-3.9.7-portable.tmp

Filesize
1.3MB

MD5
28fb2cbef1e3bd4a6ba898022837f530

SHA1
0c2b10b96bb89da50f7e628da9429f0804eb5e58

SHA256
6f135a5da1425917d69171ef07119f9a255ae53273b41b9042679b985d399330

SHA512
20eb882226895325f85ab26f60538132af6e281cfc0ece0675b3e043e6aa86bedfd5eed14c723bfbb4a6c0c443f2ed20935484fcce2a6283fadda8422e67d07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SL5OD.tmp\clipgrab-3.9.7-portable.tmp

Filesize
1.5MB

MD5
6136de0958d870f432d76dadd9031a62

SHA1
de85ca5d1b79a2addbdb7cf1f4f977c368abd658

SHA256
da2d29175f9ab34f22d15824ae239a154684eface3caa65045772023b2855e77

SHA512
bafcddd1729246004153b07192f5a4cacea70d3aadfdfab936dcd271b5f96adcbd537a06da7aba477eb0b5f63def2854a992ddd501c0566baca9e11622258bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJEBK.tmp\vc_redist.x86.exe

Filesize
247KB

MD5
0ae4caa40023ebd58dbcbcc24887eb77

SHA1
583bbb84c1d1bd6e695bbd239f3c46588e89fde8

SHA256
57df803c2039a47ff5a363412ea4d1fd21286ce227e68c5e30ba1762a6629765

SHA512
0bbe80db178ffa319199f68a4c0877cadd0e07e579d01cdc2b07c191580769e7abdc33212132cc1088ae1058ce0f457bc35db378b256ee546256e64be614e7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VJEBK.tmp\vc_redist.x86.exe

Filesize
183KB

MD5
31d32a97b517e77d725b308b867cd715

SHA1
73c85060e4021f6c4cd312c86db2ef29449822d1

SHA256
dcb9ea7c905dea7cbc80a82187432b332395590d23b24e17da8c1af88161b3fb

SHA512
b88c4e04cc766f5b8524c3226cf17cd9f60b24d9700939c46bb75f2ea040475470db25102c89135b776ccaff8202c762e50cbd7e27b274e972c5a938f9dc3cb3

Download Submit
C:\Windows\Temp\{008F1837-C741-466E-B304-42A2A1270384}\.cr\vc_redist.x86.exe

Filesize
97KB

MD5
1852b654e8bf7f9f9706b0dcd9510a90

SHA1
961a7143a4756cf2b3da37a4842a10a895a59ad5

SHA256
408f9ef7d7b4ba3f9df4b0a30241d5df014823805fdf2794be99c835effce339

SHA512
ea71909eef4643dcdd9f5d01776b4c608aa502f18a056737d93c63090abe13f4e01cabb590f108cf6e540c42e63da4106a0736c0582280a59165c9c82d466000

Download Submit
C:\Windows\Temp\{008F1837-C741-466E-B304-42A2A1270384}\.cr\vc_redist.x86.exe

Filesize
93KB

MD5
9ef7a3f928636896988e3d85a4b33ae9

SHA1
2670ce7653979a9efa651461ebe583e3fecfae42

SHA256
9359b7b9ed8895b527d8f905edb9bd87649bdce8bb80373f3fc2047927d6d94e

SHA512
31869187bdc51410460ae620fda9ee642f3ba11b5d326109846b474e891e36fb730b754f7186b738e6a4838237aad37c0033a1436542c93f180a9d3444d0b2c3

Download Submit
C:\Windows\Temp\{7D2B4644-7A7D-4BA7-BD4B-FBC5D26D5E4D}\.ba\1055\license.rtf

Filesize
177KB

MD5
f1a281f74d3e91d16dd26d1f313cd8a9

SHA1
ddb2ca9032c5a9c091eac53b679f6ba428077b00

SHA256
f79108a254f876e0f6bbcb05a9effbe25dc252e7ea256bfe3fd28ceb79737f25

SHA512
484c5ca26275427e1fb74d3217a22a0e4aac409aba973e78d7ad68834e7ad1d86c7855d34b227925200f941d288dfc09477b2d7dfe0856810c6c847297b8d625

Download Submit
C:\Windows\Temp\{7D2B4644-7A7D-4BA7-BD4B-FBC5D26D5E4D}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\Program Files (x86)\ClipGrab\clipgrab.exe

Filesize
231KB

MD5
81991fc04e89e1ca1b31c33beea181e9

SHA1
a6b08d0f8818e2491d9768efdccf07a2176c592a

SHA256
6adff56c4a02e2ac2fc07bedcbb76dfb79805fe54ea98f539ad22d812c93487d

SHA512
8d56a6a0fc23862f8822172e569b51fe24ed0f9c9adcc4132cbf2ce32181debc7d2206699510e9b057d6478dc14121505213f7eff4f81cdbb19d4c312457c807

Download Submit
\Program Files (x86)\ClipGrab\clipgrab.exe

Filesize
134KB

MD5
e78376b0fd8fcaf22e7da03558033f8e

SHA1
d6cb81e20a86f4bab7aae49a9f5a6d84effcec9e

SHA256
455fd57aa59985a6c4fe7d69c3d05d8962cb571c043dc0540456ac2a2b413428

SHA512
de5e1729fb9719a7863968a8232ff8622c9ed8fd26c49b956e3b8b57cbaba1aa031b663f8e5b4367d1cbbe7ab1f808057a22eaf563569e642a20414e0306aa63

Download Submit
\Program Files (x86)\ClipGrab\unins000.exe

Filesize
254KB

MD5
3deb3baedf329ccf213da831ce5518a6

SHA1
99051026110a76ceecdceeef8f3fc067ccfe1287

SHA256
3d3a66d243445e0cddf8aa2b2ec81a0812f8855fa211854ae766e9879f60634d

SHA512
513a2f5c7081e5f63883e37620578967c68ce7128fedc48c3a760a213cc40a0540792638e90f6be6f063ed94a4f242a2cc3fa0df3a05ce561188c0dc6db2c515

Download Submit
\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\clipgrab-3.9.7-portable.exe

Filesize
1.4MB

MD5
b263545c65f9fed11f71c7683de2ab18

SHA1
2b86f46f500ccb8401ac0a5213a9f58d6f890dfb

SHA256
cee84df64c7b90b2d535a5f6da840aa35e131d4d491261915f1c10db83abb809

SHA512
b9fa9f04ec2fa7e5f976a5c087c03152edcb88b5db1417102851014482d5703ec68d43e56d089ed331b9cf7079bc298b96a9f0376662848028f3c259009eb946

Download Submit
\Users\Admin\AppData\Local\Temp\is-1K1S3.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
\Users\Admin\AppData\Local\Temp\is-JE1E3.tmp\clipgrab-3.9.7-dotinstaller.tmp

Filesize
3.2MB

MD5
aadc16c8ad4312196df3aa1d9f6386d3

SHA1
ff4d78923e0d957e6a66b3c06efecc435c396c7a

SHA256
04fade43204ecbbb378114a023b3db4a3aebe8258ff3b3846156e80a9c5cf4a3

SHA512
51621ec71d530d75e4a537381edf03bc48b234dd861547c950573febf5709a1716ee797368854512edf1950a4e1f4f8bbe292417a0dd238600338a39e2454e04

Download Submit
\Users\Admin\AppData\Local\Temp\is-SL5OD.tmp\clipgrab-3.9.7-portable.tmp

Filesize
1.3MB

MD5
f55a6e245fd6a0b4bb48d7d21e41cfe8

SHA1
6f798e7b2ae584acdd32932cd02135b1f0ea0816

SHA256
35e613f02c09ea8b1f69ad264e383c7fc8ebcdaed28fa75cfdfc9e485de26cd4

SHA512
e214ac8e8a750b6ebd766e6a0d1b9e69e078caf133814cb3effc6bd15f3bc79b034fe23af6b4899596d1e6d155bfd3d3a52008e70d4681e60b27861312db9320

Download Submit
\Users\Admin\AppData\Local\Temp\is-VJEBK.tmp\vc_redist.x86.exe

Filesize
309KB

MD5
cc79518473ea9bbb8a2d1e9af37ef071

SHA1
f6d143249c61c9d9e8b38a8ca2b812ee019f0e1c

SHA256
95e7f08cb42ae41af55acebe0ca872b69f51109d1592a7b6f9294bd8232cd9e7

SHA512
c0fcda429e85c30e437ffe9cab08cf76e7f2f68a5afcbf81cea244a014a2091f7c195aa3bc4ef9c346e8c5d231591337a349ea5282d75d17030384a5a629aa06

Download Submit
\Windows\Temp\{008F1837-C741-466E-B304-42A2A1270384}\.cr\vc_redist.x86.exe

Filesize
86KB

MD5
8b34714dffd44e71a810cf68e3688b6f

SHA1
ffdf8d8fdfedefaf1262a6fae5d3146b2a43bb7e

SHA256
0a93d5e878c4d51b24835430b669f7a662579cf1c6a68618fa569ebc616e7eae

SHA512
128dc0e8359905cb93e07eb8f9ba90d5fc7b502642e30070ffdd3f22990ad16b2e62624700eb13b6b70d54160d1df5356bf7bfcc3cf5fdd95a714cc7328371de

Download Submit
\Windows\Temp\{7D2B4644-7A7D-4BA7-BD4B-FBC5D26D5E4D}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/692-207-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/692-460-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/780-1-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/780-172-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2340-199-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2340-461-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2412-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2412-182-0x0000000003AA0000-0x0000000003AAF000-memory.dmp

Filesize
60KB

Download
memory/2412-382-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/2412-181-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/2412-183-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2412-174-0x0000000003AA0000-0x0000000003AAF000-memory.dmp

Filesize
60KB

Download
memory/2412-190-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/2412-191-0x0000000003AA0000-0x0000000003AAF000-memory.dmp

Filesize
60KB

Download
memory/2412-173-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download
memory/2412-165-0x0000000003AA0000-0x0000000003AAF000-memory.dmp

Filesize
60KB

Download
memory/2412-468-0x0000000003AA0000-0x0000000003AAF000-memory.dmp

Filesize
60KB

Download
memory/2412-467-0x0000000000400000-0x000000000073F000-memory.dmp

Filesize
3.2MB

Download