clip.exe

  • File Path: C:\WINDOWS\SysWOW64\clip.exe
  • Description: Clip - copies the data into clipboard

Hashes

Type Hash
MD5 18AD682A1F96F3FAF44B4A92BBA4CEE8
SHA1 BAA12E51E501F52948E5321E5AD05A6C9E75067F
SHA256 E840540406079C00B18CAB60C62A95E5A884B762EF4C93E9A25AF2829EC6FF88
SHA384 6F6CD96D6F82476F910ED0AD50557B85BBB3A27EF44911C4650408D0344F18F71BE8981F197817AFC36B950C24A0172C
SHA512 F6B36B0DA36437B36065C26ABC8886DE2572B7CADA844137EB431E2F6266157AB7FA3FED0EFB6846D0CFEBE0F9A9C62A583DF8D02CD102F7A9E5AFA448C8FED6
SSDEEP 768:u8OPvealV8nsPrkUp7T/6VCnozWux/+Wvdhe:u8OPvem8oXyIAx2Wvfe
IMP 857C38B84347441A2A03A3FD32855E24
PESHA1 E5FAAB6CF25B14C3DC4DBC4CA07D6815DA8107B2
PE256 EAC50425AD89F006CA8DF5CA67CE3963D84A19D0EEAB9576B1079E2BE89AF9BC

Runtime Data

Usage (stdout):


CLIP

Description:
    Redirects output of command line tools to the Windows clipboard.
    This text output can then be pasted into other programs.

Parameter List:
    /?                  Displays this help message.

Examples:
    DIR | CLIP          Places a copy of the current directory
                        listing into the Windows clipboard.

    CLIP < README.TXT   Places a copy of the text from readme.txt
                        on to the Windows clipboard.

Usage (stderr):

ERROR: Invalid argument/option - '--help'.
Type "CLIP /?" for usage.

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\clip.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: clip.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/e840540406079c00b18cab60c62a95e5a884b762ef4c93e9a25af2829ec6ff88/detection

Possible Misuse

The following table contains possible examples of clip.exe being misused. While clip.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_invoke_obfuscation_clip_services_security.yml description: Detects Obfuscated use of Clip.exe to execute PowerShell DRL 1.0
sigma win_invoke_obfuscation_via_use_clip_services_security.yml description: Detects Obfuscated Powershell via use Clip.exe in Scripts DRL 1.0
sigma win_invoke_obfuscation_clip_services.yml description: Detects Obfuscated use of Clip.exe to execute PowerShell DRL 1.0
sigma win_invoke_obfuscation_via_use_clip_services.yml description: Detects Obfuscated Powershell via use Clip.exe in Scripts DRL 1.0
sigma posh_pm_invoke_obfuscation_clip.yml description: Detects Obfuscated use of Clip.exe to execute PowerShell DRL 1.0
sigma posh_pm_invoke_obfuscation_via_use_clip.yml description: Detects Obfuscated Powershell via use Clip.exe in Scripts DRL 1.0
sigma posh_ps_invoke_obfuscation_clip.yml description: Detects Obfuscated use of Clip.exe to execute PowerShell DRL 1.0
sigma posh_ps_invoke_obfuscation_via_use_clip.yml description: Detects Obfuscated Powershell via use Clip.exe in Scripts DRL 1.0
sigma proc_creation_win_clip.yml OriginalFileName: clip.exe DRL 1.0
sigma proc_creation_win_invoke_obfuscation_clip.yml description: Detects Obfuscated use of Clip.exe to execute PowerShell DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_use_clip.yml description: Detects Obfuscated Powershell via use Clip.exe in Scripts DRL 1.0
sigma driver_load_invoke_obfuscation_clip+_services.yml description: Detects Obfuscated use of Clip.exe to execute PowerShell DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_clip_services.yml description: Detects Obfuscated Powershell via use Clip.exe in Scripts DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


clip

Redirects the command output from the command line to the Windows clipboard. You can use this command to copy data directly into any application that can receive text from the Clipboard. You can also paste this text output into other programs.

Syntax

<command> | clip
clip < <filename>

Parameters

Parameter Description
<command> Specifies a command whose output you want to send to the Windows clipboard.
<filename> Specifies a file whose contents you want to send to the Windows clipboard.
/? Displays help at the command prompt.

Examples

To copy the current directory listing to the Windows clipboard, type:

dir | clip

To copy the output of a program called generic.awk to the Windows clipboard, type:

awk -f generic.awk input.txt | clip

To copy the contents of a file called readme.txt to the Windows clipboard, type:

clip < readme.txt

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.