Malware Analysis Report

2024-09-22 16:38

Sample ID 240131-q9myesfecr
Target 31012024_2156_CommunitySetup.msi
SHA256 cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d
Tags
babadeda crypter loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d

Threat Level: Known bad

The file 31012024_2156_CommunitySetup.msi was found to be: Known bad.

Malicious Activity Summary

babadeda crypter loader

Babadeda Crypter

Babadeda

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-31 13:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 13:57

Reported

2024-01-31 14:00

Platform

win7-20231129-en

Max time kernel

9s

Max time network

10s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\31012024_2156_CommunitySetup.msi

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f762462.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f762462.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2698.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f762465.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f762463.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f762463.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\31012024_2156_CommunitySetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "00000000000003D0"

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar89D.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7642e3b2d93d60f1eaaef398fa3dd931
SHA1 257c2906ba47618a22e20e8964b53ee1b798774c
SHA256 2a1ae7b53589789148f6bae0616c768c681fd0fc410a8b57c0d17ec6f3c7a615
SHA512 c578176d8605ceb98d862595bc1fc9c940bec96a24774e963496ca5cc172e049b1b3aeccb799c46bd1dc26666973bcb65b134c598b46f7a02291d466ce04185c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 7000bcd356168ce0bf37cebc6c1ba867
SHA1 9164c8e178cab3ca6a5d20132326ddb543210bba
SHA256 e2a9361df3df83ebae0c301b9c4e370289ba25038fd0d50cec9173ebb033d35e
SHA512 b0d99a354f596cca4fde71a05ee3aafb3f563b5e2e3ba12d9ae8fb17c72e5003e26f590530cc1e90653cf497be8b6c0209d8347d9bf5bbbf92d0cca5afa1529d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Config.Msi\f762464.rbs

MD5 6428065bb837570b91fa59efa7c81d3f
SHA1 47826c706498fa95a90e5fad9d09edb75356b99e
SHA256 88a129d7088989010edf45627420d3d9c075acce1c99a46c05ead7bb52c37831
SHA512 7bd93940286aaff480a90ba252998f8f3473d365be758fe8e7b2841b8aa90ee23e3006bb861f238117c3c57d538fa8c55b11e8df9a6ea0d22f48124348bd9bde

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll

MD5 8e58fcc0672a66c827c6f90fa4b58538
SHA1 3e807dfd27259ae7548692a05af4fe54f8dd32ed
SHA256 6e1bf8ea63f9923687709f4e2f0dac7ff558b2ab923e8c8aa147384746e05b1d
SHA512 0e9faf457a278ad4c5dd171f65c24f6a027696d931a9a2a2edd4e467da8b8a9e4ab3b1fd2d758f5744bf84bece88c046cda5f7e4204bead14d7c36a46702b768

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll

MD5 cdfbe254cc64959fc0fc1200f41f34c0
SHA1 4e0919a8a5c4b23441e51965eaaa77f485584c01
SHA256 9513129c0bb417698a60c5e4dd232963605d1c84e01b9f883f63d03b453173a9
SHA512 63704a7a4d0cd8b53972e29fcbee71f2c3eb86a0411f90fc8375e67cb4b3bddb36c753f3f5b113c3ca333c381f86a19e2168218cc2074f05ad1143bc118cd610

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

MD5 8b38bcca2d9c9a02dd8ce668427fde51
SHA1 46864e89e2f744e31086e3cc276394aebe3be920
SHA256 58d06980017a62c030ecbe32a090ac90ae10583ede4f55491bac5b4fcb30f200
SHA512 33ffaae24634b5c3eb3732ef43942d9a8b3f9d5018d26a72f306924f8a5481012dce0350527022fbe748e93fced6dfcd6d1f68473559713f40dd6b5fd1fe7050

\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

MD5 1cd2a0ab1997fee4c12032159aeed369
SHA1 2bf5767053a9eed277df0ceb848381cb7518e6e6
SHA256 a5aaa514c5f3d27385ad043f31e9775bc3406e0fc8f534bd30ade32028942854
SHA512 9d45aa67a40950e23fe7f114212c1b22dd43cf809730eca5f4655b9edd180e37b6febffe804dbbe77b50e9b4c0a996fee3815434f93410915f75241efa30de62

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 13:57

Reported

2024-01-31 14:00

Platform

win10v2004-20231215-en

Max time kernel

138s

Max time network

144s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\31012024_2156_CommunitySetup.msi

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI696E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e596356.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e596354.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e596354.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E8907531-0946-43B7-A05C-D15D055BE638} C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003462af5746133e160000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003462af570000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003462af57000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3462af57000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003462af5700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\31012024_2156_CommunitySetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 telldruggcommitetter.shop udp
US 172.67.132.181:443 telldruggcommitetter.shop tcp
US 8.8.8.8:53 gemcreedarticulateod.shop udp
US 188.114.97.2:443 gemcreedarticulateod.shop tcp
US 8.8.8.8:53 181.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 secretionsuitcasenioise.shop udp
US 188.114.96.2:443 secretionsuitcasenioise.shop tcp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 172.67.199.120:443 claimconcessionrebe.shop tcp
US 8.8.8.8:53 liabilityarrangemenyit.shop udp
US 104.21.83.220:443 liabilityarrangemenyit.shop tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 120.199.67.172.in-addr.arpa udp
US 8.8.8.8:53 220.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

\??\Volume{57af6234-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d8035913-6d9e-40ed-9713-152d8276bd23}_OnDiskSnapshotProp

MD5 f7b402e820a1f94c75e88983a921326a
SHA1 1c1fa971646a8f020e85b37746874af57298f475
SHA256 2f393f1921e1b8e8bf49081e82b53d0131c4caa3ab6f306e773caa477a79227e
SHA512 e53fafc41c1421fae82861def3638a7a6f8a452159b08f53ad9caf8a62eb775565c19f4b4c3a293ce497ecb6fb9c8e472f243a72948b55df26318e9d9dda879c

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 ec39ee484108996713578eb3f3d438fb
SHA1 b9f52ed16e207fa3845d05bd609a5a21da518c33
SHA256 483158242fdb96115e2d9e442d3768db8fe97ca77e2a915c887b15beeb75c643
SHA512 1945393e1c25a5ccadd4f5acaeef71b06662cbe8b0ffaa7d9da04bb7dfe8c523e23c1c2ac1b699afcf79eb25854ea123c09148bd74c18f1b8b75148630204d16

C:\Config.Msi\e596355.rbs

MD5 0bdba05c4da4fa53e7f31e888944727b
SHA1 e234d1ae8593f6c41a228b5fc3a2f586469b10c3
SHA256 c75ebea54a225c4df2770d33c0fca707705c0b31a19fb619af29f53c00369d16
SHA512 9d1b826fd3df933454706d620a2f598ec5939cbbfeb065085d832941ebc6b3a57bce7f0103b65942abd503531b9cb7199c51f9f693f4c986b2bd9b1fd3d7294b

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

MD5 63c5b96b43e63c2fac1697fbe936e227
SHA1 898f30fc375882e977427cce521c88002146ddd9
SHA256 25051ff2c23b8efa5e2a9fc6226aca4975d7a6de165e1c0c04a7756469fc2c02
SHA512 b6495d6bebc3c73098826466786622fce587807dd3ea2978471db6aa2b05666c5bda5e9cc63686a2ace0def0e9f6115d05a79a28a27970ca9074fbffd7789416

C:\Windows\Installer\e596354.msi

MD5 608d584486e4b1ae0947e8afa3c7d684
SHA1 eecbd18b488c6ffa2e811c53f93e835348289b4e
SHA256 20cbb426257be79c84d691d88f1affce684f0c936a729992032b03948bb301ab
SHA512 112f5637e211b14082e3613aa7f99191b1151059f5bcb304d954349fb4f5522ef08978cdb274d4f99c4887ac4a219179b73548cf7593ce18b66dd314df3bcd5c

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll

MD5 5efb2702c0b3d8eeac563372a33a6ed0
SHA1 c7f969ea2e53b1bd5dbeba7dd56bff0cc4c9ea99
SHA256 40545a369fa7b72d23a58050d32dc524b6905e9b0229719022dbda0d2fa8765b
SHA512 8119526f8573ea6e5bed16a57d56084260afee511c9aad3d542388a783548e5b32ed8fb568d5b97deed791162bcd5577fcc3c76abf4d147ea13bea5c2a6ea794

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll

MD5 8e58fcc0672a66c827c6f90fa4b58538
SHA1 3e807dfd27259ae7548692a05af4fe54f8dd32ed
SHA256 6e1bf8ea63f9923687709f4e2f0dac7ff558b2ab923e8c8aa147384746e05b1d
SHA512 0e9faf457a278ad4c5dd171f65c24f6a027696d931a9a2a2edd4e467da8b8a9e4ab3b1fd2d758f5744bf84bece88c046cda5f7e4204bead14d7c36a46702b768

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dll

MD5 46ede9ea58c0ac20baf444750311e3f8
SHA1 246c36050419602960fca4ec6d2079ea0d91f46e
SHA256 7ea1636182d7520e5d005f3f8c6c1818148824cee4f092e2d2fe4f47c1793236
SHA512 d9154430c72cbf78f4f49ec1eee888c0004f30a58a70cee49f5108ded0994ba299ba6bf552a55ffeedb2ab53107172324156e12e2fbae42f8f14f87ec37cc4e7

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll

MD5 d8ccb4b8235f31a3c73485fde18b0187
SHA1 723bd0f39b32aff806a7651ebc0cdbcea494c57e
SHA256 7bc733acc1d2b89e5a6546f4ebc321b1c2370e42354ea415bc5fcc6807275eba
SHA512 8edafd699f9fbec0db334b9bc96a73a9196895120f3406fff28406fd0565415ac98665c9837a5b1e0c5027162ff26bf3a316ecda6a0b51d92eb5d7002b814713

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dll

MD5 ff3d92fe7a1bf86cba27bec4523c2665
SHA1 c2184ec182c4c9686c732d9b27928bddac493b90
SHA256 9754a64a411e6b1314ae0b364e5e21ccfe2c15df2ed2e2dce2dc06fa10aa41e8
SHA512 6e0f021eb7317e021dccb8325bc42f51a0bf2b482521c05a3ff3ca9857035191f8b4b19cbe0d7130d5736f41f8f2efb2568561e9063fa55aaab9f2575afe23db

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll

MD5 cdfbe254cc64959fc0fc1200f41f34c0
SHA1 4e0919a8a5c4b23441e51965eaaa77f485584c01
SHA256 9513129c0bb417698a60c5e4dd232963605d1c84e01b9f883f63d03b453173a9
SHA512 63704a7a4d0cd8b53972e29fcbee71f2c3eb86a0411f90fc8375e67cb4b3bddb36c753f3f5b113c3ca333c381f86a19e2168218cc2074f05ad1143bc118cd610

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dll

MD5 d31da7583083c1370f3c6b9c15f363cc
SHA1 1ebe7b1faf94c4fe135f34006e7e7cbbc0d8476c
SHA256 cff3edc109bc0d186ba8ddf60bc99e48ff3467771e741c7168adbdbe03379506
SHA512 a80364384eca446a378e3ae3420a0e3545e1d24426a9e43f3e27381cb09bb4cd1121b66c576e5a981b2e5d661f82590eb0c0fe8d8243ef872f84809ec906e266

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll

MD5 a6f27196423a3d1c0caa4a0caf98893a
SHA1 58b97697fa349b40071df4272b4efbd1dd295595
SHA256 d3b9e4646f7b1cb9123914313cec23ec804bd81c4ff8b09b43c2cde5ee3e4222
SHA512 0a84cf847b80b0c2e6df9274a4199db8559757781faec508cd8999bea2c8fb5cd9bed1698144b82b86b2c6938fa8006c482a09c1b46d6bb8d2a2648a2011dea0

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll

MD5 b6022150de5aeab34849ade53a9ac397
SHA1 203d9458c92fc0628a84c483f17043ce468fa62f
SHA256 c53b12ebe8ea411d8215c1b81de09adc7f4cf1e84fd85a7afa13f1f4a41f8e9d
SHA512 2286399bd1f3576c6ce168e824f4d70c637485fae97d274597d045a894740519512f1865e20562656297072b5625bdd2a5ec4d4f5038176f764eb37e22451ade

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

MD5 13142bb6f925a719b4b72e7bd4cfc14a
SHA1 a77f5ee0bf6eb2b3ef380b15cf3e0f2ff3b689da
SHA256 057b57a6f08e1334de783dfda243373aa7f58f81d00f4ffd05b9569c1fcca471
SHA512 939d2f0adc9c26395f89f1ffb1511bffbc79242817f91eb41e0965233e875b603a9133eaccef592f23f334c3243a27c3d5650c57848bab65c20927cf29ea318b

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dll

MD5 89e794bbd022ae1cafbf1516541d6ba5
SHA1 a69f496680045e5f30b636e9f17429e0b3dd653e
SHA256 7d7eb0bc188fc3a8e7af7e5325d4f5e5eb918c4138aea3de60d6b1afac6863f9
SHA512 16455e29a1beece663878e84d91c8e75c34b483b6ff3b5853ced97670a75a9c29cc7a7aa78b0c158eb760cda5d3e44541aae2cc89b57d290e39b427d4c770000

memory/812-83-0x00000000011D0000-0x00000000014B3000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dll

MD5 5199d6173a6deb45c275ef32af377c3c
SHA1 e8989859b917cfa106b4519fefe4655c4325875b
SHA256 a36f06cbe60fc1a305bd16cd30b35b9c026fd514df89cd88c9c83d22aefbe8c3
SHA512 80b96196f1b3d6640035e8b8632a25ecdb3e4e823e1b64fc658b31aae6c6799aa1d9fd1acffbef6ff9082e0433ac9ab9426d5400d3644db9958940b8bb13f6d8

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

MD5 eeb2c9f79926c1074703c378fb27215c
SHA1 df632ea453d0986aebb5961a7874c25426e5885b
SHA256 ba71994c06091dfdc0f1c51eda9e41be888224d165fc0d62d7d882384569600c
SHA512 0ffb563a20b1bf6659ae78d79fe28379e9560c91e4a258dd12046c4659aaf30772b1dcbd426466fee513f42711bc55c70f3f8c8f9ebfc533173b5e9cc3b80406

memory/812-86-0x0000000074EF0000-0x0000000074F3D000-memory.dmp

memory/812-87-0x0000000000D60000-0x0000000000D7D000-memory.dmp

memory/812-90-0x0000000074DB0000-0x0000000074DBE000-memory.dmp

memory/812-92-0x0000000074D60000-0x0000000074D88000-memory.dmp

memory/812-91-0x0000000000D60000-0x0000000000D64000-memory.dmp

memory/812-95-0x0000000074E00000-0x0000000074E9E000-memory.dmp

memory/812-96-0x0000000000D80000-0x0000000000D9E000-memory.dmp

memory/812-94-0x0000000000D60000-0x0000000000D64000-memory.dmp

memory/812-98-0x0000000074DC0000-0x0000000074DF3000-memory.dmp

memory/812-99-0x0000000000D60000-0x0000000000D6E000-memory.dmp

memory/812-102-0x0000000074B10000-0x0000000074B1E000-memory.dmp

memory/812-103-0x0000000000D60000-0x0000000000D65000-memory.dmp

memory/812-107-0x0000000000D60000-0x0000000000D63000-memory.dmp

memory/812-109-0x0000000000D60000-0x0000000000D6D000-memory.dmp

memory/812-108-0x0000000074A00000-0x0000000074A24000-memory.dmp

memory/812-105-0x0000000002D90000-0x0000000002DA7000-memory.dmp

memory/812-104-0x0000000074A50000-0x0000000074A86000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

MD5 b278fda5d580f8f7ca448567354e8737
SHA1 1761e7feec004f967b2d3e8b0efe97d622dc56e3
SHA256 f58f37417258a79f7f0485e903563e61fe2761594a51c2b9ab8b05a4f4cc1871
SHA512 ea871f5a64434ce788427565a014c32d00ff96a0e4d9870618190ade37f066e89f1db0d279972a9f3208952318fa6c0386d98b3d108af808b1c7c7bdca5f8f2c

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

MD5 ddb07869ab419e25929751e89f5742af
SHA1 76573afadbe102f2fe1514ae92216b4a88e2f3f5
SHA256 508a24c3ed4a0332db91113205f459bd7333f5656f223b7fc9ba205c7647ca43
SHA512 ff66ee2c2651d77c2f38ac35cd213d02fb7c39d5bbab6a0fa3d10cf7bbc24cb747f6875182aeabc36e9329015e1a00c3df8790935a14b74c463484389f323858

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

MD5 658276a6bf6c17511f54254d56cd9022
SHA1 b9af3a23d41aa2bc2bf1f269e0deb8749896c584
SHA256 19b5b1a7be78f20a509b6283d89498f038a74337b803369cb37077e1ebb5fa2a
SHA512 4de906a5637512b40f91d49c798d2c2cea429077b53a7ed6e8eceaa6f0a1f56dbea1085c1a5afeeb689fd0c049d9041064c3d262a43b513f2288967292222fae

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wav

MD5 3978c2550c1e450c0b817854b69b3b82
SHA1 e0db6cb3d7182d16374db7fe6ce15ae7db3346db
SHA256 05a61eb335bf99882924caa6bff364811fda63efb3b76d23665e09b50835f1f6
SHA512 164e3c8922fd8fe2b8be0313e89c17840130946c1d73c7ebf3c7267f944b1a0cbe1517baa0f0e9daf0cf5f802caab6a231c9c412ebcb3111da8fa7f540622a08

memory/812-118-0x00000000744C0000-0x00000000745E5000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll

MD5 e98f595caa5ee23e8a3e46d83211da9d
SHA1 a7ef9e7c3eddaa7b82acb7eba7a2c88a70bac017
SHA256 df12ced54ee1dd73b230be239fb2ffce141bbf4ff979fb33ebb153a0bda88a1a
SHA512 e777a5ace5ecef10ae051df02a443279af5f28a1e996905774f574ef8679363ae78db064ef6eb7c3f77dd87284cc0d070b1fe54b422f9ae0a2240286a9541938

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

MD5 a277c69bc722f41a3c65a7b44776ab64
SHA1 e8c21db7ea987c1e4394e5c97a1058f201b259f1
SHA256 9f33619e4e536071cba74d3d4ff4be83c7775497d014cd9202a9217881c9abb0
SHA512 0bbd018d6a6cc65ce15d33e920ec9e916f1aea9c1e64ac6d477bd1aa1f7272fb05e5e6dff96bb28505cf5e01efb2ad8725eef99ec4e075c778fbd6298d35075e

memory/812-120-0x00000000032C0000-0x00000000032C1000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

MD5 438e94a331161185f536b61659d139dc
SHA1 440dde2a6b12019187e49e7d5af4daa8d3b5fa47
SHA256 12696df60e4252ae4d44c546ac709acb28341813c35125d2c66f1895c9e78539
SHA512 599ee201e6e1718d66074a99e50bbc0c95b8ce012d143da971ee8fd90fa03be5b739e690e3eb8148d98bedd7776d138409acfeb99601286500251fab4537aa4a

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

MD5 b38c9b2b76254fdf958769db2b9242a8
SHA1 b6374308a0338aac7509fc547e07908b98800625
SHA256 4dc4b7fcab02e7c53f69e5ec59eeff60be22bc1a7ccc7f0ef9828c9e3090fc91
SHA512 40d7bcc8f13a8a5f98843d10a92518e54279ed56ca010dddf5efe1a75c49703bc0bcdfa575e856adc0853cbd03b0ecf1ee0ff245671c0eed555ccc31ab6d2ef9

memory/812-124-0x0000000005680000-0x000000000570B000-memory.dmp

memory/812-130-0x0000000003F00000-0x0000000003F01000-memory.dmp

memory/812-131-0x0000000003F00000-0x0000000003F40000-memory.dmp

memory/812-132-0x0000000003F00000-0x0000000003F40000-memory.dmp

memory/812-133-0x0000000003F00000-0x0000000003F40000-memory.dmp

memory/812-134-0x0000000000D60000-0x0000000000D64000-memory.dmp

memory/812-135-0x0000000000D60000-0x0000000000D7D000-memory.dmp

memory/812-136-0x0000000003F00000-0x0000000003F40000-memory.dmp

memory/812-137-0x0000000000400000-0x0000000000BAB000-memory.dmp

memory/812-138-0x00000000011D0000-0x00000000014B3000-memory.dmp

memory/812-139-0x00000000732D0000-0x0000000073FF3000-memory.dmp

memory/812-140-0x00000000744C0000-0x00000000745E5000-memory.dmp