Malware Analysis Report

2024-09-22 16:41

Sample ID 240131-rl82esdha7
Target CommunitySetup.msi
SHA256 cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d
Tags
babadeda crypter loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d

Threat Level: Known bad

The file CommunitySetup.msi was found to be: Known bad.

Malicious Activity Summary

babadeda crypter loader

Babadeda Crypter

Babadeda

Loads dropped DLL

Executes dropped EXE

Blocklisted process makes network request

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-31 14:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 14:18

Reported

2024-01-31 14:20

Platform

win10v2004-20231222-en

Max time kernel

146s

Max time network

151s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CommunitySetup.msi

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E8907531-0946-43B7-A05C-D15D055BE638} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7BA8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577a04.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577a02.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e577a02.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CommunitySetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x508 0x504

Network


Files

C:\Config.Msi\e577a03.rbs

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

C:\Windows\Installer\e577a02.msi

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wav

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dll

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

\??\Volume{15ae01b2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bb68b8e3-46ef-404c-a2d5-15ed87cb89b7}_OnDiskSnapshotProp