Malware Analysis Report

2024-09-22 16:35

Sample ID: 240131-zwlb4sceb5
Target: ClipPlusCommunitySetup_ns.zip
SHA256: 1120c72e96423635515bd260a0d9b219a6a7d17eca7f21d2ab63e3a6d2319539
Tags: babadeda crypter loader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 1120c72e96423635515bd260a0d9b219a6a7d17eca7f21d2ab63e3a6d2319539

Threat Level: Known bad

The file ClipPlusCommunitySetup_ns.zip was found to be: Known bad.

Malicious Activity Summary

babadeda crypter loader

Babadeda Crypter

Babadeda

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-31 21:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 21:04

Reported

2024-01-31 21:07

Platform

win7-20231215-en

Max time kernel

148s

Max time network

126s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup_ns.msi

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A (18 identical events)
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A (5 identical events)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: through \??\Z: (every drive letter except C:, D: and F:; each letter opened twice, 46 events in total) C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76f40f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF622.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76f40f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76f410.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76f412.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76f410.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A (7 identical events)
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A (3 identical events)
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup_ns.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D0" "00000000000004F8"

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 524

Network

N/A

Files

C:\Config.Msi\f76f411.rbs

C:\Windows\Installer\f76f40f.msi

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wav

\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 21:04

Reported

2024-01-31 21:06

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

146s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup_ns.msi

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E8907531-0946-43B7-A05C-D15D055BE638} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI789B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5777c2.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5777c0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5777c0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup_ns.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 telldruggcommitetter.shop udp
US 104.21.5.9:443 telldruggcommitetter.shop tcp
US 8.8.8.8:53 gemcreedarticulateod.shop udp
US 172.67.152.52:443 gemcreedarticulateod.shop tcp
US 8.8.8.8:53 secretionsuitcasenioise.shop udp
US 172.67.213.168:443 secretionsuitcasenioise.shop tcp
US 8.8.8.8:53 9.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 52.152.67.172.in-addr.arpa udp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 104.21.58.31:443 claimconcessionrebe.shop tcp
US 8.8.8.8:53 liabilityarrangemenyit.shop udp
US 172.67.182.52:443 liabilityarrangemenyit.shop tcp
US 8.8.8.8:53 168.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 31.58.21.104.in-addr.arpa udp
US 8.8.8.8:53 52.182.67.172.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Config.Msi\e5777c1.rbs

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

C:\Windows\Installer\e5777c0.msi

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wav

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

\??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9a9b23ad-5d47-493c-987a-45d5327f0874}_OnDiskSnapshotProp
