Malware Analysis Report

2024-09-22 16:38

Sample ID 240201-dset9scahp
Target d97886f33e4198fa5d3d5e3f0b58f998.bin
SHA256 03ab69f48bc2dbe9eed9c025444c98fd25ddc947c4b93c50ce19421e331a4d65
Tags
babadeda crypter loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03ab69f48bc2dbe9eed9c025444c98fd25ddc947c4b93c50ce19421e331a4d65

Threat Level: Known bad

The file d97886f33e4198fa5d3d5e3f0b58f998.bin was found to be: Known bad.

Malicious Activity Summary

babadeda crypter loader

Babadeda

Babadeda Crypter

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Blocklisted process makes network request

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-01 03:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 03:15

Reported

2024-02-01 03:18

Platform

win7-20231215-en

Max time kernel

9s

Max time network

10s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup.msi

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f762f8a.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f762f8a.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI31ED.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f762f8c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f762f89.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f762f89.msi C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "00000000000005B4"

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab1335.tmp


C:\Users\Admin\AppData\Local\Temp\Tar13E3.tmp


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Config.Msi\f762f8b.rbs


C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe


C:\Windows\Installer\f762f89.msi


C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll


C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll


\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll


\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll


\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll


\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll


C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll


\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll


\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 03:15

Reported

2024-02-01 03:18

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

148s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup.msi

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E8907531-0946-43B7-A05C-D15D055BE638} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7EE4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577d8e.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577d8c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e577d8c.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x498 0x150

Network


Files

C:\Config.Msi\e577d8d.rbs

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

C:\Windows\Installer\e577d8c.msi

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wav

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

\??\Volume{14f6f45c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b8d7a6b2-92ca-48d7-be8f-38d4c669bfa4}_OnDiskSnapshotProp