Malware Analysis Report

2024-09-22 16:36

Sample ID 240201-dzgx7sccbq
Target eb64b1dbb38961bdb4c0f4b724b1ed3d.bin
SHA256 88430144366f4833f7e71c205f09cc4d2ea08983a8a8b98122c1989a9712f622
Tags
babadeda crypter loader
score
10/10

Analysis Overview

score
10/10

SHA256

88430144366f4833f7e71c205f09cc4d2ea08983a8a8b98122c1989a9712f622

Threat Level: Known bad

The file eb64b1dbb38961bdb4c0f4b724b1ed3d.bin was found to be: Known bad.

Malicious Activity Summary

babadeda crypter loader

Babadeda

Babadeda Crypter

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Blocklisted process makes network request

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-01 03:26

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 03:26

Reported

2024-02-01 03:29

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

122s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d.msi

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e5778aa.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5778aa.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E8907531-0946-43B7-A05C-D15D055BE638} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI79F3.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5778ac.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value omitted] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x514 0x49c

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 telldruggcommitetter.shop udp
US 172.67.132.181:443 telldruggcommitetter.shop tcp
US 8.8.8.8:53 gemcreedarticulateod.shop udp
US 172.67.152.52:443 gemcreedarticulateod.shop tcp
US 8.8.8.8:53 secretionsuitcasenioise.shop udp
US 104.21.16.152:443 secretionsuitcasenioise.shop tcp
US 8.8.8.8:53 181.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 52.152.67.172.in-addr.arpa udp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 172.67.199.120:443 claimconcessionrebe.shop tcp
US 8.8.8.8:53 liabilityarrangemenyit.shop udp
US 104.21.83.220:443 liabilityarrangemenyit.shop tcp
US 8.8.8.8:53 152.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 120.199.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Config.Msi\e5778ab.rbs

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

C:\Windows\Installer\e5778aa.msi

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

memory/2956-80-0x0000000074E40000-0x0000000074E8D000-memory.dmp

memory/2956-81-0x0000000000C00000-0x0000000000C1D000-memory.dmp

memory/2956-77-0x0000000001180000-0x0000000001463000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dll

memory/2956-85-0x0000000074DD0000-0x0000000074DF8000-memory.dmp

memory/2956-88-0x0000000074CE0000-0x0000000074D7E000-memory.dmp

memory/2956-87-0x0000000000C00000-0x0000000000C1D000-memory.dmp

memory/2956-90-0x0000000000C00000-0x0000000000C1D000-memory.dmp

memory/2956-92-0x0000000000C00000-0x0000000000C1D000-memory.dmp

memory/2956-94-0x0000000000C00000-0x0000000000C0E000-memory.dmp

memory/2956-97-0x0000000000C00000-0x0000000000C05000-memory.dmp

memory/2956-98-0x00000000749B0000-0x00000000749E6000-memory.dmp

memory/2956-101-0x0000000074980000-0x00000000749A4000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

memory/2956-110-0x0000000074440000-0x0000000074565000-memory.dmp

memory/2956-112-0x0000000003090000-0x0000000003091000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wav

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

memory/2956-116-0x0000000003D80000-0x0000000003E0B000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

memory/2956-125-0x0000000003E50000-0x0000000003E90000-memory.dmp

memory/2956-124-0x0000000003090000-0x0000000003091000-memory.dmp

memory/2956-122-0x0000000003090000-0x0000000003091000-memory.dmp

memory/2956-121-0x0000000003090000-0x0000000003091000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

memory/2956-100-0x0000000000C00000-0x0000000000C0D000-memory.dmp

memory/2956-96-0x0000000074CD0000-0x0000000074CDE000-memory.dmp

memory/2956-91-0x0000000074D90000-0x0000000074DC3000-memory.dmp

memory/2956-84-0x0000000074D80000-0x0000000074D8E000-memory.dmp

memory/2956-127-0x00000000014E0000-0x00000000014E1000-memory.dmp

memory/2956-126-0x00000000030B0000-0x00000000030B1000-memory.dmp

memory/2956-129-0x0000000001180000-0x0000000001463000-memory.dmp

memory/2956-128-0x0000000000400000-0x0000000000BAB000-memory.dmp

memory/2956-130-0x0000000073250000-0x0000000073F73000-memory.dmp

memory/2956-131-0x0000000074440000-0x0000000074565000-memory.dmp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

\??\Volume{05dfbecd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0261a327-a7e4-45f5-bc35-286f29068086}_OnDiskSnapshotProp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 03:26

Reported

2024-02-01 03:29

Platform

win7-20231215-en

Max time kernel

145s

Max time network

121s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d.msi

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f768a46.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8DA3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f768a46.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f768a45.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f768a45.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f768a48.msi C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B4" "00000000000005C0"

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 504

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab3D60.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar3E7C.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 771c23fe43fa540cbe539a60fbb15e67
SHA1 e68dc2440df9a984fab97a774bcefbaa464c9c34
SHA256 2d072d4cf645f4ea760cd206e2f3bbc74eba64194ec955c6c1ae91eadd60bc19
SHA512 44da85c718411ae042837d063f611bf30b9981cd0f693f56e0c370f8db566d5ae678b1b150110a71b3bbe6f07d3c828f748ef9cd018284f1786749f19176b20b

C:\Config.Msi\f768a47.rbs

MD5 66163229eaa00d8a67668aacfcf63c12
SHA1 93df95d53bc32450d6a5245d9d096b8d81448711
SHA256 58c7f29a5efb580d34caa67e2b8760acec0abaedc5ac26c15507c2b0542c6094
SHA512 8471965ebeb8e5fefcb93aaf252b91f964e0efa9d3e87085ae5aac34de7f30659c456d96fe977cbb8087ff948ddbb3aa0bdfbab3f5e59247437fd7fcf64e05f7

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

MD5 c968564ad07538c537b7f91960399a08
SHA1 70e63cf1a42deae9de3c6d2f89cb7ea4904e50f5
SHA256 102dd29dc62f93baa4f8f81455f7517263e98b3951771c43ff202e10c95be563
SHA512 3200fb10ae77ec2c9bde9be2685383cb5fddc560d2749e881d14d388873028069c34a0e8dc68cd6df1acbd085404c009a75cbe20402d4ce04c3ee2b75d4c8c9b

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll

MD5 8e58fcc0672a66c827c6f90fa4b58538
SHA1 3e807dfd27259ae7548692a05af4fe54f8dd32ed
SHA256 6e1bf8ea63f9923687709f4e2f0dac7ff558b2ab923e8c8aa147384746e05b1d
SHA512 0e9faf457a278ad4c5dd171f65c24f6a027696d931a9a2a2edd4e467da8b8a9e4ab3b1fd2d758f5744bf84bece88c046cda5f7e4204bead14d7c36a46702b768

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll

MD5 a6f27196423a3d1c0caa4a0caf98893a
SHA1 58b97697fa349b40071df4272b4efbd1dd295595
SHA256 d3b9e4646f7b1cb9123914313cec23ec804bd81c4ff8b09b43c2cde5ee3e4222
SHA512 0a84cf847b80b0c2e6df9274a4199db8559757781faec508cd8999bea2c8fb5cd9bed1698144b82b86b2c6938fa8006c482a09c1b46d6bb8d2a2648a2011dea0

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll

MD5 5efb2702c0b3d8eeac563372a33a6ed0
SHA1 c7f969ea2e53b1bd5dbeba7dd56bff0cc4c9ea99
SHA256 40545a369fa7b72d23a58050d32dc524b6905e9b0229719022dbda0d2fa8765b
SHA512 8119526f8573ea6e5bed16a57d56084260afee511c9aad3d542388a783548e5b32ed8fb568d5b97deed791162bcd5577fcc3c76abf4d147ea13bea5c2a6ea794

C:\Windows\Installer\f768a45.msi

MD5 8b1fa194528093152f23290620ae2223
SHA1 abc994abdff3628208426ccc04a39f5b22af67db
SHA256 2536f899c82cb2492949e638aed2fa3420d669a6e3c6baf515cf0cf1beda3c71
SHA512 fe519b2f8309dd079d798e1c2e37f7511a4a30b6bea13bfca649669f7a21fbcd1e2e92fd75631a0af52444db61385765015c1aea2a0905516f151317ea4d28e1

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dll

MD5 ff3d92fe7a1bf86cba27bec4523c2665
SHA1 c2184ec182c4c9686c732d9b27928bddac493b90
SHA256 9754a64a411e6b1314ae0b364e5e21ccfe2c15df2ed2e2dce2dc06fa10aa41e8
SHA512 6e0f021eb7317e021dccb8325bc42f51a0bf2b482521c05a3ff3ca9857035191f8b4b19cbe0d7130d5736f41f8f2efb2568561e9063fa55aaab9f2575afe23db

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll

MD5 d8ccb4b8235f31a3c73485fde18b0187
SHA1 723bd0f39b32aff806a7651ebc0cdbcea494c57e
SHA256 7bc733acc1d2b89e5a6546f4ebc321b1c2370e42354ea415bc5fcc6807275eba
SHA512 8edafd699f9fbec0db334b9bc96a73a9196895120f3406fff28406fd0565415ac98665c9837a5b1e0c5027162ff26bf3a316ecda6a0b51d92eb5d7002b814713

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dll

MD5 d31da7583083c1370f3c6b9c15f363cc
SHA1 1ebe7b1faf94c4fe135f34006e7e7cbbc0d8476c
SHA256 cff3edc109bc0d186ba8ddf60bc99e48ff3467771e741c7168adbdbe03379506
SHA512 a80364384eca446a378e3ae3420a0e3545e1d24426a9e43f3e27381cb09bb4cd1121b66c576e5a981b2e5d661f82590eb0c0fe8d8243ef872f84809ec906e266

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dll

MD5 5199d6173a6deb45c275ef32af377c3c
SHA1 e8989859b917cfa106b4519fefe4655c4325875b
SHA256 a36f06cbe60fc1a305bd16cd30b35b9c026fd514df89cd88c9c83d22aefbe8c3
SHA512 80b96196f1b3d6640035e8b8632a25ecdb3e4e823e1b64fc658b31aae6c6799aa1d9fd1acffbef6ff9082e0433ac9ab9426d5400d3644db9958940b8bb13f6d8

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

MD5 04adbbdcefa4318263b0d53fae0dd42a
SHA1 ee76babea22ff568f5c3f5d1868984b08785dfa9
SHA256 9dd105d58e96fc3536b1fb9802320da53931aad99f2d428634bedc783c1a70ce
SHA512 9a0e6ab10c16ad2ebf934766d7207032d3aaf1cf5eb522a9d06031cf1d06b5e54f42bf042768ab679c547eccf75539c074c5a90f3ca4221a4a8e7b83ad89c2f7

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll

MD5 b6022150de5aeab34849ade53a9ac397
SHA1 203d9458c92fc0628a84c483f17043ce468fa62f
SHA256 c53b12ebe8ea411d8215c1b81de09adc7f4cf1e84fd85a7afa13f1f4a41f8e9d
SHA512 2286399bd1f3576c6ce168e824f4d70c637485fae97d274597d045a894740519512f1865e20562656297072b5625bdd2a5ec4d4f5038176f764eb37e22451ade

\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll

MD5 54e0201723e628a6546eba18db743b78
SHA1 3cf90861b160bfb74d9dc3feef46b33bb8f26cce
SHA256 2af9d5843c6f35620ef5f414f6358cf601ccbc829facbca376b730645fe91702
SHA512 d6cbbcb037fbbde6fac5dd89655ab130156744b39fc4706a4c4753d89142517c1c0bef8c684185700204921be4a2f73f9533f7a358620c617289303c2fcbbd19

\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll

MD5 cdfbe254cc64959fc0fc1200f41f34c0
SHA1 4e0919a8a5c4b23441e51965eaaa77f485584c01
SHA256 9513129c0bb417698a60c5e4dd232963605d1c84e01b9f883f63d03b453173a9
SHA512 63704a7a4d0cd8b53972e29fcbee71f2c3eb86a0411f90fc8375e67cb4b3bddb36c753f3f5b113c3ca333c381f86a19e2168218cc2074f05ad1143bc118cd610

memory/2236-125-0x0000000000BB0000-0x0000000000E93000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

MD5 ac1adace74866c7cf424644753de2c86
SHA1 dfb9a7ccb493120a393b004b3471d1ed8b83a5bf
SHA256 aa658f50d4d4788e598fc1da4c25731a6e7845649cfcd1707dae7253f71e1635
SHA512 6dab4e6e36942bc2231ec3e8d6895d199ecc299320f13790c4dee9626ab87b89ed9a3c5e44f7cbc37b33ccdcd1578194fd5a9c56f0c888b467a737d51184de80

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dll

MD5 46ede9ea58c0ac20baf444750311e3f8
SHA1 246c36050419602960fca4ec6d2079ea0d91f46e
SHA256 7ea1636182d7520e5d005f3f8c6c1818148824cee4f092e2d2fe4f47c1793236
SHA512 d9154430c72cbf78f4f49ec1eee888c0004f30a58a70cee49f5108ded0994ba299ba6bf552a55ffeedb2ab53107172324156e12e2fbae42f8f14f87ec37cc4e7

\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dll

MD5 89e794bbd022ae1cafbf1516541d6ba5
SHA1 a69f496680045e5f30b636e9f17429e0b3dd653e
SHA256 7d7eb0bc188fc3a8e7af7e5325d4f5e5eb918c4138aea3de60d6b1afac6863f9
SHA512 16455e29a1beece663878e84d91c8e75c34b483b6ff3b5853ced97670a75a9c29cc7a7aa78b0c158eb760cda5d3e44541aae2cc89b57d290e39b427d4c770000

\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll

MD5 322d95e2c172ff8dd88f1f3af280d6c9
SHA1 2eaca7c9b870de1662f30c8995d2a2f5a4541773
SHA256 3ae47306d2bcc52c9aaaa8a88d279885a6ebef9563dcdbedb1e64bb9853b3204
SHA512 342c001e5e556244ba537a8e3bbc51dcf137e79aba55e154a0a40ce3024b14e34ee2b8dec44d55988fa89b7502aed460c938013aad3c52843fa1050797b42aa1

memory/2236-128-0x0000000074E80000-0x0000000074ECD000-memory.dmp

memory/2236-129-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/2236-132-0x0000000074DD0000-0x0000000074DDE000-memory.dmp

memory/2236-136-0x0000000074D00000-0x0000000074D9E000-memory.dmp

memory/2236-135-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/2236-137-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/2236-133-0x0000000074DA0000-0x0000000074DC8000-memory.dmp

memory/2236-139-0x00000000003D0000-0x00000000003EE000-memory.dmp

memory/2236-141-0x00000000001C0000-0x00000000001CE000-memory.dmp

memory/2236-140-0x0000000074BB0000-0x0000000074BE3000-memory.dmp

memory/2236-144-0x0000000074CF0000-0x0000000074CFE000-memory.dmp

memory/2236-145-0x00000000001C0000-0x00000000001C5000-memory.dmp

memory/2236-148-0x00000000003D0000-0x00000000003E7000-memory.dmp

memory/2236-150-0x00000000001C0000-0x00000000001CD000-memory.dmp

memory/2236-149-0x0000000074AB0000-0x0000000074AD4000-memory.dmp

memory/2236-146-0x0000000074AE0000-0x0000000074B16000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

MD5 bd7080f930113055740a2c6e6fc27432
SHA1 29b0255ba4f78840f7ebe99d40955b1de8c80cbd
SHA256 db91f4a79ea83a042002d5115e370e9716a08a38c155a9df1ca8adf1ff9d377c
SHA512 df94b402d858ad5c8a6f9b514ce9288b895885f84762527e662a0d600e02948946c7b846a737b8e656974f96cecf60d121617694ff829952e37c2c3951bee3ca

\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll

MD5 5080bc1e4f5b88647b203a92bc55296b
SHA1 77f92daa787d2511381eb3c77f8b53779844d38c
SHA256 fef37f27d557848ee19d8b21065af566d3588c5f3f73ed26cedb57ebc85971f7
SHA512 feae5d03c431a47b3f22b3804bb494db5bd1a336a06e4f6e0f02e6344bae399be53f02da290b1f267f9034b7e2d21a8c2d229dcccaaa69ee8f1a4fcc32220f4f

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll

MD5 e98f595caa5ee23e8a3e46d83211da9d
SHA1 a7ef9e7c3eddaa7b82acb7eba7a2c88a70bac017
SHA256 df12ced54ee1dd73b230be239fb2ffce141bbf4ff979fb33ebb153a0bda88a1a
SHA512 e777a5ace5ecef10ae051df02a443279af5f28a1e996905774f574ef8679363ae78db064ef6eb7c3f77dd87284cc0d070b1fe54b422f9ae0a2240286a9541938

\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

MD5 3f445b05f46e32fdd6e432746972a9c7
SHA1 3708af1e027f97ca869910e26bff075b7a2354ca
SHA256 7c46bd332a90f66203b45b9fa9834b70cace371252202d427b48ac263f620dc4
SHA512 67da0f3627310c84d327496e95d5c222bf26d353b1646218496c6d37884361b0ed38392af523e172a2902300ab08719653ec58449201b28c7eb366674c15bab4

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll

MD5 3e74f168ecfebd58cf6ccd53d44e2c36
SHA1 94b451195c161f087469025d208cf35989577169
SHA256 65340ef26c466ca3f76a475e8aae69eda403aa1bb8514d7f2218cfd629090679
SHA512 b5d18779345e553e34f59b9e451a4e083cef72bf13f2bb745ff143924b27a9c88765e97d172e67c091eebf373bd96671e4059030ba1761b6b3a9ca89f493cf15

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wav

MD5 2681a8548eaff75b452695aa5fd5d10b
SHA1 55035741de83e4923deea71053bc1ad41b0b4850
SHA256 81c018dacc7bf03ace288c5f31845f28e90f44bf839c0752bfce383ea302800f
SHA512 2e48fcdb60bb34a21f5ba4073918912ea63f95ce90916bef5d558eb4eb7efb5a2be2c2d7789a09565b36add1989ca2c13b995c43ce6b94a21498eb012157de5f

memory/2236-160-0x00000000033A0000-0x000000000342B000-memory.dmp

memory/2236-163-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

MD5 62295d2559907e61c7e74247b6a957ea
SHA1 4f4ac36435675ed38acd5bd82c73daa63342eeec
SHA256 a5860624257cf3efd51b7974e7caa0f1456380082b1199adcd8f5cf9a36495b0
SHA512 2b1bf890784e76b1504ee3ad5373faa3886dc5532484925e011f5c8f9c7aeaf1986ef2ef9491677682c678e205c22442e6415bcbde190ef06306ee111ee3f2eb

memory/2236-159-0x0000000074330000-0x0000000074455000-memory.dmp

\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll

MD5 ed28c75577f469c025bc335f6b932742
SHA1 00ea239d5b208a8258397f3478e827cc60ec8353
SHA256 45ee48060427db81c57adc64db581190c7cc1e25416293b6be43e72b8a03cbb3
SHA512 ccdc6143dcc76e1bf9903f1a52898fb7651b9bf7edfc8fa5a4b28b601d509e2d6b806569073536ee09c67a29932813391d025777cd05e46048c6da17af3068dd

C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

MD5 00d6d60044b89817c3998c0bdb51cf05
SHA1 a576b444d65fca2a24541c7096c008afda26b614
SHA256 931b546cf07542ef5d631dfa270bace0dd9d104abdbad22cd6698c18f4c37b7a
SHA512 02aa66497299e16e19054ccd40e040b619e9914799f221286c94f80e3f4324a5146e42aff787d628c2678e465f756b623b2f7e50ffa395f08d9c837d4f126ad2

memory/2236-167-0x00000000026F0000-0x00000000026F1000-memory.dmp

\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll

MD5 4fb7c041ea405ed0101725d959287968
SHA1 34e58a44c1f87b5328cd34b832cad1fa5eaf973e
SHA256 ba501733a9be30fa908d3c1c3c2ebb8b6b4f197d22bca710b5e714a84d94446d
SHA512 74121cc2018200b6e2fdf6f2ccfc87dc330b9d2cb922db91f73156171aec04bb59744a950c48b1f6f3c280f58463955d0d6ff678a8ba7cb529998426c6eda15c

\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

MD5 1019be25b415065bdcfdc9ef9c259f88
SHA1 8d59b5469443fce608468576c988b8d0c8bbd123
SHA256 8411cf45e3459f51dad91a9a6749dfdbfe98e2dd8669637b708204c8a1d7c66e
SHA512 077704b51682b404624221898720a2f873ecd717a3c6decfa304cc47b2658e9dc26399a85f1919c58bb4a671370ed2be6ba0ce762be40057db2f4c473a7a4d13

\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

MD5 f3e9271da313414e07f0080d0f4b3d1c
SHA1 d3004f675eef214aabb7bfadca8cc1d665cfc08e
SHA256 727662fd649c3e0a3c3255b66fc635dce24af3da11b43ef93eef257b27d29e3a
SHA512 da8584e5ae43b2be14da0e99ba223f61b6ae98e94dca3b35ed782f69f2d4213aadcd17d0bd62ffdcb76802ee29957087e4745e66228c4355cd14c5c9f44567e1

\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

MD5 36771fa50176424d423a259546d36fa9
SHA1 804c0c56ccfcc0cfdc6d80527f169358f422f57c
SHA256 ba0adcbc2440c006f52dd3e85b3936af3a252e43ccf2e83045945d2b21c8ecb5
SHA512 db34e48101b760cad4f5909845a4a3e724063a2decfb3bc4a075999a5c9df4727e7b70aa2df17e83e39f442e515664ff0cfb2d62e2f8c2d3236cec3e9f0f9733

\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

MD5 189b1b9d6ec1677f8fb358e1ff22b766
SHA1 b3e9d1b09c53a512efd93ea79a1c155f5c0434c4
SHA256 f0328d7312ea741eb7860a00e3e387d3f0a4522bf9daa9dd51e740b83a8776ea
SHA512 35860534540ed5cdd4a1982f65ec9a51eadd9506fa9304390e57f854c57ec7cbcce86e71a292e76e6951fbaf21d185440acb4d9c1eaa0b78407b813d5992e39f

\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe

MD5 361144144302e903187328da4ab5e7dd
SHA1 cb5f7bf8a576dd636895ecd05807be4b0ef589d2
SHA256 0cdd9e5a49a0c9ce068d9888ac37ed765a9c8784b7f6df05adb415c0fbcad6f4
SHA512 2fbbe63c2a0c2ee1b2e47d7f0a2827f89a955ada77ca224ca71c4c9a9e7e9201c5fc7877d22d6a97bd7af9781f299f966fb9a7e171b04b3168b00d1473bfa792

memory/2236-177-0x00000000003D0000-0x00000000003EE000-memory.dmp

memory/2236-176-0x00000000003D0000-0x00000000003ED000-memory.dmp

memory/2236-178-0x0000000000400000-0x0000000000BAB000-memory.dmp

memory/2236-179-0x0000000000BB0000-0x0000000000E93000-memory.dmp

memory/2236-180-0x0000000072B30000-0x0000000073853000-memory.dmp

memory/2236-181-0x00000000001C0000-0x00000000001C5000-memory.dmp

memory/2236-182-0x00000000003D0000-0x00000000003E7000-memory.dmp

memory/2236-183-0x00000000001C0000-0x00000000001CD000-memory.dmp

memory/2236-187-0x0000000000FA0000-0x0000000000FA1000-memory.dmp