strela | 6a0ac5a6cef15e181e0808a20033f12af37c0ab5d80d6eba62ca3c98b430a740

Analysis

max time kernel
150s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-10-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

82.5MB
MD5

2b408f64508f89f31eea20586050fd85
SHA1

8f26ee1f0d9714dbadd99ca6d26751a35dca3dcd
SHA256

7c7b22145b0d6b10576d358a3eb903b642b71dcf374cb58d8a372aa23b3e4baa
SHA512

cfa073a656dadb8455c6b9ef535858f87c747a42021b23a83596c71220e304ea61bfe4880f7f0df96f88d2ecca22d6d3b7b9a8dfbc01bd620fb9100ffe9b9290
SSDEEP

1572864:m2n1DWpbcQb+1hekC/0LQJzBNEcxOrIP/YpUIHdwDVKdj0nnodsYAWbjZk:m2tWNkekDLqNEAAU4wha29sjZk

Score

10^/10

strela discovery stealer

Malware Config

Signatures

Detects Strela Stealer payload 1 IoCs

resource	yara_rule
behavioral4/files/0x001900000002aada-35.dat	family_strela

Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Executes dropped EXE 1 IoCs

pid	Process
2568	Melodyne.exe

Loads dropped DLL 11 IoCs

pid	Process
4232	setup.exe
4232	setup.exe
4232	setup.exe
4232	setup.exe
4232	setup.exe
4232	setup.exe
4232	setup.exe
4232	setup.exe
4232	setup.exe
4232	setup.exe
2568	Melodyne.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mfc71.dll	setup.exe
File created	C:\Windows\SysWOW64\ReWire.dll	setup.exe
File created	C:\Windows\system32\ReWire.dll	setup.exe
File created	C:\Windows\SysWOW64\msvcr71.dll	setup.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Celemony\Bundles\MelodyneCore-4.0.4.001.dll	setup.exe
File created	C:\Program Files\Common Files\Celemony\Bundles\MelodyneCore-4.0.4.001.dll	setup.exe
File created	C:\Program Files\Celemony\Melodyne Studio 4\Melodyne.exe	setup.exe
File created	C:\Program Files\Celemony\Melodyne Studio 4\Melodyne 4 Introduction.pdf	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\uninstall.exe	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\Melodyne.exe	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\MelodyneReWireDevice.dll	setup.exe
File created	C:\Program Files (x86)\Celemony\Melodyne Studio 4\Melodyne 4 Introduction.pdf	setup.exe
File created	C:\Program Files\Celemony\Melodyne Studio 4\MelodyneReWireDevice.dll	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\ = "Celemony MDD File"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\ddeexec\ = "[open(\"%1\")]"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\DefaultIcon\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\DefaultIcon\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",2"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\ddeexec\ = "[open(\"%1\")]"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\command\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdd	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdd\ = "com.celemony.mdd"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell\open\command\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\ddeexec	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpd	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpd\ = "com.celemony.melodyneproject"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\DefaultIcon\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",2"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.mdd	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\ = "Melodyne Project Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\command\ = "\"C:\\Program Files (x86)\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\DefaultIcon\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\",1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.celemony.melodyneproject\shell\open\command\ = "\"C:\\Program Files\\Celemony\\Melodyne Studio 4\\Melodyne.exe\" /dde"	setup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2568	Melodyne.exe
2568	Melodyne.exe
5020	msedge.exe
5020	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4232	setup.exe
2568	Melodyne.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	904	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	904	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4232	setup.exe
4232	setup.exe
4232	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 4432	2568	Melodyne.exe	87
PID 2568 wrote to memory of 4432	2568	Melodyne.exe	87
PID 4432 wrote to memory of 4936	4432	msedge.exe	88
PID 4432 wrote to memory of 4936	4432	msedge.exe	88
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 3824	4432	msedge.exe	89
PID 4432 wrote to memory of 5020	4432	msedge.exe	90
PID 4432 wrote to memory of 5020	4432	msedge.exe	90
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92
PID 4432 wrote to memory of 408	4432	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004AC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Program Files\Celemony\Melodyne Studio 4\Melodyne.exe
"C:\Program Files\Celemony\Melodyne Studio 4\Melodyne.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://services.celemony.com/cgi-bin/WebObjects/LicenseApp.woa/wa/Melodyne4Service/downloadUpdate?token=518943dfde8248d4947381c40e50acc5&trk=676307f4603541308eac44716c6032e5
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8297c3cb8,0x7ff8297c3cc8,0x7ff8297c3cd8
    3⤵
    PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1788,11971033219215379518,7397402284550216806,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
    3⤵
    PID:3824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1788,11971033219215379518,7397402284550216806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1788,11971033219215379518,7397402284550216806,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
    3⤵
    PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,11971033219215379518,7397402284550216806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,11971033219215379518,7397402284550216806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Celemony\Melodyne Studio 4\Melodyne.exe

Filesize
1.1MB

MD5
d32422e914e189bfb2ba4a549fb1c0b5

SHA1
903c8156b20f49b90aef282dafc5ec9d91cfc3e6

SHA256
467f6eecc90e22bf114d55acb5a68f7ff25798e341bb08fd418182c9a7c03b9e

SHA512
b9ea71a67976cda6c856d4a49465f90a02a27aa551a722d13887ca42191441b5e279c18d29e6e4b8542301b28c07dd6e9eee925a1be80f84df6c8bee08228c1f

Download Submit
C:\Program Files\Celemony\Melodyne Studio 4\Melodyne.exe

Filesize
1.4MB

MD5
b4aeae270498dc2b7f9a4589dfb9d17f

SHA1
c5d45fa9e59b7566ee4aa6af648974969a0d133f

SHA256
4776e30359f5aa2f32660579afeb014daab0dfe91e7a3bbdbbbe9ceb83b91368

SHA512
00bca96406f4fec76a42c7097cee9347eb2961b09cbeeb017d65412e628208954322a0c975bc4c2e8516de7e4e9adaf16e7b22c8881457e9069123ad1230067c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
c2dc9a2af4b6f5a51811aaf13ae03aa5

SHA1
7b2c4d38144cb5520841de768d6034205036ac01

SHA256
ef541d26da4c257debc71e03c557f40abd4f8ac2975dbfab557ae2ae47e00b32

SHA512
cd41cfd53c1a14fd7612c442ee4b6c91a4e3b1d5840eaff465bde2573c1e6258908bdb3a4869a5e0464cac92e15a8d70e049576718c158fb56ffbd379c8ecd0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
395B

MD5
8250087c6f075de0c9eaa13fc2098bf6

SHA1
541e6c3b70c198a3686836bb8940837659f2fe73

SHA256
f0e8778271884af773d8a57451d519f6d4ce62e45adbba93f4753e6997b32ccd

SHA512
fab4907602e93afda37cd6d965e14e831280f7f30a9f57f356a6e261bb498d8769ec8c6d02ea482e9897a166e0082bf822a7e98cbf3ed6fd03b0c3ea7469ba8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95636b6ad17de3d16131c78ecd7e099d

SHA1
c84d9af721d0423089b245582486a0425e345ad9

SHA256
f0408d3a7a68202e90698327e58768e56b52a3884b20a0ac89389013e4e74368

SHA512
7d30bb7913e74d847a957ab6648dfcf025f4df51c59852668ddca76e86abb770d86906cd60d2b0cddc2594f2af5bf86af3be7b666ac957f038be46bec557d562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
112c2d795255c81b7bd50fab1ca3efc7

SHA1
68207c1f2df219ba9354cb9a11e0f151c355235c

SHA256
65532d20290c7020d1700adf8ac9cc780e810eb90c68bbcf02ddbdfd75ce236e

SHA512
4d58c44cf4507ce547811e94ef3aeb73e99e5ea92b34abce5d003cb79efffd81da8fbb4c1ad9eb8de6f9a672f24aaebf31e48e8ca633e7ed93df5b6989ea0b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
597300e9721092b2bd54fc345f7e8f19

SHA1
8efb029c6ac4f2fc1027eff899c6c3d9bed4bc08

SHA256
4d33a9333bbbe5309bf8a0ddcc4e8c23afa327c67828e15bb4a84f7487dfb3e0

SHA512
4903278ec6e3d6dd7c9ff857d29b12608d549633c2aca75dda4f3030a65599a1e538d037482b69dc42dac9d3ce131c5476ac3b7744f25054cb2dcaf29b3a4d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aa2e03c1d18e3654832091503f2da8fa

SHA1
ddc4987704163419e9733e5c29a183f2f5a6a46e

SHA256
f8b1e8e2f7828a6cb711da92b08dd6a2a46f0e14fff2f6adcccbbb76cf37d3f7

SHA512
056d271efeac709c847bcc4c792599ce9128bcc1eee1bb4c81b6633ace555d0a3f808fc388260c605be079fcad5837dc2242d731344a6e3bd576bb2a24a019b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba83b4173033f51c0ea2ec07469fd46d

SHA1
7f2db84ef4e39dd163b52bb6651a79add3a6306e

SHA256
21a429f24fc8db7ceb1a7ae7915e2658657d1e095adf777534f15522202412e4

SHA512
133e85343e8113137af6253baf564a136df5d22c3d08c707dbc4cb64d2e1f2f0e0253a2bc30add300528b8c53b90c1d7e04d9dacc08add5124ca9ab4d51fb0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\NSIS_SkinCrafter_Plugin.dll

Filesize
5.8MB

MD5
2e13e03b7cf2d8c8338bbc3d29fd3e07

SHA1
173e6e67c5315474765dcd303b3214d5600c48ea

SHA256
ea1552de423ed1768bace344d9a07bf529845c75fe6fc6ce3c4ba91d4aae5409

SHA512
94220a07aea2f4a45ef6b7566baba5a9ce73e70236bf97fc2489bee50b662f3fd05824d7804dd544eef85d73e69091aaae5de3094f0866bf51521024eb3d168d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\SkinCrafter.dll

Filesize
792KB

MD5
8fea8fd177034b52e6a5886fb5e780bd

SHA1
99f511388a2420d53b8406baed48ba550842eaad

SHA256
546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de

SHA512
5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\bass.dll

Filesize
107KB

MD5
c0b11a7e60f69241ddcb278722ab962f

SHA1
ff855961eb5ed8779498915bab3d642044fc9bb1

SHA256
a8d979460e970e84eacce36b8a68ae5f6b9cc0fe16e05a6209b4ead52b81b021

SHA512
cb040aca6592310bffb72c898b8eb3ca8a46ff2df50212634c637593c58683c8ab62e0188da7aea362e1b063ae5db55cf4bf474295922af0ab94a526465cc472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\page_component.ini

Filesize
890B

MD5
ee8d193fb80ca974147fb757e9d96094

SHA1
66dbe5190661a33f3ea8b54a29be44d668fb5f7a

SHA256
2f4f162ba3e257ed96d294189263a651ed716a9c4b0c2c0d4b9860bcf0ff42e0

SHA512
61db075cd9ab69bc3c4a55f6d07dd0b50882313bac573c059ec816a06706adc206eaeec70efa1653384a4f773454c5190f85007dc52da9323c13175d0dd79293

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\page_component.ini

Filesize
890B

MD5
b49111aeb0a8a1165a234861697967c8

SHA1
12148365a50a133d711486d564c17913315d6b84

SHA256
a10a45ded419041a19f566573d01344ffd54fb392f8f879b100102f736ed5e6d

SHA512
9c51abb2c0a79b6e8e8aa0636250674cbbac8b23b5af218c94e9b6ffa8fbc472e8faa8925c21c4f6ef5f94697d78644d3185192cd9c0119137a70565ff8c449a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\page_component.ini

Filesize
1022B

MD5
a2141ecfa815b3513ab0ca17334181f5

SHA1
7d2b4b6c6169eacafa25a56632a21b3fb103bf08

SHA256
6095ac8285fc671e5fe6bc9463062b9b981d837cc53c46c624abbbe12854f922

SHA512
5a2f2e3e1449b76f4f4210c6ec24553f68fd9c618a51e7a061a153a4ceea4a59d0d625417344a767b51cd90c3c62c917404076e678c5617c41a24fbd290daa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\page_component.ini

Filesize
787B

MD5
75a65577d878c0238f7be2611246a061

SHA1
7858cbb53edef3a9f8e8ba5f95961fce883245cf

SHA256
58b69f563c8b84334e45884ff00c295fab7ce5b45bde2b8ffc4c4a74513645eb

SHA512
e64298cc12d9a780a4f67be9f7d869e730c3580c449cdd4e0756f339874dca12ccb5ac3d8c7f2a6afe6419505d84028442acaa55aaaded7ddd4497b13abcffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\page_image.ini

Filesize
179B

MD5
364b40a883521572da0b25b8c2d3f172

SHA1
4581012f6d77883c790dce28c98c0e060ea61e70

SHA256
0bd1eb7103fa16a746f3e81c41d59f8c087fae63ec2a118a3e4d6b6bbe01f369

SHA512
6ebdcedc991c303ec3e871c15ddd8c7a8979eaf9d2c5bb537cb1fd7b8421d3ff77bad968dace209acdc128a1a38599029ba8c240e6d7a7257b31e0f9b793bc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB354.tmp\page_image.ini

Filesize
170B

MD5
c941fa101c3c846265eaaa28af8ec367

SHA1
6ce65cdeb77dc9cca64f283a1f2f25137d57f46b

SHA256
0efb3907c4410289a80871b90ed7e2767f92d1c3c3d72943fc95d9114b618dc3

SHA512
ac46a8015b2eef4e6940749b88dd8da472e33b3a0a2a1dbd04bac36a5afbfd34f3dbb1c1fb08218a5992c4138972d3f09ab9a2bf792047c475a5028abd80a620

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp#2568#2016.cur

Filesize
15KB

MD5
08dc150b70cf7aad25c4c3028eafc4f9

SHA1
14ec5ec0078dca8fb0935850e0df32e84f0ef02a

SHA256
507cb2661e510d2f53de04033b343f5920dd294784f5aba648b0b06bcd41b430

SHA512
4384471a387e0b696cd7767997c44ec60542bff4da66bb8f748424fd55b9b643f9ac1cec067f0fd8968574785ea820e5ddddd64426877a7c38d5f8ac868575b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp#2568#2016.cur

Filesize
15KB

MD5
0fde7ba25e4c285ffbb3029334d4a457

SHA1
2d1ac828f8220b9668d78dfb6103edbcd36bd40c

SHA256
cd01413c76e8cc149f4f02df875141984c1dcc51efedee7e85d6f5b1c9227a5a

SHA512
4aea36afee0abfb034d2d4fb48f46b512a625f2d7d6a4961dabb1ab9d7dd6911b7f1ed46bcbcffc4dd38cf70dc56b585e7ed7cece673767db5c9ea341be558df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp#2568#2016.cur

Filesize
15KB

MD5
2f3bfccd6bbbbff3e9eefd9909727bc3

SHA1
abf4fbcff8e7c5c981793f050458e6b23d8dead6

SHA256
20035f24056b582a3a86d86390ad89851f5b8348d10d5b53e5dbe06e311ee86d

SHA512
bcbedf29c0ab234188b4b322d00db50eb12420b0f4e8de394c8e93a9425fa39d90ee103ab0aa2061dbe380ea5bd1f2be9dfcd8056ff6af11e19daa00879333b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp#2568#2016.cur

Filesize
15KB

MD5
74aedf8c3edcbec1f4ec45eab45f9331

SHA1
6a2d72c177dccdce22e295c13a0b8f2fe537d584

SHA256
3258ef803f16777960244aaefae4ced886b63b9f99953b860d977c7327c156a8

SHA512
08bbf03150fbf1906831f6069b47f2b4c51e083114343f4c3bf777471ca9a1a1c28b2537ac70453d7e2e4c59e0204f5591e69361f61940069d655b8809b91664

Download Submit
C:\Users\Admin\AppData\Roaming\Celemony Software GmbH\com.celemony.melodyne.plist

Filesize
865B

MD5
4eb6b4dc9b12df1da3df48a2a3a9fb54

SHA1
4ac919141dd02513c87105323b72fed69e3b46dd

SHA256
5db1b22a4247b6e4581edfa0ab447d644dd5cc6f62cd72b7a723e99ba74849e0

SHA512
959d46a86099873fb3ee389de66f5e1f171ae4ed6bd50dd33375c3b191407caf8ceebb41514df2da3c39b8d1c77326d54991b5b5a558129720a43c7bf150377a

Download Submit
C:\Users\Admin\AppData\Roaming\Celemony Software GmbH\com.celemony.melodyne.plist

Filesize
675B

MD5
b02dd56be1467dc1020bc139e064c625

SHA1
e59223dcf96fbf3c9f7655928d49041cc1a0f05a

SHA256
eba424fe56de31313e42599426215d6cf380e79a882f876074e4daf2f4dab5ef

SHA512
74b55bf23c135df495bcb6dd20fab49e147a561f4af2673adc7de9aaad95030ab21cf73f98d06f5d892b57453cc069a99ee63fcd85023c8cf45b5619592445e6

Download Submit
C:\Windows\SysWOW64\mfc71.dll

Filesize
1.0MB

MD5
1fd3f9722119bdf7b8cff0ecd1e84ea6

SHA1
9a4faa258b375e173feaca91a8bd920baf1091eb

SHA256
385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823

SHA512
109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

Download Submit
C:\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
memory/4232-17-0x00000000745D1000-0x00000000745F7000-memory.dmp

Filesize
152KB

Download
memory/4232-16-0x00000000030F0000-0x0000000003108000-memory.dmp

Filesize
96KB

Download
memory/4232-88-0x00000000030F0000-0x0000000003108000-memory.dmp

Filesize
96KB

Download
memory/4232-45-0x0000000003C80000-0x0000000003D4C000-memory.dmp

Filesize
816KB

Download
memory/4232-13-0x00000000745D0000-0x0000000074620000-memory.dmp

Filesize
320KB

Download