gh0strat | 9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974

Analysis

max time kernel
121s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe
Size

6.2MB
MD5

af87ccad9f171ee90f847f963bedfffd
SHA1

71825c9b153308caa2a70de4e20eb69aa9958963
SHA256

9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974
SHA512

2020bd18eda919ccb94a891bb61d3cabaa31f9aa8cba00b09ec85bb62027c6b9a91e1d98000ae809505639af0ea4e13caae3c66c0d620d7f7da141be28018637
SSDEEP

196608:HLPHdacOmAam8Zo9+SvvEVuRuimE4oc3CGZNv:xT0X8G9+S0V+ut15

Score

10^/10

gh0strat discovery rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1904-318-0x0000000000560000-0x00000000005DB000-memory.dmp	family_gh0strat
behavioral1/memory/1904-331-0x0000000002700000-0x0000000002796000-memory.dmp	family_gh0strat
behavioral1/memory/1904-332-0x0000000002ED0000-0x0000000002F48000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Executes dropped EXE 1 IoCs

Processes:

tbtool.exe

pid process

1904 tbtool.exe

pid	process
1904	tbtool.exe

Loads dropped DLL 41 IoCs

Processes:

9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exetbtool.exe

pid	process
1704	9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1704-40-0x0000000000120000-0x0000000000B77000-memory.dmp	vmprotect
behavioral1/memory/1704-39-0x0000000000120000-0x0000000000B77000-memory.dmp	vmprotect
behavioral1/memory/1704-42-0x0000000000120000-0x0000000000B77000-memory.dmp	vmprotect
behavioral1/memory/1704-253-0x0000000000120000-0x0000000000B77000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tbtool.exe

description	ioc	process
File opened (read-only)	\??\H:	tbtool.exe
File opened (read-only)	\??\I:	tbtool.exe
File opened (read-only)	\??\Q:	tbtool.exe
File opened (read-only)	\??\R:	tbtool.exe
File opened (read-only)	\??\T:	tbtool.exe
File opened (read-only)	\??\X:	tbtool.exe
File opened (read-only)	\??\G:	tbtool.exe
File opened (read-only)	\??\P:	tbtool.exe
File opened (read-only)	\??\S:	tbtool.exe
File opened (read-only)	\??\U:	tbtool.exe
File opened (read-only)	\??\V:	tbtool.exe
File opened (read-only)	\??\O:	tbtool.exe
File opened (read-only)	\??\L:	tbtool.exe
File opened (read-only)	\??\N:	tbtool.exe
File opened (read-only)	\??\W:	tbtool.exe
File opened (read-only)	\??\E:	tbtool.exe
File opened (read-only)	\??\J:	tbtool.exe
File opened (read-only)	\??\K:	tbtool.exe
File opened (read-only)	\??\M:	tbtool.exe
File opened (read-only)	\??\Y:	tbtool.exe
File opened (read-only)	\??\Z:	tbtool.exe
File opened (read-only)	\??\B:	tbtool.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exetbtool.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tbtool.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tbtool.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tbtool.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tbtool.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exetbtool.exe

pid	process
1704	9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe
1704	9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe
1904	tbtool.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exetbtool.exe

pid process

1704 9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe
1904 tbtool.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe

description	pid	process	target process
PID 1704 wrote to memory of 1904	1704	9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe	tbtool.exe
PID 1704 wrote to memory of 1904	1704	9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe	tbtool.exe
PID 1704 wrote to memory of 1904	1704	9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe	tbtool.exe
PID 1704 wrote to memory of 1904	1704	9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe	tbtool.exe

C:\Users\Admin\AppData\Local\Temp\9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe
"C:\Users\Admin\AppData\Local\Temp\9004bb9d8735f57c48d4b79608535b34413435507d61b53c6013769e747ba974.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Public\lsb_release\tbtool.exe
  "C:\Users\Public\lsb_release\tbtool.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\lsb_release\DuiLib.dll

Filesize
1.5MB

MD5
a3b393d6604c40c51f9f28533161ab81

SHA1
19480433f1a094f135eff78e4b63c5b47411f333

SHA256
a830e40e43aef4d9d7b7eeb6d94c17cd2cb11be7f3ee8adce2399ec5c0a6049c

SHA512
12c460443ae98c0a57abe98e8d70802367d9fe2a14faf66164a094ffdb10ee6d8a6b41e4c96e58a423218f3653ea56d804ed15614ff6957948025f78389c3313

Download Submit
C:\Users\Public\lsb_release\LIBEAY32.dll

Filesize
1.2MB

MD5
1707bc560de9c69ae7325b6f63c8ec96

SHA1
d15e908a921cd17fbcfe0000b264d52e8fd413e7

SHA256
648a673ec8504f8255de37996a21895279985e011124e8ff2c7249271d5890cb

SHA512
941b3a76d43626d3d8e369437b83e63689eb3f8ecf90737a2d2df8df1c38e19e02146938af12d0fa9850ba3154ad60d74c5e4b80cae4ff6e3bff9d2583538ad5

Download Submit
C:\Users\Public\lsb_release\MSVCP140.dll

Filesize
438KB

MD5
1fb93933fd087215a3c7b0800e6bb703

SHA1
a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb

SHA256
2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01

SHA512
79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e

Download Submit
C:\Users\Public\lsb_release\Plugin.dll

Filesize
271KB

MD5
27378e77fed60b91b9eacef55b10d3a2

SHA1
603050de753ae268e09aca9e37b30ac4e647b6b7

SHA256
553920c1b7dbcabcd18e8a17a3f0b3bd91f3fd2a3375a6163c8e85d441cb8a18

SHA512
95be8277a4ceaf29a2c7bbba6f8e06fb894bb883ff457e08851352dd751375f94c551a78204fc30838aa2c4a6741f49e30bfa6f0b6a6f0287c5d77b0e9ed6c6d

Download Submit
C:\Users\Public\lsb_release\QKGuide.dll

Filesize
893KB

MD5
057d333133ba16ad86fa644e8b28adf7

SHA1
7542ae74dbcaef4fd60e82937080efa1c2ac954f

SHA256
51d34fdf50a1542a86f2befa3e0f7615832558d29e41cf92c9206b44b67e1350

SHA512
83a61c8da999bdcc3bb47b47d8aeea3fb8605404cda949acb91bb0b7aaba7d1c854f7cf44d8d5ba81d5be5d2c3dfc5babf66f72bf1137c2786b34bd32b853e78

Download Submit
C:\Users\Public\lsb_release\VCRUNTIME140.dll

Filesize
78KB

MD5
1b171f9a428c44acf85f89989007c328

SHA1
6f25a874d6cbf8158cb7c491dcedaa81ceaebbae

SHA256
9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c

SHA512
99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1

Download Submit
C:\Users\Public\lsb_release\alibabacloud-oss-cpp-sdk.dll

Filesize
1.0MB

MD5
0aaeb781e651be69f6d643a72b15c6cb

SHA1
8be4066c628629ffe77254c2cc452aecc1fee8dc

SHA256
e9359d5c42b6767d63525ae73eb194a88c3e68111cee4ec1a2bdbb8ecf530bb9

SHA512
c6f1af6bb30005f8b89951612961ef8db706d39ace2e674cf54a14445fdfcfe8cf8c5762fe04406b9d87154a919cc47e251eaefd9cbd15e00b2ecf471854e6f5

Download Submit
C:\Users\Public\lsb_release\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
95c5b49af7f2c7d3cd0bc14b1e9efacb

SHA1
c400205c81140e60dffa8811c1906ce87c58971e

SHA256
ff9b51aff7fbec8d7fe5cc478b12492a59b38b068dc2b518324173bb3179a0e1

SHA512
f320937b90068877c46d30a15440dc9ace652c3319f5d75e0c8bb83f37e78be0efb7767b2bd713be6d38943c8db3d3d4c3da44849271605324e599e1242309c3

Download Submit
C:\Users\Public\lsb_release\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
c9a55de62e53d747c5a7fddedef874f9

SHA1
c5c5a7a873a4d686bfe8e3da6dc70f724ce41bad

SHA256
b5c725bbb475b5c06cc6cb2a2c3c70008f229659f88fba25ccd5d5c698d06a4b

SHA512
adca0360a1297e80a8d3c2e07f5fbc06d2848f572f551342ad4c9884e4ab4bd1d3b3d9919b4f2b929e2848c1a88a4e844dd38c86067cace9685f9640db100efb

Download Submit
C:\Users\Public\lsb_release\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
39325e5f023eb564c87d30f7e06dff23

SHA1
03dd79a7fbe3de1a29359b94ba2d554776bdd3fe

SHA256
56d8b7ee7619579a3c648eb130c9354ba1ba5b33a07a4f350370ee7b3653749a

SHA512
087b9dcb744ad7d330bacb9bda9c1a1df28ebb9327de0c5dc618e79929fd33d1b1ff0e1ef4c08f8b3ea8118b968a89f44fe651c66cba4ecbb3216cd4bcce3085

Download Submit
C:\Users\Public\lsb_release\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
228c6bbe1bce84315e4927392a3baee5

SHA1
ba274aa567ad1ec663a2f9284af2e3cb232698fb

SHA256
ac0cec8644340125507dd0bc9a90b1853a2d194eb60a049237fb5e752d349065

SHA512
37a60cce69e81f68ef62c58bba8f2843e99e8ba1b87df9a5b561d358309e672ae5e3434a10a3dde01ae624d1638da226d42c64316f72f3d63b08015b43c56cab

Download Submit
C:\Users\Public\lsb_release\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
1776a2b85378b27825cf5e5a3a132d9a

SHA1
626f0e7f2f18f31ec304fe7a7af1a87cbbebb1df

SHA256
675b1b82dd485cc8c8a099272db9241d0d2a7f45424901f35231b79186ec47ee

SHA512
541a5dd997fc5fec31c17b4f95f03c3a52e106d6fb590cb46bdf5adad23ed4a895853768229f3fbb9049f614d9bae031e6c43cec43fb38c89f13163721bb8348

Download Submit
C:\Users\Public\lsb_release\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
8da414c3524a869e5679c0678d1640c1

SHA1
60cf28792c68e9894878c31b323e68feb4676865

SHA256
39723e61c98703034b264b97ee0fe12e696c6560483d799020f9847d8a952672

SHA512
6ef3f81206e7d4dca5b3c1fafc9aa2328b717e61ee0acce30dfb15ad0fe3cb59b2bd61f92bf6046c0aae01445896dcb1485ad8be86629d22c3301a1b5f4f2cfa

Download Submit
C:\Users\Public\lsb_release\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
fb0ca6cbfff46be87ad729a1c4fde138

SHA1
2c302d1c535d5c40f31c3a75393118b40e1b2af9

SHA256
1ee8e99190cc31b104fb75e66928b8c73138902fefedbcfb54c409df50a364df

SHA512
99144c67c33e89b8283c5b39b8bf68d55638daa6acc2715a2ac8c5dba4170dd12299d3a2dffb39ae38ef0872c2c68a64d7cdc6ceba5e660a53942761cb9eca83

Download Submit
C:\Users\Public\lsb_release\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
d5166ab3034f0e1aa679bfa1907e5844

SHA1
851dd640cb34177c43b5f47b218a686c09fa6b4c

SHA256
7bcab4ca00fb1f85fea29dd3375f709317b984a6f3b9ba12b8cf1952f97beee5

SHA512
8f2d7442191de22457c1b8402faad594af2fe0c38280aaafc876c797ca79f7f4b6860e557e37c3dbe084fe7262a85c358e3eeaf91e16855a91b7535cb0ac832e

Download Submit
C:\Users\Public\lsb_release\libcurl.dll

Filesize
525KB

MD5
543435082cdfc166c08f421ea4565435

SHA1
f23342e50991162de17d512557c25515390dde8c

SHA256
6fbf08126df32c672947fb1903915329b2c28ca44317ef8cae1a66f86c942c10

SHA512
6b408c3d4a38e23e03cc542543a5ec2284c3be7b2a7ce7a9001239ef3fe140c97e36e55352704b6d23d0ce78fd697170f587aafb60d1d007e28f3ad9f70f8090

Download Submit
C:\Users\Public\lsb_release\mfc140u.dll

Filesize
4.8MB

MD5
06f307b7ddb0994b448b9786cf5811b8

SHA1
4d70c5206e84b23916e4c686f430e5dcdc70dfc3

SHA256
dde3c8e9e7d414913a29979798311d095c1b8869ee405a1c3fcbba14da90446d

SHA512
b26bcfca4569ce9fb4b7196c952ce38b0e3a30aeff2e7ac4b2ea1c695c658c1d92029fb7e31ad231e62de8dff2a86ab3821aa1f9d5c944d88b263d88efeca16a

Download Submit
C:\Users\Public\lsb_release\msc.dll

Filesize
1.7MB

MD5
18d35237d397e8396c30356ddb12dd9c

SHA1
8f86896fd6f884f05c48c3034b7b55b7d9e50a5a

SHA256
1c1f3b6df9347b864ac879ef841196b97ed02f5be941fd490817831889b97b84

SHA512
e2e1e1fdb6e161b28e90236edd0b35d3b91f507161b50615caaaa8f9484946c72ea35298838e1b538e4d2801aff9cece97b89447e78a3dc2ae4fdc962a26c5c3

Download Submit
C:\Users\Public\lsb_release\opencv_core2413.dll

Filesize
1.9MB

MD5
b83a304b66f3c9799cae2be75bec361b

SHA1
d7ccc4067af699e62f9a7f9001589d3d8c7f4ac6

SHA256
b0f02252f1cee1826f3b193e682344a8d9785e424e8009b60a7700e5c88271c8

SHA512
dfa3dfa9faf6a85af25fa4f12726ec27075053112e9455461e435ff424bff0635bd624c39c2e15f962b4aab3a6374b23024e7d805e0e8f2d54df1f92e7edd6f2

Download Submit
C:\Users\Public\lsb_release\tbtool.dat

Filesize
61B

MD5
285094a0ab91134a0d07dfdb9ff123a9

SHA1
ba2c1ea08009ba2cd68d1da6afa92490e8edc5ed

SHA256
e60c84a228e48ca4ce5cc42d6c84ca748ede0828b4edaf3168457df4fa94fd5d

SHA512
b2ff3888d95c552034640fdf19d4f03c46a38d45548e7c84da4e9d307f4390567164ddc903cedc2e145186a4c99422eee6dfd4032fec0ee344534d6249a73edd

Download Submit
\Users\Public\lsb_release\QKHook.dll

Filesize
24KB

MD5
32f12897dbfad3149821d503013c6a28

SHA1
52fc6755add14e6f6eb2b2f5a20d8022a32c8225

SHA256
93fcab146f4061b93e6566b1846cfefd05dae52afd763fdd261e6a0543436671

SHA512
c0547fb67c4d80e2d2744179c4b21d1e9b8694f53a6c843adc7e28df48b0e56c95c25b6cfc956f440d856add2bfc339b8178c820c28a09250854b5a57587db59

Download Submit
\Users\Public\lsb_release\api-ms-win-core-file-l1-2-0.dll

Filesize
17KB

MD5
79ee4a2fcbe24e9a65106de834ccda4a

SHA1
fd1ba674371af7116ea06ad42886185f98ba137b

SHA256
9f7bda59faafc8a455f98397a63a7f7d114efc4e8a41808c791256ebf33c7613

SHA512
6ef7857d856a1d23333669184a231ad402dc62c8f457a6305fe53ed5e792176ca6f9e561375a707da0d7dd27e6ea95f8c4355c5dc217e847e807000b310aa05c

Download Submit
\Users\Public\lsb_release\api-ms-win-core-file-l2-1-0.dll

Filesize
17KB

MD5
3f224766fe9b090333fdb43d5a22f9ea

SHA1
548d1bb707ae7a3dfccc0c2d99908561a305f57b

SHA256
ae5e73416eb64bc18249ace99f6847024eceea7ce9c343696c84196460f3a357

SHA512
c12ea6758071b332368d7ef0857479d2b43a4b27ceeab86cbb542bd6f1515f605ea526dfa3480717f8f452989c25d0ee92bf3335550b15ecec79e9b25e66a2ca

Download Submit
\Users\Public\lsb_release\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
23bd405a6cfd1e38c74c5150eec28d0a

SHA1
1d3be98e7dfe565e297e837a7085731ecd368c7b

SHA256
a7fa48de6c06666b80184afee7e544c258e0fb11399ab3fe47d4e74667779f41

SHA512
c52d487727a34fbb601b01031300a80eca7c4a08af87567da32cb5b60f7a41eb2cae06697cd11095322f2fc8307219111ee02b60045904b5c9b1f37e48a06a21

Download Submit
\Users\Public\lsb_release\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
6e704280d632c2f8f2cadefcae25ad85

SHA1
699c5a1c553d64d7ff3cf4fe57da72bb151caede

SHA256
758a2f9ef6908b51745db50d89610fe1de921d93b2dbea919bfdba813d5d8893

SHA512
ade85a6cd05128536996705fd60c73f04bab808dafb5d8a93c45b2ee6237b6b4ddb087f1a009a9d289c868c98e61be49259157f5161feccf9f572fd306b460e6

Download Submit
\Users\Public\lsb_release\api-ms-win-crt-convert-l1-1-0.dll

Filesize
21KB

MD5
9ddea3cc96e0fdd3443cc60d649931b3

SHA1
af3cb7036318a8427f20b8561079e279119dca0e

SHA256
b7c3ebc36c84630a52d23d1c0e79d61012dfa44cdebdf039af31ec9e322845a5

SHA512
1427193b31b64715f5712db9c431593bdc56ef512fe353147ddb7544c1c39ded4371cd72055d82818e965aff0441b7cbe0b811d828efb0ece28471716659e162

Download Submit
\Users\Public\lsb_release\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
034379bcea45eb99db8cdfeacbc5e281

SHA1
bbf93d82e7e306e827efeb9612e8eab2b760e2b7

SHA256
8b543b1bb241f5b773eb76f652dad7b12e3e4a09230f2e804cd6b0622e8baf65

SHA512
7ea6efb75b0c59d3120d5b13da139042726a06d105c924095ed252f39ac19e11e8a5c6bb1c45fa7519c0163716745d03fb9daaaca50139a115235ab2815cc256

Download Submit
\Users\Public\lsb_release\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
19d7f2d6424c98c45702489a375d9e17

SHA1
310bc4ed49492383e7c669ac9145bda2956c7564

SHA256
a6b83b764555d517216e0e34c4945f7a7501c1b7a25308d8f85551fe353f9c15

SHA512
01c09edef90c60c9e6cdabff918f15afc9b728d6671947898ce8848e3d102f300f3fb4246af0ac9c6f57b3b85b24832d7b40452358636125b61eb89567d3b17e

Download Submit
\Users\Public\lsb_release\api-ms-win-crt-string-l1-1-0.dll

Filesize
23KB

MD5
ad99c2362f64cde7756b16f9a016a60f

SHA1
07c9a78ee658bfa81db61dab039cffc9145cc6cb

SHA256
73ab2161a7700835b2a15b7487045a695706cc18bcee283b114042570bb9c0aa

SHA512
9c72f239adda1de11b4ad7028f3c897c93859ef277658aeaa141f09b7ddfe788d657b9cb1e2648971ecd5d27b99166283110ccba437d461003dbb9f6885451f7

Download Submit
\Users\Public\lsb_release\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
9b79fda359a269c63dcac69b2c81caa4

SHA1
a38c81b7a2ec158dfcfeb72cb7c04b3eb3ccc0fb

SHA256
4d0f0ea6e8478132892f9e674e27e2bc346622fc8989c704e5b2299a18c1d138

SHA512
e69d275c5ec5eae5c95b0596f0cc681b7d287b3e2f9c78a9b5e658949e6244f754f96ad7d40214d22ed28d64e4e8bd507363cdf99999fea93cfe319078c1f541

Download Submit
\Users\Public\lsb_release\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
70e9104e743069b573ca12a3cd87ec33

SHA1
4290755b6a49212b2e969200e7a088d1713b84a2

SHA256
7e6b33a4c0c84f18f2be294ec63212245af4fd8354636804ffe5ee9a0d526d95

SHA512
e979f28451d271f405b780fc2025707c8a29dcb4c28980ca42e33d4033666de0e4a4644defec6c1d5d4bdd3c73d405fafcffe3320c60134681f62805c965bfd9

Download Submit
\Users\Public\lsb_release\concrt140.dll

Filesize
243KB

MD5
8651e6272e310d5c64d0c91ca975b029

SHA1
0e2433c8771ac420b5684c79e96eb7e206350757

SHA256
b721897db5542d5b0c970ec624440442ed9ae781e55147feb9ff264f70f66cde

SHA512
d99d049b9ae9f7bcf9e6737b26a90f544a08ff49e06fdc39617b869eb97676024e18ba42e680db255a8a04f323de494dd8e7b706007e9b961c78a64cdf078ff6

Download Submit
\Users\Public\lsb_release\tbtool.exe

Filesize
346KB

MD5
b575cfefd5c7b14f4743ef2ad74b2736

SHA1
f433813501a7b5b96186bb02fe69ca01580627ed

SHA256
a38708da0db2003a1d14ed1e9d45a9ecb30a6294d472692f804ffb0cea70334b

SHA512
ea912b2589142f1a89ef84e503bf65999beb7aa76d2aa50e1e7edc178bf841debed906fc11da555a004fc715f52fa09baf3a3fe4b42c33e5c9cf811eba676e5e

Download Submit
memory/1704-2-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1704-30-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1704-5-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1704-7-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1704-35-0x00000000001A4000-0x000000000054C000-memory.dmp

Filesize
3.7MB

Download
memory/1704-9-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1704-12-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1704-0-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1704-14-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1704-17-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1704-19-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1704-22-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1704-24-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1704-27-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1704-29-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1704-4-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1704-40-0x0000000000120000-0x0000000000B77000-memory.dmp

Filesize
10.3MB

Download
memory/1704-32-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1704-39-0x0000000000120000-0x0000000000B77000-memory.dmp

Filesize
10.3MB

Download
memory/1704-41-0x00000000001A4000-0x000000000054C000-memory.dmp

Filesize
3.7MB

Download
memory/1704-254-0x00000000001A4000-0x000000000054C000-memory.dmp

Filesize
3.7MB

Download
memory/1704-253-0x0000000000120000-0x0000000000B77000-memory.dmp

Filesize
10.3MB

Download
memory/1704-42-0x0000000000120000-0x0000000000B77000-memory.dmp

Filesize
10.3MB

Download
memory/1704-34-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1904-316-0x0000000002700000-0x0000000002796000-memory.dmp

Filesize
600KB

Download
memory/1904-318-0x0000000000560000-0x00000000005DB000-memory.dmp

Filesize
492KB

Download
memory/1904-317-0x0000000002700000-0x0000000002796000-memory.dmp

Filesize
600KB

Download
memory/1904-331-0x0000000002700000-0x0000000002796000-memory.dmp

Filesize
600KB

Download
memory/1904-332-0x0000000002ED0000-0x0000000002F48000-memory.dmp

Filesize
480KB

Download