gh0strat | b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131

Analysis

max time kernel
119s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe
Size

1.2MB
MD5

256a3c053b2be31b33844f0aec28d6f7
SHA1

b40288bee799bb2d1e049161b0492283cb9fe41c
SHA256

b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131
SHA512

60be9ce431daab1cc40145ebe3e9fc9d538c7e4682f3167068f57355dbbab23329688fa61a45acaa3c958dc33ba4ea6b759f3eac24183c5ca7212875087c3aaf
SSDEEP

24576:YBcKhZKD2lG4HxeM2jO0HXflRRbKJpM8hhMPh2f3OaArF:ycKNlG4Hx7v0HXdKJCoqg3Or

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3764-124-0x0000000003870000-0x00000000038EB000-memory.dmp	family_gh0strat
behavioral2/memory/3764-138-0x00000000037D0000-0x0000000003867000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe

Executes dropped EXE 1 IoCs

Processes:

vtreamsetup.exe

pid process

3764 vtreamsetup.exe

Loads dropped DLL 27 IoCs

Processes:

vtreamsetup.exe

pid	process
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vtreamsetup.exe

description	ioc	process
File opened (read-only)	\??\X:	vtreamsetup.exe
File opened (read-only)	\??\O:	vtreamsetup.exe
File opened (read-only)	\??\Q:	vtreamsetup.exe
File opened (read-only)	\??\U:	vtreamsetup.exe
File opened (read-only)	\??\W:	vtreamsetup.exe
File opened (read-only)	\??\Z:	vtreamsetup.exe
File opened (read-only)	\??\I:	vtreamsetup.exe
File opened (read-only)	\??\N:	vtreamsetup.exe
File opened (read-only)	\??\V:	vtreamsetup.exe
File opened (read-only)	\??\S:	vtreamsetup.exe
File opened (read-only)	\??\T:	vtreamsetup.exe
File opened (read-only)	\??\E:	vtreamsetup.exe
File opened (read-only)	\??\J:	vtreamsetup.exe
File opened (read-only)	\??\M:	vtreamsetup.exe
File opened (read-only)	\??\K:	vtreamsetup.exe
File opened (read-only)	\??\L:	vtreamsetup.exe
File opened (read-only)	\??\P:	vtreamsetup.exe
File opened (read-only)	\??\R:	vtreamsetup.exe
File opened (read-only)	\??\Y:	vtreamsetup.exe
File opened (read-only)	\??\B:	vtreamsetup.exe
File opened (read-only)	\??\G:	vtreamsetup.exe
File opened (read-only)	\??\H:	vtreamsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

848 860 WerFault.exe b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe

pid	pid_target	process	target process
848	860	WerFault.exe	b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exevtreamsetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtreamsetup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vtreamsetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vtreamsetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vtreamsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vtreamsetup.exe

pid	process
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe
3764	vtreamsetup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vtreamsetup.exe

pid process

3764 vtreamsetup.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exevtreamsetup.exe

pid process

860 b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe
3764 vtreamsetup.exe

pid	process
860	b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe
3764	vtreamsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe

description	pid	process	target process
PID 860 wrote to memory of 3764	860	b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe	vtreamsetup.exe
PID 860 wrote to memory of 3764	860	b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe	vtreamsetup.exe
PID 860 wrote to memory of 3764	860	b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe	vtreamsetup.exe

C:\Users\Admin\AppData\Local\Temp\b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe
"C:\Users\Admin\AppData\Local\Temp\b38f58cbfae22f29a973785149121b140f90490d8c688af59854706b38154131.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Public\stdio\vtreamsetup.exe
  "C:\Users\Public\stdio\vtreamsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 620
  2⤵
  - Program crash
  PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 860 -ip 860
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\stdio\0f40fc17.ppf

Filesize
576KB

MD5
bba2e0ec20cdcb6cf637e21284fc29be

SHA1
1ca261c0fa436fea4e0273b2a048114dd716e8ca

SHA256
6edfdc4856f81bba4b5ee19d06266c9792b400cf564d15d6518bcd934d5cd70e

SHA512
909b87147af92615269b3b414709537f3536b1807253405e8b1781384802eaa70541f4d98d62d84af36e03b17b6d1657d5434c475cee86d6f57f81441000ed5b

Download Submit
C:\Users\Public\stdio\Config.ini

Filesize
92B

MD5
e5182d72b06b42c5a104e4057965013f

SHA1
aa1f6a25b921a337fac11c233facc8ad36b755be

SHA256
c49387b35c8aa1e067eb02fa998db4ca13c9e7dde6a5267cb60ab68fb48ff8d3

SHA512
a08850f2b3db8425f4eed0202eb598f9f50dd41c77e444e3d08c009aef5e359ced27349eea63a302f6a3b2c13d27291d634a8b0bbd0b43cd696ce76fb609128a

Download Submit
C:\Users\Public\stdio\DuiLib.dll

Filesize
1.5MB

MD5
a3b393d6604c40c51f9f28533161ab81

SHA1
19480433f1a094f135eff78e4b63c5b47411f333

SHA256
a830e40e43aef4d9d7b7eeb6d94c17cd2cb11be7f3ee8adce2399ec5c0a6049c

SHA512
12c460443ae98c0a57abe98e8d70802367d9fe2a14faf66164a094ffdb10ee6d8a6b41e4c96e58a423218f3653ea56d804ed15614ff6957948025f78389c3313

Download Submit
C:\Users\Public\stdio\MSVCP140.dll

Filesize
438KB

MD5
1fb93933fd087215a3c7b0800e6bb703

SHA1
a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb

SHA256
2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01

SHA512
79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e

Download Submit
C:\Users\Public\stdio\Plugin.dll

Filesize
271KB

MD5
27378e77fed60b91b9eacef55b10d3a2

SHA1
603050de753ae268e09aca9e37b30ac4e647b6b7

SHA256
553920c1b7dbcabcd18e8a17a3f0b3bd91f3fd2a3375a6163c8e85d441cb8a18

SHA512
95be8277a4ceaf29a2c7bbba6f8e06fb894bb883ff457e08851352dd751375f94c551a78204fc30838aa2c4a6741f49e30bfa6f0b6a6f0287c5d77b0e9ed6c6d

Download Submit
C:\Users\Public\stdio\QKGuide.dll

Filesize
893KB

MD5
057d333133ba16ad86fa644e8b28adf7

SHA1
7542ae74dbcaef4fd60e82937080efa1c2ac954f

SHA256
51d34fdf50a1542a86f2befa3e0f7615832558d29e41cf92c9206b44b67e1350

SHA512
83a61c8da999bdcc3bb47b47d8aeea3fb8605404cda949acb91bb0b7aaba7d1c854f7cf44d8d5ba81d5be5d2c3dfc5babf66f72bf1137c2786b34bd32b853e78

Download Submit
C:\Users\Public\stdio\QKHook.dll

Filesize
24KB

MD5
32f12897dbfad3149821d503013c6a28

SHA1
52fc6755add14e6f6eb2b2f5a20d8022a32c8225

SHA256
93fcab146f4061b93e6566b1846cfefd05dae52afd763fdd261e6a0543436671

SHA512
c0547fb67c4d80e2d2744179c4b21d1e9b8694f53a6c843adc7e28df48b0e56c95c25b6cfc956f440d856add2bfc339b8178c820c28a09250854b5a57587db59

Download Submit
C:\Users\Public\stdio\QKParameterMgr.dll

Filesize
35KB

MD5
1390bc15e3d2b403d962c6c6e9e77fee

SHA1
dab2a8a69cb014c682544c94efc2a9219fd603cc

SHA256
ae1cec46aaa7841b0d4e2dd719272821469be8121b32a60609b1bc3bfd5638d3

SHA512
e794d64bd63b8bbacdd59e8ad1b2b23011f07a8de70217082f56b710cadfec4f4579756eb693ceb9a223933366bb4058d26e7c5867d4c4e67988aa4532cbad5a

Download Submit
C:\Users\Public\stdio\QKPhotoshopMgr.dll

Filesize
551KB

MD5
a1b899fd31bff8b4d87e2edd78006b31

SHA1
199280dabac2c32324c59ec8da76c0126e5710e7

SHA256
09c6a24b0714da6e4bef6ed8070f6986c005cd974c35a4f7a9f406b88ee038b3

SHA512
40d9466ee6ae644c19e9c2f505370ed647379c6d3389a908ad32f24ed0cf6ef95728192a443324fde3a312b1fd31a4eb3ea616881595dac6ee1b4a047b948a17

Download Submit
C:\Users\Public\stdio\QKPlugin.dll

Filesize
307KB

MD5
216c638d1e32032145687d2e3851394a

SHA1
fdcb1cb31625a8023880a716205b29a1b7f71aa2

SHA256
965fd4c884b66a65c7b6800a43f1c6f9a0b5a5766606301494da227a8a80f35e

SHA512
5b50ad6f3a5aa25de08174df90db067676fb13991b93bcadba2698b0e69c096f46892467b1d6f75227825447b9eedbf40f6415d8804115fa3201a43bd7360bd0

Download Submit
C:\Users\Public\stdio\QKRecord.dll

Filesize
353KB

MD5
428f062a15575599e0fcbef2374754a8

SHA1
5dacffd79a14ac1b3b0377885460cc1bf1023810

SHA256
0553c54a2082a89b04bfa0a8373185ffcfa202523e98159a5e20012df1ce99b5

SHA512
492d4c4e35b55abc2f0517aa4fc3235bb88b115d7dc2b666f847f2b100d84b011eb9540675b60d3d68da4de6e49bff7253cd5428c991ac7ae521b73e0eacba27

Download Submit
C:\Users\Public\stdio\QKResource.dll

Filesize
616KB

MD5
e471a8665c05062f45e343b7f89ad319

SHA1
58a98da8295458c073d10622158a6a53a20be534

SHA256
1f75c77513b2554d94c692d6e7a00b674dcec354913159aea7f324062a4fa798

SHA512
f033a1e8044b070a8f2ad4fe97e06f810747988ce5bb269bd6a502b39c24158ce0a150305666b73de74252762371e5d091ed258fc11e94259c78bcaba04dfc46

Download Submit
C:\Users\Public\stdio\alibabacloud-oss-cpp-sdk.dll

Filesize
1.0MB

MD5
0aaeb781e651be69f6d643a72b15c6cb

SHA1
8be4066c628629ffe77254c2cc452aecc1fee8dc

SHA256
e9359d5c42b6767d63525ae73eb194a88c3e68111cee4ec1a2bdbb8ecf530bb9

SHA512
c6f1af6bb30005f8b89951612961ef8db706d39ace2e674cf54a14445fdfcfe8cf8c5762fe04406b9d87154a919cc47e251eaefd9cbd15e00b2ecf471854e6f5

Download Submit
C:\Users\Public\stdio\concrt140.dll

Filesize
243KB

MD5
8651e6272e310d5c64d0c91ca975b029

SHA1
0e2433c8771ac420b5684c79e96eb7e206350757

SHA256
b721897db5542d5b0c970ec624440442ed9ae781e55147feb9ff264f70f66cde

SHA512
d99d049b9ae9f7bcf9e6737b26a90f544a08ff49e06fdc39617b869eb97676024e18ba42e680db255a8a04f323de494dd8e7b706007e9b961c78a64cdf078ff6

Download Submit
C:\Users\Public\stdio\libcurl.dll

Filesize
552KB

MD5
b58a42118168c1c18a26acbc353b2ec0

SHA1
c1a048e3a941972cabf9d91be5b28df189d0a3bd

SHA256
762d69078a248a0c99344ae69b1f84c3f85c332b878869e054be67825423ec0b

SHA512
58339b6c26f5fbda2a12bd84e88b41c4bee407ae53da3b72ca2b2ddddd49f64ea75096feb57d654aa748b7eaa83190b417933c0ac43b5819ef32db46b29db770

Download Submit
C:\Users\Public\stdio\libeay32.dll

Filesize
1.2MB

MD5
1707bc560de9c69ae7325b6f63c8ec96

SHA1
d15e908a921cd17fbcfe0000b264d52e8fd413e7

SHA256
648a673ec8504f8255de37996a21895279985e011124e8ff2c7249271d5890cb

SHA512
941b3a76d43626d3d8e369437b83e63689eb3f8ecf90737a2d2df8df1c38e19e02146938af12d0fa9850ba3154ad60d74c5e4b80cae4ff6e3bff9d2583538ad5

Download Submit
C:\Users\Public\stdio\libmysql.dll

Filesize
3.5MB

MD5
fcd72aa6a80b75556057d77b729f17c5

SHA1
8689cd54043136e644c82cb8eae419a5d43289ca

SHA256
6a59443d3a5cf8572e2e80b5987040ddbf2630e14036204a3bf77ce27e02d918

SHA512
e2c7c02ec1b997c3888ce20e8a3ac4c84a4e36a6e1c37aaf1a65983096ba64e60fbe61ca988821a1807872e9bf284cc577938db5957abcb57555321a7e36c7ba

Download Submit
C:\Users\Public\stdio\mfc140u.dll

Filesize
4.8MB

MD5
06f307b7ddb0994b448b9786cf5811b8

SHA1
4d70c5206e84b23916e4c686f430e5dcdc70dfc3

SHA256
dde3c8e9e7d414913a29979798311d095c1b8869ee405a1c3fcbba14da90446d

SHA512
b26bcfca4569ce9fb4b7196c952ce38b0e3a30aeff2e7ac4b2ea1c695c658c1d92029fb7e31ad231e62de8dff2a86ab3821aa1f9d5c944d88b263d88efeca16a

Download Submit
C:\Users\Public\stdio\msc.dll

Filesize
1.7MB

MD5
18d35237d397e8396c30356ddb12dd9c

SHA1
8f86896fd6f884f05c48c3034b7b55b7d9e50a5a

SHA256
1c1f3b6df9347b864ac879ef841196b97ed02f5be941fd490817831889b97b84

SHA512
e2e1e1fdb6e161b28e90236edd0b35d3b91f507161b50615caaaa8f9484946c72ea35298838e1b538e4d2801aff9cece97b89447e78a3dc2ae4fdc962a26c5c3

Download Submit
C:\Users\Public\stdio\opencv_core2413.dll

Filesize
1.9MB

MD5
b83a304b66f3c9799cae2be75bec361b

SHA1
d7ccc4067af699e62f9a7f9001589d3d8c7f4ac6

SHA256
b0f02252f1cee1826f3b193e682344a8d9785e424e8009b60a7700e5c88271c8

SHA512
dfa3dfa9faf6a85af25fa4f12726ec27075053112e9455461e435ff424bff0635bd624c39c2e15f962b4aab3a6374b23024e7d805e0e8f2d54df1f92e7edd6f2

Download Submit
C:\Users\Public\stdio\opencv_highgui2413.dll

Filesize
1.9MB

MD5
f6a0b1bf98161f7231039f6ffceee155

SHA1
7f888d40d50ae85490e2126c9f9a14ce78d4c7d0

SHA256
1ad5b3f2447a6d48e3ade61cbdc4abb0f18f3dbc8b7dcd3b050d60c68197d0df

SHA512
69ea3f74d40a5aecedb5ea120e01a5cd348af9542f16124973b028a3e2965d3d63a804d0bab1bdd4b548e55f8bb21365605b241891993177cfc08608d895764b

Download Submit
C:\Users\Public\stdio\opencv_imgproc2413.dll

Filesize
1.6MB

MD5
27e2d298d6905a73ea98b7a2c4c889c5

SHA1
600eb3e14e20f91c7e9788bf3cde864f9e1bc17c

SHA256
f67e68461b7fa1bdf83b00020affc17c203e5d5fb6d051c00d2654e181115f8f

SHA512
751cceddd052cb3a540b842ed9a69f0842f3c1a5d503555ba990838550b0e784dafc577e0070383af7cfe36bf51a4944b9a9fadfbcfdbcc92ba6deb52ff30f95

Download Submit
C:\Users\Public\stdio\task.dat

Filesize
79B

MD5
b2ac0d246681013e392b3e2452993a7a

SHA1
91ae4948ea16552ea517ffd2f21d463747f6e737

SHA256
d9298f116ec4d21afe0b266600cc5fc24dbcc58085d8f6249869e0f6bf7ac995

SHA512
69e3b3738d1804906562166b6ecf8d7f089082fc0704e1dff35fabed5bb79627389af4620c6184339abe09726b5867c482413272959bcff02825eae2cd98a93e

Download Submit
C:\Users\Public\stdio\vcruntime140.dll

Filesize
78KB

MD5
1b171f9a428c44acf85f89989007c328

SHA1
6f25a874d6cbf8158cb7c491dcedaa81ceaebbae

SHA256
9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c

SHA512
99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1

Download Submit
C:\Users\Public\stdio\vtreamsetup.dat

Filesize
61B

MD5
dc8244e4d95dc957a2c4afe5df9b1a19

SHA1
9f20029bae1f5f1f4147d021ad95648d6301e0c5

SHA256
9cc6ef130569f6531099a5f527be66c8e9e996f03e6585398b7f282efbd11024

SHA512
6b0bd51d77261d0b26e5d992d1479825d87e6ce37f7460ebd4905f1124059ab136397c7fb7105a3cbc705204b748ec7d25d16e3609608e906120d75b76995604

Download Submit
C:\Users\Public\stdio\vtreamsetup.exe

Filesize
346KB

MD5
b575cfefd5c7b14f4743ef2ad74b2736

SHA1
f433813501a7b5b96186bb02fe69ca01580627ed

SHA256
a38708da0db2003a1d14ed1e9d45a9ecb30a6294d472692f804ffb0cea70334b

SHA512
ea912b2589142f1a89ef84e503bf65999beb7aa76d2aa50e1e7edc178bf841debed906fc11da555a004fc715f52fa09baf3a3fe4b42c33e5c9cf811eba676e5e

Download Submit
memory/3764-124-0x0000000003870000-0x00000000038EB000-memory.dmp

Filesize
492KB

Download
memory/3764-122-0x00000000037D0000-0x0000000003867000-memory.dmp

Filesize
604KB

Download
memory/3764-116-0x00000000015B0000-0x00000000016DD000-memory.dmp

Filesize
1.2MB

Download
memory/3764-138-0x00000000037D0000-0x0000000003867000-memory.dmp

Filesize
604KB

Download