wshrat | 0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7
submitted
09-10-2020 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CV Actualis_.bin.exe
Size

1.7MB
MD5

384b434bcfeec7287cf02b7aefa06c52
SHA1

8e2abd5f01f36b38d3674847dff518e7a4eef897
SHA256

0aa70e7306349ec1f3b27d683bfb3fd717f242e86b508b4051e3691c584fbf8d
SHA512

a33c8f4c6746d16cd39a19c4ba9fcc3ebabefdeb443c2e46585958bc1d10fca4ff44a6c2612acec5fb284935121ebbf1f4f6028df9060beb38f9e4d01da7d235

Score

10^/10

persistence trojan wshrat discovery

Malware Config

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blacklisted process makes network request 27 IoCs

Processes:

wscript.exe

flow	pid	process
5	1888	wscript.exe
7	1888	wscript.exe
8	1888	wscript.exe
9	1888	wscript.exe
10	1888	wscript.exe
11	1888	wscript.exe
12	1888	wscript.exe
13	1888	wscript.exe
15	1888	wscript.exe
16	1888	wscript.exe
17	1888	wscript.exe
19	1888	wscript.exe
20	1888	wscript.exe
21	1888	wscript.exe
23	1888	wscript.exe
24	1888	wscript.exe
25	1888	wscript.exe
27	1888	wscript.exe
28	1888	wscript.exe
29	1888	wscript.exe
31	1888	wscript.exe
32	1888	wscript.exe
33	1888	wscript.exe
35	1888	wscript.exe
36	1888	wscript.exe
37	1888	wscript.exe
40	1888	wscript.exe

Executes dropped EXE 3 IoCs

Processes:

InstallSlimPDFReader.exeInstallSlimPDFReader.tmpkl-plugin.exe

pid process

1304 InstallSlimPDFReader.exe
1844 InstallSlimPDFReader.tmp
1892 kl-plugin.exe

pid	process
1304	InstallSlimPDFReader.exe
1844	InstallSlimPDFReader.tmp
1892	kl-plugin.exe

Drops startup file 2 IoCs

Processes:

WScript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallSlimPDFReader.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallSlimPDFReader.js	wscript.exe

Loads dropped DLL 6 IoCs

Processes:

CV Actualis_.bin.exeInstallSlimPDFReader.exeInstallSlimPDFReader.tmpwscript.exe

pid	process
240	CV Actualis_.bin.exe
1304	InstallSlimPDFReader.exe
1844	InstallSlimPDFReader.tmp
1844	InstallSlimPDFReader.tmp
1844	InstallSlimPDFReader.tmp
1888	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallSlimPDFReader = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\InstallSlimPDFReader.js\""	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Drops file in Program Files directory 2 IoCs

Processes:

CV Actualis_.bin.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe	CV Actualis_.bin.exe
File opened for modification	C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.js	CV Actualis_.bin.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1396 taskkill.exe

pid	process
1396	taskkill.exe

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	11	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	16	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	23	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	29	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	31	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	33	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	37	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	10	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	21	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	27	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	36	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	7	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	13	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	15	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	17	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	24	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	32	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	8	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	12	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	19	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	20	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	25	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	28	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	35	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands
HTTP User-Agent header	9	WSHRAT\|F86B013E\|AVGLFESB\|Admin\|Microsoft Windows 7 Professional \|plus\|nan-av\|false - 9/10/2020\|JavaScript-v2.0\|NL:Netherlands

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallSlimPDFReader.tmp

pid process

1844 InstallSlimPDFReader.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1396 taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

kl-plugin.exe

pid process

1892 kl-plugin.exe
1892 kl-plugin.exe

pid	process
1844	InstallSlimPDFReader.tmp

description	pid	process
Token: SeDebugPrivilege	1396	taskkill.exe

pid	process
1892	kl-plugin.exe
1892	kl-plugin.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

CV Actualis_.bin.exeWScript.exeInstallSlimPDFReader.exewscript.execmd.exe

description	pid	process	target process
PID 240 wrote to memory of 1820	240	CV Actualis_.bin.exe	WScript.exe
PID 240 wrote to memory of 1820	240	CV Actualis_.bin.exe	WScript.exe
PID 240 wrote to memory of 1820	240	CV Actualis_.bin.exe	WScript.exe
PID 240 wrote to memory of 1820	240	CV Actualis_.bin.exe	WScript.exe
PID 1820 wrote to memory of 1888	1820	WScript.exe	wscript.exe
PID 1820 wrote to memory of 1888	1820	WScript.exe	wscript.exe
PID 1820 wrote to memory of 1888	1820	WScript.exe	wscript.exe
PID 1820 wrote to memory of 1888	1820	WScript.exe	wscript.exe
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	InstallSlimPDFReader.exe
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	InstallSlimPDFReader.exe
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	InstallSlimPDFReader.exe
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	InstallSlimPDFReader.exe
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	InstallSlimPDFReader.exe
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	InstallSlimPDFReader.exe
PID 240 wrote to memory of 1304	240	CV Actualis_.bin.exe	InstallSlimPDFReader.exe
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	InstallSlimPDFReader.tmp
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	InstallSlimPDFReader.tmp
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	InstallSlimPDFReader.tmp
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	InstallSlimPDFReader.tmp
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	InstallSlimPDFReader.tmp
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	InstallSlimPDFReader.tmp
PID 1304 wrote to memory of 1844	1304	InstallSlimPDFReader.exe	InstallSlimPDFReader.tmp
PID 1888 wrote to memory of 1796	1888	wscript.exe	cmd.exe
PID 1888 wrote to memory of 1796	1888	wscript.exe	cmd.exe
PID 1888 wrote to memory of 1796	1888	wscript.exe	cmd.exe
PID 1888 wrote to memory of 1796	1888	wscript.exe	cmd.exe
PID 1796 wrote to memory of 1396	1796	cmd.exe	taskkill.exe
PID 1796 wrote to memory of 1396	1796	cmd.exe	taskkill.exe
PID 1796 wrote to memory of 1396	1796	cmd.exe	taskkill.exe
PID 1796 wrote to memory of 1396	1796	cmd.exe	taskkill.exe
PID 1888 wrote to memory of 1892	1888	wscript.exe	kl-plugin.exe
PID 1888 wrote to memory of 1892	1888	wscript.exe	kl-plugin.exe
PID 1888 wrote to memory of 1892	1888	wscript.exe	kl-plugin.exe
PID 1888 wrote to memory of 1892	1888	wscript.exe	kl-plugin.exe

C:\Users\Admin\AppData\Local\Temp\CV Actualis_.bin.exe
"C:\Users\Admin\AppData\Local\Temp\CV Actualis_.bin.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Investintech.com Inc.\SlimPDF Reader\InstallSlimPDFReader.js"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\InstallSlimPDFReader.js"
3⤵
- Blacklisted process makes network request
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM kl-plugin.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Roaming\kl-plugin.exe
"C:\Users\Admin\AppData\Roaming\kl-plugin.exe" blackid-43205.portmap.io 1118 "WSHRAT|F86B013E|AVGLFESB|Admin|Microsoft Windows 7 Professional |plus|nan-av|false - 9/10/2020|JavaScript-v2.0|NL:Netherlands" 1
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe
"C:\Program Files (x86)\Investintech.com Inc.\SlimPDF Reader\InstallSlimPDFReader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\is-PJ9G4.tmp\InstallSlimPDFReader.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PJ9G4.tmp\InstallSlimPDFReader.tmp" /SL5="$300A8,1106375,177152,C:\Program Files (x86)\Investintech.com Inc.\SlimPDF Reader\InstallSlimPDFReader.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe
MD5
7bac896429f4f066bf4e894a8aeddb57

SHA1
68e9a9fccf924846d461ba2adfe16a345b1ab28b

SHA256
e21afdecd1eb7643fa95a3b2e7a059a0781d533afb105f6df23613b6b32cf1e7

SHA512
f0fc7869bac9388eb07254aa5b1be72e8864838c9c668be427738af5c3134349addc0ce3b4112b9262f1e54c1dada122e2b97407adec8f4b6bf3a1a7f473d45d

Download Submit
C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe
MD5
7bac896429f4f066bf4e894a8aeddb57

SHA1
68e9a9fccf924846d461ba2adfe16a345b1ab28b

SHA256
e21afdecd1eb7643fa95a3b2e7a059a0781d533afb105f6df23613b6b32cf1e7

SHA512
f0fc7869bac9388eb07254aa5b1be72e8864838c9c668be427738af5c3134349addc0ce3b4112b9262f1e54c1dada122e2b97407adec8f4b6bf3a1a7f473d45d

Download Submit
C:\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.js
MD5
3e3c515ce53a1aedb1fe7e8689f2cd39

SHA1
17b761826748ac4c63232f227d529b59323864d0

SHA256
ef487da7a8301df9dca1e74c58433912fca910fb06bc4c941e4c756ce5ff0712

SHA512
f786aebec2f7f31ca0a4b8d3d3dcad2dc3a5d2405d9a5c8f43aab84145d8a52978ee5861d048d49193bcc5c543d641ea8aeb486a4703ce9d746676a3ff579a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PJ9G4.tmp\InstallSlimPDFReader.tmp
MD5
78fd8cbc65d21ae9d82da0c6e5d9bedc

SHA1
a49e539502ba74b0eb466104f4d5335fc018adc4

SHA256
ae802402022b7a23c5d9e6863c9587102bbc04dbcd2fb4b087309e93a7dedd34

SHA512
fa82e553a57a2bcf54770de0c20a4b563161491a926984c3a4e0a2b92dc25fb0d86ea4bdbc6625672f73c4e6ee5eaff4de66311d46085c55659b6528ef22602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PJ9G4.tmp\InstallSlimPDFReader.tmp
MD5
78fd8cbc65d21ae9d82da0c6e5d9bedc

SHA1
a49e539502ba74b0eb466104f4d5335fc018adc4

SHA256
ae802402022b7a23c5d9e6863c9587102bbc04dbcd2fb4b087309e93a7dedd34

SHA512
fa82e553a57a2bcf54770de0c20a4b563161491a926984c3a4e0a2b92dc25fb0d86ea4bdbc6625672f73c4e6ee5eaff4de66311d46085c55659b6528ef22602f

Download Submit
C:\Users\Admin\AppData\Roaming\InstallSlimPDFReader.js
MD5
3e3c515ce53a1aedb1fe7e8689f2cd39

SHA1
17b761826748ac4c63232f227d529b59323864d0

SHA256
ef487da7a8301df9dca1e74c58433912fca910fb06bc4c941e4c756ce5ff0712

SHA512
f786aebec2f7f31ca0a4b8d3d3dcad2dc3a5d2405d9a5c8f43aab84145d8a52978ee5861d048d49193bcc5c543d641ea8aeb486a4703ce9d746676a3ff579a13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InstallSlimPDFReader.js
MD5
3e3c515ce53a1aedb1fe7e8689f2cd39

SHA1
17b761826748ac4c63232f227d529b59323864d0

SHA256
ef487da7a8301df9dca1e74c58433912fca910fb06bc4c941e4c756ce5ff0712

SHA512
f786aebec2f7f31ca0a4b8d3d3dcad2dc3a5d2405d9a5c8f43aab84145d8a52978ee5861d048d49193bcc5c543d641ea8aeb486a4703ce9d746676a3ff579a13

Download Submit
C:\Users\Admin\AppData\Roaming\kl-plugin.exe
MD5
7099a939fa30d939ccceb2f0597b19ed

SHA1
37b644ef5722709cd9024a372db4590916381976

SHA256
272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

SHA512
6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

Download Submit
C:\Users\Admin\AppData\Roaming\kl-plugin.exe
MD5
7099a939fa30d939ccceb2f0597b19ed

SHA1
37b644ef5722709cd9024a372db4590916381976

SHA256
272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

SHA512
6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

Download Submit
\Program Files (x86)\Investintech.com Inc\SlimPDF Reader\InstallSlimPDFReader.exe
MD5
7bac896429f4f066bf4e894a8aeddb57

SHA1
68e9a9fccf924846d461ba2adfe16a345b1ab28b

SHA256
e21afdecd1eb7643fa95a3b2e7a059a0781d533afb105f6df23613b6b32cf1e7

SHA512
f0fc7869bac9388eb07254aa5b1be72e8864838c9c668be427738af5c3134349addc0ce3b4112b9262f1e54c1dada122e2b97407adec8f4b6bf3a1a7f473d45d

Download Submit
\Users\Admin\AppData\Local\Temp\is-EUJKP.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EUJKP.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EUJKP.tmp\itech.dll
MD5
bb22f4ca6729309df066bfe0159e3a91

SHA1
a6a4afded3f38f3a67fc727c5491d30f99fe8b45

SHA256
b81e159aa2030956619cf0dc62dfaadc3f9bb17341c03bfa898ede513f49d7a7

SHA512
c3a4fde918995c1ec8a4c6610ae31d2d35e3852e68c8dcb2ada136a1d89de0fe2631f7c72ecfe123669ff7e31b3ec8ba543b569eec5402261adab338732ec1b0

Download Submit
\Users\Admin\AppData\Local\Temp\is-PJ9G4.tmp\InstallSlimPDFReader.tmp
MD5
78fd8cbc65d21ae9d82da0c6e5d9bedc

SHA1
a49e539502ba74b0eb466104f4d5335fc018adc4

SHA256
ae802402022b7a23c5d9e6863c9587102bbc04dbcd2fb4b087309e93a7dedd34

SHA512
fa82e553a57a2bcf54770de0c20a4b563161491a926984c3a4e0a2b92dc25fb0d86ea4bdbc6625672f73c4e6ee5eaff4de66311d46085c55659b6528ef22602f

Download Submit
\Users\Admin\AppData\Roaming\kl-plugin.exe
MD5
7099a939fa30d939ccceb2f0597b19ed

SHA1
37b644ef5722709cd9024a372db4590916381976

SHA256
272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a

SHA512
6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721

Download Submit
memory/1304-6-0x0000000000000000-mapping.dmp

Download
memory/1396-19-0x0000000000000000-mapping.dmp

Download
memory/1796-18-0x0000000000000000-mapping.dmp

Download
memory/1812-17-0x000007FEF7AF0000-0x000007FEF7D6A000-memory.dmp

Filesize
2.5MB

Download
memory/1820-0-0x0000000000000000-mapping.dmp

Download
memory/1820-3-0x00000000028A0000-0x00000000028A4000-memory.dmp

Filesize
16KB

Download
memory/1844-11-0x0000000000000000-mapping.dmp

Download
memory/1888-2-0x0000000000000000-mapping.dmp

Download
memory/1892-21-0x0000000000000000-mapping.dmp

Download