32f5183395c20856fa10399da6d5dde99135507b4125a7b2c0b957e9de37d8c1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3805ed8a271ce1e3eb9c80ce61945ede_JaffaCakes118.exe
Size

3.9MB
MD5

3805ed8a271ce1e3eb9c80ce61945ede
SHA1

80e33752670474d84478a62d0dd50e8f5d051ffc
SHA256

32f5183395c20856fa10399da6d5dde99135507b4125a7b2c0b957e9de37d8c1
SHA512

20a9e9f49369c97e195948b214955971e8f42356892f465e0edd72aaa778af6e9ba93a1ef53516321cba64fb0d7536d2d646a0abbe944e12106ebf585cfcabe3
SSDEEP

98304:waE9LOk6Nx4J8PG2cNS2fnzvWUvJYvtlyGviSJNIvB6j:ueH4J8Pi4onLWHLygHHj

Score

7^/10

adware discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	00000dfcT8SETUP.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
2456	00000dfcT8SETUP.EXE
4484	AppIntegrator64.exe
3116	65srchmn.exe
2372	65barsvc.exe
4832	65barsvc.exe
3112	65brmon.exe
4432	65barsvc.exe
3012	65HighIn.exe

Loads dropped DLL 53 IoCs

pid	Process
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
3116	65srchmn.exe
4484	AppIntegrator64.exe
4484	AppIntegrator64.exe
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
3112	65brmon.exe
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
3112	65brmon.exe
3112	65brmon.exe
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
3012	65HighIn.exe
2456	00000dfcT8SETUP.EXE
3012	65HighIn.exe
3012	65HighIn.exe
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
3580	3805ed8a271ce1e3eb9c80ce61945ede_JaffaCakes118.exe
4500	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FromDocToPDF Home Page Guard 64 bit = "\"C:\\PROGRA~2\\FROMDO~1\\bar\\1.bin\\AppIntegrator64.exe\""	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FromDocToPDF Search Scope Monitor = "\"C:\\PROGRA~2\\FROMDO~1\\bar\\1.bin\\65srchmn.exe\" /m=2 /w /h"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FromDocToPDF_65 Browser Plugin Loader = "C:\\PROGRA~2\\FROMDO~1\\bar\\1.bin\\65brmon.exe"	00000dfcT8SETUP.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f236ca79-3123-4afb-9f74-e98117ad5625}\	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a235e1e3-6296-4710-af39-104a7faa6c7c}	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a235e1e3-6296-4710-af39-104a7faa6c7c}\	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f236ca79-3123-4afb-9f74-e98117ad5625}	00000dfcT8SETUP.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{F236CA79-3123-4AFB-9F74-E98117AD5625}	00000dfcT8SETUP.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\gen1\COMMON.T8S	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\IE9Mesg\COMMON.T8S	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\Settings\s_pid.dat	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\AppIntegrator64.exe	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65brmon.exe	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65htmlmu.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65htmlmu.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65SrchMn.exe	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\CHROME.MANIFEST	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65msg.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65skin.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65medint.exe	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65script.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65uabtn.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\chrome\65ffxtbr.jar	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\EXEMANAGER.DLL	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\Hpg64.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65dlghk.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65feedmg.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65idle.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\AppIntegratorStub64.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\Hpg64.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65barsvc.exe	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65impipe.exe	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\DPNMNGR.DLL	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65datact.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65msg.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65SrchMn.exe	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\Message\COMMON.T8S	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65brstub.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65script.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8EXTPEX.DLL	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65highin.exe	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8RES.DLL	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\chrome\65ffxtbr.jar	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65auxstb.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\VERIFY.DLL	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\AppIntegrator64.exe	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65auxstb.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65regfft.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\BOOTSTRAP.JS	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65SrcAs.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65tpinst.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\VERIFY.DLL	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files\Internet Explorer\msimg32.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65brmon.exe	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65datact.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65regfft.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65sknlcr.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65sknlcr.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\LOGO.BMP	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65bprtct.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65brstub.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\gen1\COMMON.T8S	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\CHROME.MANIFEST	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65dyn.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8EXTEX.DLL	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65idle.dll	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65bar.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\installKeys.js	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\LOGO.BMP	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65bar.dll	00000dfcT8SETUP.EXE
File opened for modification	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8HTML.DLL	00000dfcT8SETUP.EXE
File created	C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8TICKER.DLL	00000dfcT8SETUP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65barsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65HighIn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3805ed8a271ce1e3eb9c80ce61945ede_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00000dfcT8SETUP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65srchmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65barsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65barsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65brmon.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{36b445bf-1b84-466a-a623-a360a8cff8c3}\AppName = "AppIntegrator64.exe"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e0c3a839-0e5e-4ebc-9f8f-e56f8fc732ce}\AppPath = "C:\\Program Files (x86)\\FromDocToPDF_65\\bar\\1.bin"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}	00000dfcT8SETUP.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\CrExtP65.exe = "0"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d97143c2-4282-496b-bdc4-7ec852f1497c}\AppPath = "C:\\Program Files (x86)\\FromDocToPDF_65\\bar\\1.bin"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a3b975a0-f679-444e-9d94-6d292fa53140}\AppPath = "C:\\Program Files (x86)\\FromDocToPDF_65\\bar\\1.bin"	00000dfcT8SETUP.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6cbf5c01-c876-481b-867e-111cb1d2a7d6}\Policy = "3"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4c60e5ab-5c68-4c59-abaa-885010b24b32}	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d97143c2-4282-496b-bdc4-7ec852f1497c}	00000dfcT8SETUP.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d97143c2-4282-496b-bdc4-7ec852f1497c}\Policy = "3"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a3b975a0-f679-444e-9d94-6d292fa53140}\AppName = "65medint.exe"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6cbf5c01-c876-481b-867e-111cb1d2a7d6}\AppPath = "C:\\Program Files (x86)\\FromDocToPDF_65\\bar\\1.bin"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d97143c2-4282-496b-bdc4-7ec852f1497c}\AppName = "65impipe.exe"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{36b445bf-1b84-466a-a623-a360a8cff8c3}	00000dfcT8SETUP.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{701f5c41-bb30-46da-a56b-68784b0b762b}\Policy = "3"	00000dfcT8SETUP.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e0c3a839-0e5e-4ebc-9f8f-e56f8fc732ce}\Policy = "3"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6cbf5c01-c876-481b-867e-111cb1d2a7d6}\AppName = "65SlSrch.exe"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{701f5c41-bb30-46da-a56b-68784b0b762b}	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{701f5c41-bb30-46da-a56b-68784b0b762b}\AppName = "65SrchMn.exe"	00000dfcT8SETUP.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{36b445bf-1b84-466a-a623-a360a8cff8c3}\Policy = "3"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{c66a678d-5e6c-4af9-8f57-c6192f42cf74}	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6cbf5c01-c876-481b-867e-111cb1d2a7d6}	00000dfcT8SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{701f5c41-bb30-46da-a56b-68784b0b762b}\AppPath = "C:\\Program Files (x86)\\FromDocToPDF_65\\bar\\1.bin"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e0c3a839-0e5e-4ebc-9f8f-e56f8fc732ce}	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{e0c3a839-0e5e-4ebc-9f8f-e56f8fc732ce}\AppName = "65SkPlay.exe"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a3b975a0-f679-444e-9d94-6d292fa53140}	00000dfcT8SETUP.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a3b975a0-f679-444e-9d94-6d292fa53140}\Policy = "3"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{36b445bf-1b84-466a-a623-a360a8cff8c3}\AppPath = "C:\\Program Files (x86)\\FromDocToPDF_65\\bar\\1.bin"	00000dfcT8SETUP.EXE

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	00000dfcT8SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run	00000dfcT8SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run	00000dfcT8SETUP.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3CDDB72-3ADC-4920-B42B-68A8C29FA942}\1.0\FLAGS	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3700b685-d795-4e17-9b78-73bcee5d4086}\Programmable	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{777CEBBF-A763-42BE-ABBF-FF264689666B}\TypeLib\Version = "1.0"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EF6208B-483A-48F6-B9E5-9B6C54200F8C}\TypeLib\ = "{3BB1BA04-1B88-4690-9AD3-0D38412F5FF1}"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CB19259-5D60-49A7-8AF7-2B7CAF36C124}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87509D74-1F24-4B10-A14E-0AACF713CE14}\ProxyStubClsid32	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33119133-0854-469d-807A-171568457991}\InprocServer32\ThreadingModel = "Apartment"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2bd4465d-669a-42e6-b449-636b0b10ebb8}\MiscStatus\ = "0"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74C02D12-FAEE-4834-80D2-5B7D2480AD61}\1.0\0\win32\ = "C:\\Program Files (x86)\\FromDocToPDF_65\\bar\\1.bin\\t8res.dll\\626"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8285E4C-5C92-4AA5-B227-3147E9454EC8}\ = "_ITemplateXMLSessionEvents"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{316A2A46-F832-49B3-95E0-D460BD88D6B4}\TypeLib	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f96ee2ef-fe15-4878-aecd-bc367f12c70f}\ProgID\ = "FromDocToPDF_65.DynamicBarButton.1"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Software\Microsoft\Windows\CurrentVersion	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FromDocToPDF_65.HTMLPanel	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F39D8ED3-A6F6-427F-8AF8-BC9784FA70D8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72d05120-df65-4c27-921e-899b5267fef2}\TypeLib\ = "{2c9d27d8-c81e-4968-8026-e725e01650c1}"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87509D74-1F24-4B10-A14E-0AACF713CE14}\TypeLib\ = "{3EFEC319-72E8-42AA-AC38-8CF8A0661CDD}"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8285E4C-5C92-4AA5-B227-3147E9454EC8}\TypeLib\Version = "1.0"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1747AE4D-0A83-4336-84D4-48500BF1554F}\1.0\0\win32\ = "C:\\Program Files (x86)\\FromDocToPDF_65\\bar\\1.bin\\t8res.dll\\405"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c66a678d-5e6c-4af9-8f57-c6192f42cf74}\InprocServer32\ThreadingModel = "Apartment"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ae84501a-2cb6-41d6-b3a7-9679bdbdfa0b}\ProgID	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CB19259-5D60-49A7-8AF7-2B7CAF36C124}\TypeLib\ = "{4D8AEB1D-4ED4-44AC-A039-4775B2575DB0}"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E70DAE92-1A31-4AB8-9FCF-52FBDA0CC66A}\TypeLib\Version = "1.0"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3e6260ac-bc6f-44b4-942b-1568c367543a}\ = "Popup Menu Plugin"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CBF5C01-C876-481B-867E-111CB1D2A7D6}	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CBF5C01-C876-481B-867E-111CB1D2A7D6}\ProxyStubClsid32	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bc7e25d7-4681-46a3-af5a-9a1b865783ed}\ProgID\ = "FromDocToPDF_65.SettingsPlugin.1"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4563BA4-FABD-4B37-804A-3903D3511491}\TypeLib	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{504b4aa9-9952-4490-b0e1-80a5321c35f7}\	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{504b4aa9-9952-4490-b0e1-80a5321c35f7}\VersionIndependentProgID	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1747AE4D-0A83-4336-84D4-48500BF1554F}	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{314D051A-F3B4-4B7A-AAB4-1122FB82A0B5}	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{afa196f4-80e5-47ad-b7bc-c671487d36fb}\InprocServer32\ThreadingModel = "Apartment"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{542EAC56-BF4B-46A7-943E-0A4C2CBA34EA}\1.0\FLAGS	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4563BA4-FABD-4B37-804A-3903D3511491}\ProxyStubClsid32	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BB1BA04-1B88-4690-9AD3-0D38412F5FF1}\1.0\HELPDIR	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e0c3a839-0e5e-4ebc-9f8f-e56f8fc732ce}\MiscStatus	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C64B02A7-77F8-4EC9-B2C3-78EBBFFC00EE}\TypeLib\ = "{1747AE4D-0A83-4336-84D4-48500BF1554F}"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13119113-0854-469d-807A-171568457991}\ProgID	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F05D47B2-7C9F-401D-A083-3AA4A4711F4F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{542EAC56-BF4B-46A7-943E-0A4C2CBA34EA}\1.0	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CBF5C01-C876-481B-867E-111CB1D2A7D6}\TypeLib\Version = "1.0"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36B445BF-1B84-466A-A623-A360A8CFF8C3}\ = "_ITemplateBarSettingsEvents"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4D8AEB1D-4ED4-44AC-A039-4775B2575DB0}\1.0\ = "ToolbarProtector 1.0 Type Library"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87509D74-1F24-4B10-A14E-0AACF713CE14}\TypeLib	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{504b4aa9-9952-4490-b0e1-80a5321c35f7}\MiscStatus\1\ = "131473"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cbbea4b9-b183-47ac-8b1f-fd526ac99a8d}\VersionIndependentProgID	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bc7e25d7-4681-46a3-af5a-9a1b865783ed}\Control	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7879E06-4C3F-4061-B619-7CFD072E4F26}\TypeLib\Version = "1.0"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FromDocToPDF_65.HTMLPanel\CurVer	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FromDocToPDF_65.SkinLauncherSettings.1\CLSID\ = "{33119133-0854-469d-807A-171568457991}"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72d05120-df65-4c27-921e-899b5267fef2}\InprocServer32\ThreadingModel = "Apartment"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1F3E70D-04BA-47FB-ACCA-CC8FCFA74D41}\TypeLib	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FromDocToPDF_65.HTMLPanel.1\ = "FromDocToPDF_65 HTML Panel"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FromDocToPDF_65.HTMLPanel\CLSID\ = "{e1c4699e-5e74-4f30-a4a2-378e45d44f07}"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c66a678d-5e6c-4af9-8f57-c6192f42cf74}\InprocServer32	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F05D47B2-7C9F-401D-A083-3AA4A4711F4F}\TypeLib	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a0cf6cb9-2276-4f30-b841-05a67067ace0}\ProgID\ = "FromDocToPDF_65.UrlAlertButton.1"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{314D051A-F3B4-4B7A-AAB4-1122FB82A0B5}\ProxyStubClsid32	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FromDocToPDF_65.SkinLauncher\CurVer	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36B445BF-1B84-466A-A623-A360A8CFF8C3}\ = "_ITemplateBarSettingsEvents"	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{afa196f4-80e5-47ad-b7bc-c671487d36fb}\InprocServer32\ = "C:\\Program Files (x86)\\FromDocToPDF_65\\bar\\1.bin\\65datact.dll"	00000dfcT8SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cd1d181e-c654-4ca5-9d09-b3648537fd7d}\Version	00000dfcT8SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D97143C2-4282-496B-BDC4-7EC852F1497C}\TypeLib\Version = "1.0"	00000dfcT8SETUP.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE
2456	00000dfcT8SETUP.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3116	65srchmn.exe
4484	AppIntegrator64.exe
3112	65brmon.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2456	3580	3805ed8a271ce1e3eb9c80ce61945ede_JaffaCakes118.exe	84
PID 3580 wrote to memory of 2456	3580	3805ed8a271ce1e3eb9c80ce61945ede_JaffaCakes118.exe	84
PID 3580 wrote to memory of 2456	3580	3805ed8a271ce1e3eb9c80ce61945ede_JaffaCakes118.exe	84
PID 2456 wrote to memory of 4484	2456	00000dfcT8SETUP.EXE	87
PID 2456 wrote to memory of 4484	2456	00000dfcT8SETUP.EXE	87
PID 2456 wrote to memory of 3116	2456	00000dfcT8SETUP.EXE	88
PID 2456 wrote to memory of 3116	2456	00000dfcT8SETUP.EXE	88
PID 2456 wrote to memory of 3116	2456	00000dfcT8SETUP.EXE	88
PID 2456 wrote to memory of 2372	2456	00000dfcT8SETUP.EXE	89
PID 2456 wrote to memory of 2372	2456	00000dfcT8SETUP.EXE	89
PID 2456 wrote to memory of 2372	2456	00000dfcT8SETUP.EXE	89
PID 2456 wrote to memory of 4832	2456	00000dfcT8SETUP.EXE	90
PID 2456 wrote to memory of 4832	2456	00000dfcT8SETUP.EXE	90
PID 2456 wrote to memory of 4832	2456	00000dfcT8SETUP.EXE	90
PID 2456 wrote to memory of 3112	2456	00000dfcT8SETUP.EXE	91
PID 2456 wrote to memory of 3112	2456	00000dfcT8SETUP.EXE	91
PID 2456 wrote to memory of 3112	2456	00000dfcT8SETUP.EXE	91
PID 2456 wrote to memory of 3012	2456	00000dfcT8SETUP.EXE	93
PID 2456 wrote to memory of 3012	2456	00000dfcT8SETUP.EXE	93
PID 2456 wrote to memory of 3012	2456	00000dfcT8SETUP.EXE	93

C:\Users\Admin\AppData\Local\Temp\3805ed8a271ce1e3eb9c80ce61945ede_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3805ed8a271ce1e3eb9c80ce61945ede_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\00000dfcT8SETUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\00000dfcT8SETUP.EXE" /p=^Y6/n="FromDocToPDF"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\PROGRA~2\FROMDO~1\bar\1.bin\AppIntegrator64.exe
    "C:\PROGRA~2\FROMDO~1\bar\1.bin\AppIntegrator64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4484
- - C:\PROGRA~2\FROMDO~1\bar\1.bin\65srchmn.exe
    "C:\PROGRA~2\FROMDO~1\bar\1.bin\65srchmn.exe" /m=2 /w /h /r
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3116
- - C:\PROGRA~2\FROMDO~1\bar\1.bin\65barsvc.exe
    "C:\PROGRA~2\FROMDO~1\bar\1.bin\65barsvc.exe" -remove
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\PROGRA~2\FROMDO~1\bar\1.bin\65barsvc.exe
    "C:\PROGRA~2\FROMDO~1\bar\1.bin\65barsvc.exe" -install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4832
- - C:\PROGRA~2\FROMDO~1\bar\1.bin\65brmon.exe
    "C:\PROGRA~2\FROMDO~1\bar\1.bin\65brmon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3112
- - C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65HighIn.exe
    "C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65HighIn.exe" 65tpinst.dll,#5
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3012

C:\PROGRA~2\FROMDO~1\bar\1.bin\65barsvc.exe
C:\PROGRA~2\FROMDO~1\bar\1.bin\65barsvc.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\FROMDO~1\bar\1.bin\65barsvc.exe

Filesize
41KB

MD5
622fcf264119f7df127be353f796b319

SHA1
56cf4f2ac44c6add5cdcd419ba4b99d22dc7a0e3

SHA256
6689d8f62f860178685496ef45520967afaeff94cfbcc64cf77074f21577e0a2

SHA512
57b261c5b9f30d6fc7da6ee70200c22cd07d11b94bf9107fba7fe793195112ce90b34bcc7774adf87de00b0abbc621602e7e164caf28975056d952d0eb1d7c6c

Download Submit
C:\PROGRA~2\FROMDO~1\bar\1.bin\65brmon.exe

Filesize
29KB

MD5
35d6caaa9e4d82974a74dbdb53801f98

SHA1
0f78fe90af015b0a511ede007bd1791a341e891e

SHA256
5418b7bb40b097da6370ada1194f8b2d2d3eefa3ca36a6eb31d39df7791a25a3

SHA512
bdace57d273841bb476289d6fe9803c57a48ab7ce630b8797f848f6eb7816b00b43223fd28c8caa440b1b1d027a2dcf3cc9cee007fcf5905650d15e800c8b245

Download Submit
C:\PROGRA~2\FROMDO~1\bar\1.bin\65srchmn.exe

Filesize
43KB

MD5
fb85f333d10b1475650c4304f99a1ece

SHA1
8ace75f6c2417666ad9d60837b72d78b394c3944

SHA256
bed200cccbab9d0b7f5ff299b74a0ff52731366da956960fc3ea45edaaf9cb10

SHA512
715af74edd2b66cad493a7f0c9a72a8ea9984dbc267ea05b4e4f8a7d987eef32779d1574c4ad95f8c00dcb60dd57d10f1a274402618b394ff5b1a185a5edfb20

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65Plugin.dll

Filesize
67KB

MD5
de7f03c3b7194eecdf0c9af3ae400d7c

SHA1
cbf93e0f6ff8ae054c18bdbe477cbfaf9f467cf9

SHA256
20c4ee40010959c2b74f5bae90fcf433e25f74de3907173293c3799f8c851c2e

SHA512
354d0840f86113dde2d6247ec7830708c3fc79af19df1a676ab5c07f9e83583b628058ffe22742b85fec08b2a09e47ac7d129a7cfa4e414fae17436cc9c2c90d

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65SrcAs.dll

Filesize
61KB

MD5
cb31249537d2758f73046888aa02ca7a

SHA1
be21d76e502d546b2d88093e13f07923eb59380b

SHA256
3d43bed1f03d4b7c744f6dd7031fa98d13ee482b43ee7828a7dc5427cabeb835

SHA512
885025a255c2a18000bcd11cf9cf4d3bb2e7c5b4236b5defe881ab1a8c32b09c7a12d458d966adbf575fd46881ba1db5a945ab612bce995175effd1ea81b8d99

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65auxstb.dll

Filesize
29KB

MD5
22ae719e91b4bfcdf6122d3e2a0f272e

SHA1
99df98dfef4b483889fa88162d20ee46340a5dbe

SHA256
2529f6465570ac7f0b82613c694181cc10515ee045cfaa48dd7402e9b9d791bf

SHA512
61028e30c28501f0c18c00ec8888cec3eade43b823a545608fc6ee9c6c2529723b5bede0cb2d4a016562a8ad4a59b1cf2b6ed00d1f745387ef9f15b05b63ce8f

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65bar.dll

Filesize
695KB

MD5
f86336c978311761bc3e2a80b08d46bc

SHA1
1a77ea9e7975b74fb40a3b624896e30caa8ccc3e

SHA256
f99827a6134d064f7fdd3582034c1e5c1af4d8fda796cae3070d29511f2c711e

SHA512
1166d854345b11788df637d1b0af69914957dfdf0630816f58a8a2c482f9481038831e109ca3b63829ad2e5b280dbf5e31f635a35dc6aadc01d790febf0d2282

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65bprtct.dll

Filesize
150KB

MD5
6c0323f452235446604b1f54341e8bb8

SHA1
0ff3588ecb69d2b18c6faec012672ca2f60314f6

SHA256
0911baadea3a57160214f794034afbe9fa54e633af633e51c73e39a013c629e8

SHA512
da777a2030b81dbdf3bfb0c1aa4d937ff0285818872e340b9beb693e84b9632b990d23a135bf24bc2db1023f9e9fa69376e386817bd7da7ded69fc750ef58648

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65brstub.dll

Filesize
33KB

MD5
d3efe03300caf0fa2215206280d31220

SHA1
12ff3195bdaca5482034aac3c3e132d5ada421a9

SHA256
b67d6eba635dc1cec42eec2d1a1ceee34e43cb3a55e6080b1a17d29af5d9cf08

SHA512
a2e32cc4926e017f04a7feb3ed9da4a32741109b75ca845cdadc20b577c4d96f1de4d05e08466559c174b46731e0f8c35f305082c845f298c55779c6058e96a0

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65datact.dll

Filesize
97KB

MD5
70a6b86cb0a6a3f7b35421ec7b9f5b7f

SHA1
baefcb03679575349e01668c4f0938643baaa022

SHA256
0059d01f099fffa09373a6ead57f3cd1c6772667b9a7eeb6edabca3cd1963cf1

SHA512
4d6cdd61afb68b3fe6b705c2298ce35a1e42834c17e4faae11413bda44f0739647b6d773e73b530046c37ec0e15d8687f7546c0cdf30dedf5b5ab2adbd8c427d

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65dlghk.dll

Filesize
49KB

MD5
8fb2c1103382577f8248d83e7487ea86

SHA1
0c88efcfa1c77d597111125a6c031ceb47b18ba7

SHA256
2e274740283a6977d068baf1d1535d7e235fbcfc0b7f620cb87bd42e07d30344

SHA512
bc5564d1129cfe1aa1a1c12ea180253807d132ddf4a442ddde12851b2250d77534fde7e2b7db88151707f5a6b29ed9b9f86e7c0fee2931f48d75846a408bbe52

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65dyn.dll

Filesize
53KB

MD5
8d721a2bc356a862ac8b2349bbeb614c

SHA1
8090e240f528004402b29c11e5072bed79d95384

SHA256
5dc33b6ae31bb0b277f6db3b983e4adf5c509646b574c0630864ef462c6626c3

SHA512
57a61aef5c03e69ee26fc7baf3ae30198b95c28b0d8887e86015683c94ced7cb7e6a5cc310da13bb32d87f81ab33778c412d60f48a4f646e18d17242b609fb10

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65feedmg.dll

Filesize
89KB

MD5
f18d8bcb38dfd1409cf19f3ebd3de3ea

SHA1
2ca2ea6cf1ad1fe87c25d4ab6b1c7729e48c6390

SHA256
090686b394ebf791b262b97249b20083c6a78e6cb04847a3ba643eb64c5ff184

SHA512
b251f89728dda4f7250d39c6875d5362a89076340df34fc04f5d03773c354b0297bce2d9d898c5359339bdba49620fb143d72b5d9a6ce4ef2ab33ddab57e73a7

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65highin.exe

Filesize
21KB

MD5
635f5e4b01597d0baf2422245c8ff541

SHA1
9788294f2b8ab28dbae4c73bb61a6b1200bdd89d

SHA256
b1c485330062beb4d02e3e67e68de82c6ffa22b0bbf1eeb6356d2ae15d03249d

SHA512
d93fe70d449df96321d30f2ebd725af2cf07f0ebead6ba9db4af47ee513160d1a6a8f78533c642fe685609438a2d1af00089aaee202b820fc7bf7a2cca9ead02

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65hkstub.dll

Filesize
33KB

MD5
98e56fd43f64538baa9b1f367951091f

SHA1
9d54baf23397e5f1444bc6471052ad234b76fbd3

SHA256
efbae6177e046b2a1b165cc0aeb1cb4812df29de4da48a8286abb9d02460384d

SHA512
baf47142fcca94069e2ec71eb00457b4187cad831e215e56539d23d01acc842b8bac090fa8d4827c55e4ad16019fd3310f2506515a3cc47cee0b7609585d23c1

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65htmlmu.dll

Filesize
159KB

MD5
65871eaefe51bf6ba0731f4fc62c2f55

SHA1
eaa9d46b8fab8f3d48bb239adfe46ba312434017

SHA256
72d7cb57c8de250ebe3fe65317957b9045a09c4a70d0751f016230f321d0a3f6

SHA512
9e72a3b07de65773e654b433e28ea0189a96d3656ca518948738c6e02edbeb5ea65779699d94490a7589735aa65988287b390a7639b11b1cea226c04262267b9

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65httpct.dll

Filesize
81KB

MD5
6df45cd8b40014f94f1a949fb96d3284

SHA1
978867b422339e68971e56c49c66f14f2acd745d

SHA256
c7a2447a749292e6aa3a8db104b46058af0f044ee376d6ca49a3764955d9b6b1

SHA512
aacbf2c8cf9e06d94b622762d33d2f8614410589ef8f0e02b87006e74c7c0dddab1ebd9e6018b6857b34ffcf5100b896c2bf06067e3bde659972ef966a64d996

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65idle.dll

Filesize
33KB

MD5
121fe87b463651d75c9bff704883c978

SHA1
dc971c75ffce77cc952fb6660a2603e09d62d4d9

SHA256
120b46557864c807dde6be7c0c1e71a2110d784a242dc79159945669d920fdb6

SHA512
75337eb17c5db5276ecdc789e8e075376c18941047358e0946dc710580a5bbf2bf122d0c443e02e04f908bad18b5eb31c84b4e29a0676886af51d754b3bf1520

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65ieovr.dll

Filesize
41KB

MD5
b315203e6d9995156946194516cf5332

SHA1
92ac05fff3ad68271062a3dcb87e12ee6b816ddb

SHA256
aa30c65ee96701116138ebae7d1f0e831452a749f1f9724232a03e660ef13f51

SHA512
83d897c787d37804dee112dac89c51066969c59b77080404da0c2f0cd36db478f0eed31f127bc1e636ce3ce4ca4b96a2fc8a4aa62d2da52336fff8d33762ce5d

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65mlbtn.dll

Filesize
45KB

MD5
896943b4b92b7e3f406844674f629076

SHA1
3eb4a6a25199e6339ec04f36189c71738de63ce7

SHA256
f8274d77f804ad805806d531e940956d096f75c6b6b17f34a753f1cbce6c1632

SHA512
35a39b00cf7e0da8b151a6261f833f12e442107157602d0a8cf991a424978158177203b79290f4b0ad8e6d0fee70e4655980727c3db3f26b249c49d98afa7e71

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65msg.dll

Filesize
157KB

MD5
92aad41d2e12e797af52d4bcd75cbed7

SHA1
dfd07b722e317d1cddaab7d5b31bfab57cc5e739

SHA256
a2122cc682e9155708a0a8c12d1e0935231c82a30f4ec1afe0245d8ea4c7e7f6

SHA512
b005d8ed9d9413914a7c3b28277ab7b126843dcf2a4ca28e58c8e5cdb942d11384deb69cd7ecd5bb7d6ac9f5d593de36a5ded07bc8dc68f0b833ae3110276397

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65radio.dll

Filesize
121KB

MD5
4876e787ed8d945838235f8cfe079d05

SHA1
77c8dc985373b1e5d9035ecb3a831c7dd1abfd55

SHA256
97b3a0272aa17e018d91d235cf5e21882a626bfc0ece264a699c25c2999bb9fc

SHA512
dc920a2ad55acc725ee362bab710f50e8edc92729bcc6c1793471e9fef17352218c9680e132ddea95dbe16415c6c2c18cd00b0f52b1c3143395fff8e681e7ac4

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65regfft.dll

Filesize
41KB

MD5
5de55f0f8967fdb31ee5b259a5aba975

SHA1
c5f26031d5e0c487bff0d60aa44603135bf60395

SHA256
159ffbb40567e8ebbcb29a24fa76bad6f1af81f5ec45a75cc5875dcdb5a78e4b

SHA512
72320cec163ee236569a7f747e4aa819a81796f7de13feccd553477546223ca706e67f2554f724b240b1445753129d476485bd2b8e57d413877467437c684028

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65reghk.dll

Filesize
47KB

MD5
071d962e0e256dcf0b360b59ad6897eb

SHA1
a2f202f68fef2a31e9fe3ae124a46b908349778c

SHA256
3f2295b542c1163f96e6cab547074a2d052320874f39ce0ee4428adea9a8fe9e

SHA512
55ae5128c278619452f88b6f1267fa97665d9b49ce1062f88fc920e11287060f96148db414bfc97cee5d8ae85ed5044be3f49eeadbe23e17129c8063c68fe87d

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65regiet.dll

Filesize
41KB

MD5
a4c73c71941826db74af6598336eda99

SHA1
65d604a070334183e5034cdeec5838e46d705794

SHA256
64fa4044c2e8657b84eea6de847254731f20c010eed16bce9e82201dad825c13

SHA512
a8471104d239709c039a56f1aefb0f9004c1b038df3bf830e125a1efbcab5fbe2e77e19d4d78fee50c8357c192dc27e67957cb951225a01907a6322591efe6c4

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65script.dll

Filesize
45KB

MD5
2c0327baa4c4e39bc839fcaeb7156dd2

SHA1
72e48f7f37e208a52ad975eaecab29fc50223c27

SHA256
5b1fe0d4b92c46a303e112763b926c978d5a60462f72327aa4655d7663507652

SHA512
9b2b3e90fdfc5067e3d3f5c13d60103eb036f9e3ba8cce990fb97a17a4668b9033ce823793f03fb39070b140d0e3d1956000d0b339735e938dba40b95c566034

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65skin.dll

Filesize
125KB

MD5
00fbbb2b564dd1f2f54ed0810a08b8d9

SHA1
857980a7b7ab77ff8e34a090ccd76b8ba628e7e4

SHA256
5925099be414f4f006fdbbac9d46b50d2c25e97410e9f1bd931e13ec586cd669

SHA512
13b6e9965fdfe4ec390b5d9146303d34e12dc0e23f85202a0954345cdb83d9d004a98eaf45dd4fb0cfd684546d483b7a23e7dbc63f64df506dd7b5bbc5ed4547

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65sknlcr.dll

Filesize
296KB

MD5
4d660347c844a8bf9ee0fbe4a086bd54

SHA1
496310ee0816b49176e03226db102fae9aa452b4

SHA256
561bd2c1ead9313dc75693b36b8741108113186494c153ede8ae2dfd490b2a7b

SHA512
4c20bf2979083dd55565d866caddd3cb4f7fdc8b606f905698476a96cbd9f2d974b4f0c00ad6c38cd61e3b54e249356c1622384a6753818bbdb3249e0ce33483

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65tpinst.dll

Filesize
175KB

MD5
cf0646bb879911192c833e314e0afc57

SHA1
72489280930f183e34fe5af817f207a5eb65f8d4

SHA256
d6ac1b4a4cf592a269768f5792cd53be89425ed3eed95223dda9a3ca6b42d428

SHA512
0bac280faeffb0c79d1eae260795d94556a81090200d8f59a79dfc09724eee2d0a8ea2e915cb886bd2fa7f74951473a584a68d88a44d6d1c84f714b479a05305

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\65uabtn.dll

Filesize
41KB

MD5
6335d76eb910f4ae1fc616b208c7c300

SHA1
110033f4a78dca521e8ba73f75747e4e3b6ae545

SHA256
54fa5362ab82e7b7d631c48b7931ca50efeac29e2bfbbea30619f8f6be3b45e3

SHA512
60fef65b4fe22ca617d4b5bf7bf3bb3ba44190437666889f26c4e65244b423b97681fcc44d11606ffdc4ccd71b598f096c7b08de07ecf1c82ac0a617963c5ec7

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\AppIntegrator64.exe

Filesize
536KB

MD5
f6dc4156b10629b1bcb37152d3523326

SHA1
630d5fc9acc4932c87263895f554f8c3cb6d4b4a

SHA256
468546874c24817222da03ae6308005a4ce3243b2d0559d88c5466837e8aadda

SHA512
b11deb0863535e0aeb5a9cad6e9add49b3f74020857e4df29cb8755377dd1fd487a66edce1f2a74a2bb521314f72c9430c704a85501b7548618d4e28219f3265

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\AppIntegratorStub64.dll

Filesize
285KB

MD5
205a514bd9275ac0e837c7ac1a80edf5

SHA1
374e378a91209732b48c8416d1e9805e98fdcfa9

SHA256
bccb4c112435ac8ef6246d054c6b7e4254ff2532cf5cc3212f910de9d3803708

SHA512
c0ed9c41765379e4ca0222825e02b088dd42d0bd9797f6948ca49ee9305aad95215e5a5194f2740347f18a4f8a9df535ad915d4577f3a2928b6ba9c3de9cd3a4

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\BOOTSTRAP.JS

Filesize
20KB

MD5
0893b06e5c3e70ba1241c49a980a7d3f

SHA1
bc1a2b25a955999bdb11cb3349aa17a2ff4d9acc

SHA256
1657ef07c715b6e7896c8055dfa5bac9d21e90b15dd8c33d0a0643d714dfbbb1

SHA512
4a1ffbc5b4761afaa6ffef09bb548ae4b6a6e23f458dd72b226fd749e2fd77d755083e1cae77a979684c835a20d81c8fd91f941ecad331289af6ffe14c2d5ae6

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\CHROME.MANIFEST

Filesize
1024B

MD5
08eafec8bd0861f8059bd959045da3a1

SHA1
9cbb7292f4393eac53948180b51aa3bf870b9ea3

SHA256
39aa248351be9d19782ff4ff67628ab80add27d4676cee993bf6b6b7a7b3bc5a

SHA512
28b10ebb52fb1c33a2f787a84e30906d72356bd1c604a2ad5107800d57cc3ed8d10a188ee58c6bf5b2465f6f18e234c314944c967534862955266b0e62f2ebd7

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\CREXT.DLL

Filesize
1.2MB

MD5
e83ba06c9fd18923c168a12e3f30e81d

SHA1
6902d246f8fc2457c9ae369b094292de6eb454bc

SHA256
dce18833e08121db1bb9c56cc9229405ee13cb9b1961956bccfe7679cf929d45

SHA512
eb6d0d601b6a1c8dfdddfe13c69e19eb4031afc34d0788cdb620211123d070e63a99fe7a5bdbbc1070550ea18b55e59273f0d73d6f0eaf1a1d502a491c7c4acb

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\DPNMNGR.DLL

Filesize
283KB

MD5
500b47a48a172c0625692fdcc01b3889

SHA1
244414d9d39e114e7989c3b35a5ff038508ecfc1

SHA256
c62544ba1c451d590883230838373ee89838f6db2327ec4b5a5111460a8e3a49

SHA512
e4677e9a16c3d45401b87443801f6ba69f57b5e9c1537abafbe80c6a98c08b5eba1a54f696fb6aa6fbe03209717d7e648e4a039acc8cc6e4e010c79586864718

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\EXEMANAGER.DLL

Filesize
471KB

MD5
511cda01fb8a730349e0d6577136e053

SHA1
6ff50369661027a1cd5f5e465f78c78913ff84cc

SHA256
0f26dbb7816ed764d475cf640e88b21ee8ff38d2435e1f1ff357adfa03887449

SHA512
edc2b90a8c67094fc500b3ffbfdfafc103a624ec41c3be9a25a242c92bee2a809e5d38d5940d2dade79e0c5f91071987970871b948ead7b5680565b4c722b695

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\Hpg64.dll

Filesize
432KB

MD5
6837c7bb84d6c3200117e05b4fe1d147

SHA1
3d7cd376dfdb97512a376e85fbb7f04344c051b6

SHA256
b9e6945ca093d66a37d44c16f0470e301852e62ceaf522b5672254b00f4c4699

SHA512
e1e08a3c6052a847af2e45dda747d795fd4ffeb491a2322b8400fbe81c3d6933f058493b4548e6e2ef03fb976a470adc46414b432bbaab928dc3154e4eaddd9d

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\INSTALL.RDF

Filesize
2KB

MD5
87b3652a701afccca1ce0cde6e7158d2

SHA1
407be41fc1b14a565781cc83f2880f7408d9114e

SHA256
27b2a08476f2312b45504e191bdcec55c096b82623be7dc76758fd9a34cada32

SHA512
c5eab160eb7cbc1e98ca2e794c506c7a7a2ff948f9bec1e379cc791830627769665c58d3dad52a26f67c75b8101253d70a23a4835621f5ee55685c0308f7b341

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\NP65Stub.dll

Filesize
30KB

MD5
3a907490edf49cc5b49b69b145854483

SHA1
ca556bcd15655e654aa4f4b1e155dd26d9869caf

SHA256
76c263622b89f2fb8ac5ce387264c4989088cd0775f263bef1033fab58db30c0

SHA512
f2eee0611974dcffb99bc2b9175770e8e108722fa602954c78996afda22dad3dfab6477037d1ac3e777ac655c4015b9c7110f207aa832b56e5c5b517bf008d40

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8EXTEX.DLL

Filesize
72KB

MD5
995c45ccb72ab2efdd3f1602ad8ec907

SHA1
2f938d8c9a5d3c9c239793346d43193ba1cbfcd6

SHA256
70e5d3fab80653f3a0d96f4c8ee0cd4034c4b1120b455313ddd1654027887c72

SHA512
20f9009d8039004726409fa62296b2fc6f4a5b461426ad6d7736922f11cbbfffcbb42fb60ec731d239f723fe89ea64a0655f764ef018289fd6c1b01123be5040

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8EXTPEX.DLL

Filesize
78KB

MD5
7f98949c5607f96114dd87a538f2b269

SHA1
b8944722e8d577e67925dd4a72d1d8e44c3bc6ca

SHA256
908e9d66885f2f3d610da9ad2e038acb26622969b2a8fad2da6ad7b0c2d69150

SHA512
aa6a514e830567b9d71c09e61b160fd5766db051c18b8a08ee85c52b58fc939b381111bc641573f0c42676600ef9beca523a0acb1b74434ad0392080e8f5ae8a

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8HTML.DLL

Filesize
99KB

MD5
e8298b19ec987061e98f83dff8c310be

SHA1
7bbff8810bb79104fe275fbbf7de48dcbd877e01

SHA256
ef6c98b1f7aa59cea89f8756e7d2adf8f55de2bdf3f93bcbab542accaa1aa6aa

SHA512
53389d996517ec00538e7afdd6d2f4b8d7a97dfb3e197c467ebfe3d791f48fd6a7263149f8433ad8bbf07fe0d8c4a61913426c3d5ea4e2a183f7633513f3690e

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8RES.DLL

Filesize
190KB

MD5
220c94891891769c6ec0d5d2d9eeac4a

SHA1
cb59f40104a6705bdee3b0ff647221d7041fb2de

SHA256
7985692f6e2f9cfd3255541747960d1643d892d7a259f0b3203b50811bdd381f

SHA512
29eb351ac34845f888a3a05fd7990d02a49953b2c74c864ea985c96621af8fc8a96d2cfa7fe657386e4e95ed5046a180ffc5e46c8a81fc80ceabc4bc8cdaa143

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\T8TICKER.DLL

Filesize
71KB

MD5
3d4aca84349bff8642dc00145bbc51c4

SHA1
2e85c71e79c5b2a65d8ccdd5b21afe559102062f

SHA256
ba9df414f1ec5af8a5a876ae5b4c7d43f5ed2fccfaa16a497c1b34131d97a0c6

SHA512
c1fe162a93d2e2f33369d58fee8eb334a67671a83dd7195c6348891841623342d008b2497abd893f9e4e09844da312c6751c294cef25290e855228eb3ddb58d1

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\chrome\65ffxtbr.jar

Filesize
536KB

MD5
761b9482dd1ae4f8c8f5c2a40552687b

SHA1
eedd231e732381e335d371124f999206d135e7db

SHA256
c76ccfa91a33468e7aeacdea5dd23d8552077f49c8d192eeb05f56f33ce91bd8

SHA512
343a53eb604f1625e639aacb246c0e6b3b13375c87f2a892dcb4c387c9755f1eec60cc9e5934414cf183ce619e11d178fc56eded071a2a5c1a34bd4efdd80027

Download Submit
C:\Program Files (x86)\FromDocToPDF_65\bar\1.bin\installKeys.js

Filesize
206B

MD5
ebf3667ae6014267f8fd65e9f96a8b2a

SHA1
664f8fb3ceed498ed8e83df40ec54dd55aac8444

SHA256
aeb900970de7174284c0a488776adcaeef2721e6f05cc416e32786f5c5e0b2f1

SHA512
c632680e37b88db9168bb666f9d342b6859e116a6ff9cbccfc5f73eb2e4b365412041ca73ee8fb370945d4d35eb105fe3202e7175ba1832750310901992c9e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000D~1.EX_

Filesize
3.9MB

MD5
6d9c6bc5beca9eeaf937786b9bd884e8

SHA1
6ba692e5315bcedcefdcd5d829ec9981bb72f27a

SHA256
8224ddf9590e6a0db2ffd0c89531e164c21be1660bebc953217c35155ec4bc57

SHA512
f20bd7c67a5ce2e341c07459b8d37283b3c139988f04a36eb1417c87b4287bc9bad974f33f5107c615385ec58b099f47e45fc682f6d78eb920f0a80f79e475d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000dfcT8SETUP.EXE

Filesize
9.2MB

MD5
7bea7852d578ee962c10b7b8dbf8a02b

SHA1
87deeea9749926f3a34d590086490a9ee9aea852

SHA256
11847d6444198c7c8d7f960922c239fc3c1d07136f53b5d972f8623a56aa5fe9

SHA512
02fdfb72f7cf216c30808de7dcaed5dddacc1160d1015c3a227725f281447faf259e685aee1d1d67b0b2abc4044d2f876b28a1245106d0739e10f6d0486a2d1f

Download Submit
memory/2456-220-0x00000000039B0000-0x0000000003A5E000-memory.dmp

Filesize
696KB

Download