Malware Analysis Report

2025-08-10 12:05

Sample ID 240222-y6pa3seg3z
Target embergen-latest (1).exe
SHA256 137f77db24ac5102a538f116472e93100f74df425b2352f0274ae36197cc1326
Tags
discovery upx
score
7/10

Analysis Overview

score
7/10

SHA256

137f77db24ac5102a538f116472e93100f74df425b2352f0274ae36197cc1326

Threat Level: Shows suspicious behavior

The file embergen-latest (1).exe was found to show suspicious behavior.

Malicious Activity Summary

discovery upx

UPX packed file

Drops file in Program Files directory

Loads dropped DLL

Checks installed software on the system

Executes dropped EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-02-22 20:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 20:24

Reported

2024-02-22 20:27

Platform

win7-20240221-en

Max time kernel

117s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"

Signatures

UPX packed file

upx

Checks installed software on the system

discovery

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8I240.tmp\embergen-latest (1).tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8I240.tmp\embergen-latest (1).tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe C:\Users\Admin\AppData\Local\Temp\is-8I240.tmp\embergen-latest (1).tmp
PID 2912 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\is-8I240.tmp\embergen-latest (1).tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 2520 wrote to memory of 2484 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{AAE7FA73-DE0D-4CA8-9B1F-1D1DB5F9E417}\.cr\VC_redist.x64.exe
PID 2912 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\is-8I240.tmp\embergen-latest (1).tmp C:\Program Files\JangaFX\EmberGen\EmberGen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe

"C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"

C:\Users\Admin\AppData\Local\Temp\is-8I240.tmp\embergen-latest (1).tmp

"C:\Users\Admin\AppData\Local\Temp\is-8I240.tmp\embergen-latest (1).tmp" /SL5="$70126,81894518,832512,C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

"C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{AAE7FA73-DE0D-4CA8-9B1F-1D1DB5F9E417}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{AAE7FA73-DE0D-4CA8-9B1F-1D1DB5F9E417}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

"C:\Program Files\JangaFX\EmberGen\EmberGen.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 20:24

Reported

2024-02-22 20:27

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"

Signatures

UPX packed file

upx

Checks installed software on the system

discovery

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp
PID 1644 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp
PID 1644 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp
PID 536 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 536 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 536 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 1248 wrote to memory of 2576 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe
PID 1248 wrote to memory of 2576 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe
PID 1248 wrote to memory of 2576 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe
PID 536 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp C:\Program Files\JangaFX\EmberGen\EmberGen.exe
PID 536 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp C:\Program Files\JangaFX\EmberGen\EmberGen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe

"C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"

C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp

"C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp" /SL5="$400E2,81894518,832512,C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

"C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

"C:\Program Files\JangaFX\EmberGen\EmberGen.exe"
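The WriteProcessMemory rows above and the Processes list together describe one installer chain, and the heuristic fires on ordinary parent-to-child writes made at process creation, so the useful check is whether every written-to PID is a direct child in that chain rather than some unrelated process. The script below is an added example, not part of the sandbox report: it parses the report's own rows (the constructed input repeats two of the duplicate lines to show they are harmless), rebuilds the tree, and labels each stage. The labels are assumptions encoded as string heuristics on the command lines: a .tmp under is-XXXXX.tmp launched with /SL5= is the Inno Setup second-stage loader spawned by the setup stub, and an executable relaunched from C:\Windows\Temp\{GUID}\.cr\ with -burn.clean.room= is a WiX Burn bundle's clean-room copy.

```python
import re
from collections import defaultdict

# Constructed input: "Suspicious use of WriteProcessMemory" rows copied from
# this report (the sandbox prints each parent/child pair several times).
WPM_ROWS = r"""
PID 1644 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp
PID 1644 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp
PID 536 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 1248 wrote to memory of 2576 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe
PID 536 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp C:\Program Files\JangaFX\EmberGen\EmberGen.exe
""".strip().splitlines()

# Constructed input: command lines from the "Processes" section, keyed by PID.
COMMAND_LINES = {
    1644: r'"C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"',
    536: r'"C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp" /SL5="$400E2,81894518,832512,C:\Users\Admin\AppData\Local\Temp\embergen-latest (1).exe"',
    1248: r'"C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" /install /quiet /norestart',
    2576: r'"C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart',
    4860: r'"C:\Program Files\JangaFX\EmberGen\EmberGen.exe"',
}

# Both paths start with "C:\", so a non-greedy match up to the next " C:\" splits them.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_wpm(rows):
    """Map (parent_pid, child_pid) -> (parent_image, child_image); duplicates collapse."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges[(int(m[1]), int(m[2]))] = (m[3], m[4])
    return edges


def build_tree(edges):
    children, image = defaultdict(list), {}
    for (parent, child), (pimg, cimg) in edges.items():
        children[parent].append(child)
        image.setdefault(parent, pimg)
        image.setdefault(child, cimg)
    return dict(children), image


def roots(children):
    """PIDs that wrote to others but were never written to: the process the user ran."""
    written_to = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in written_to)


def lineage(children, pid):
    """Chain of PIDs from the root down to pid."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return chain


def stage_of(pid, children, cmdlines):
    """Assumed installer-stage labels, derived only from command-line markers."""
    own = cmdlines.get(pid, "")
    kids = [cmdlines.get(c, "") for c in children.get(pid, [])]
    if "/SL5=" in own:
        return "inno-setup-loader"      # is-XXXXX.tmp\*.tmp started with /SL5 by the stub
    if "-burn.clean.room=" in own:
        return "burn-clean-room"        # WiX Burn relaunch from C:\Windows\Temp\{GUID}\.cr\
    if any("/SL5=" in k for k in kids):
        return "inno-setup-stub"        # the setup.exe that spawned the /SL5 loader
    if any("-burn.clean.room=" in k for k in kids):
        return "burn-bundle"            # bundle exe that spawned its clean-room copy
    return "other"


def render_tree(children, image, cmdlines, pid, depth=0):
    lines = [f"{'  ' * depth}{pid}  {image[pid]}  [{stage_of(pid, children, cmdlines)}]"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, image, cmdlines, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    children, image = build_tree(edges)
    for root in roots(children):
        print("\n".join(render_tree(children, image, COMMAND_LINES, root)))
```

Every written-to PID here resolves to a child of the single root 1644, which is what you expect from an installer; a PID that appears as a WriteProcessMemory target without appearing in the Processes list as a spawned child is the case that would deserve a closer look.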

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
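Fourteen of the sixteen rows are in-addr.arpa queries. Those are reverse lookups of addresses the host already had in hand, not connections to a domain, and on a Windows sandbox VM they are frequently the operating system's own doing, so they should be read separately from the one forward lookup and TLS connection to g.bing.com. The script below is an added example, not part of the report: it parses the table as printed, turns each PTR query name back into the address it asks about, and groups those addresses by prefix so the analyst can see which networks the host was resolving.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: the "Network" table of this report, copied as printed.
NETWORK_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
""".strip().splitlines()

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def ptr_to_ip(name):
    """Reverse an IPv4 in-addr.arpa query name into the address it refers to, or None."""
    m = PTR_RE.match(name)
    if not m:
        return None
    # PTR names carry the octets in reverse order; IPv4Address() validates each octet.
    return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))


def parse_network(lines):
    rows = []
    for line in lines[1:]:                      # skip the header row
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Split reverse lookups (addresses already known to the host) from forward traffic."""
    reverse, forward = [], []
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip:
            reverse.append(ip)
        else:
            forward.append((r["domain"], r["host"], r["port"], r["proto"]))
    return reverse, forward


def group_by_prefix(ips, prefixlen=8):
    """Count decoded addresses per network at the given prefix length."""
    counts = Counter()
    for ip in ips:
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return dict(counts)


if __name__ == "__main__":
    reverse, forward = summarize(parse_network(NETWORK_TABLE))
    print("forward:", forward)
    print("reverse lookups by /8:", group_by_prefix(reverse))
```

Attribution still needs the process column the table does not carry: this report does not say which PID issued each query, so the example classifies the queries by kind and leaves the question of who sent them open.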

Files

memory/1644-0-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp

MD5 dd31b033b30ec195841653d64d5398df
SHA1 7c8c4df7ab82b20e8cf35a52f4258898fb1d6725
SHA256 25215efe760b7d32480816783dd80c85e315244c29af3b316a2bc6f342390599
SHA512 3b4d13bd873b62658f4c19d25b17cb5fd1e9888fe74a9ff6e61d31e07ce9c388cf4d7c51f73991d7819ebe0ba6e49ad386793d460bb9ae354d0e580055c5380f

memory/536-5-0x0000000002800000-0x0000000002801000-memory.dmp

memory/1644-7-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/536-8-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 09549bc0868ba15007f508298c2a30fc
SHA1 dc11bd53a19acd96e9a9e33611fbe86e28fb153d
SHA256 cef745b71e4e2a187f4286aee5e04f0bdb60dfc3b57a4180de1c803463487c1f
SHA512 6c710717b3a36c488b972619e119b551a71a6850614e40c919248b4bdb62cf53d71543697557d577961f337f263a122b4d844a52936030f519d3458e96555190

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

MD5 291e0c486cbe22cb000c5e541c9e8317
SHA1 64e813bb9024a8e8d5aa64ee20e0d13de97ec7fd
SHA256 9b9dd72c27ab1db081de56bb7b73bee9a00f60d14ed8e6fde45dab3e619b5f04
SHA512 666da980e006648c8ea5eb09ed1d8bafb59bb8c8e798d18bd1c9b1f523237bb7c0d5937813a34ab37f6e0daefe8f2baf9373b73c0c9262fe3a1d88c0f4eae611

C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe

MD5 7f28c88875700454d8fb733341658edd
SHA1 434159872b168112b86e91cf84f4d9d545ab0410
SHA256 92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9
SHA512 7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb

C:\Windows\Temp\{9DB7C42C-03AC-4640-9E27-6FA2181397C7}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{9DB7C42C-03AC-4640-9E27-6FA2181397C7}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/536-429-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 4fca2bb96115a5734b6175db1b7c30b7
SHA1 9d197229f8ad6b114eff4746ebe5319208c1cbb4
SHA256 20c6a765e64f43bda6470a5ec45b07aaa65eb1ebdda4459f6c881526420ebd4e
SHA512 75e4193590e8413774115a66f5e4be0bd42ab31115737221b0ec13c02c776e5e61fd78f0fd72cdef124182693f68e8871af8497858f40d501f10ed0c4876adde

memory/536-437-0x0000000002800000-0x0000000002801000-memory.dmp

C:\Program Files\JangaFX\EmberGen\TurboFloat.dll

MD5 e63679298cbf7273e4ac8f4bf720f68a
SHA1 b4ef94f680090e17b46ed1b4f1d3ebc4ee9bf7ea
SHA256 1475605b46351616689811a3fbcbbaae1bb40b62612986edfbae5e05df096963
SHA512 892e6256d4eaa1e6d31d06b33729def3eb8abfccf2b345dc717ff540a27987956a67bcbf7ad159879ee516beeb2b532676cc220c32f2f36d4cdff37ab470770f

C:\Program Files\JangaFX\EmberGen\TurboActivate.dll

MD5 5bbec33f549e9e44389be11ceb3c3f02
SHA1 3aeb71f10f5fa8b5df59358e0c6e3b7a21a23217
SHA256 f53487d184b268f5ddcecff98c2f62e5141ec0030b54a65f02cc4e7057d5c7ad
SHA512 91df575a850276d9eb4aa19ff32b74e4947a5b5836ee874a95a793603aef3330e7b73e1cca43cfcc432558800f46749e9bb51cb9504847c98e85fdcb81bbe571

memory/4860-438-0x00007FF6AFFF0000-0x00007FF6B2A1C000-memory.dmp

memory/536-440-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1644-441-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4860-443-0x00007FF6AFFF0000-0x00007FF6B2A1C000-memory.dmp
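The Files section lists C:\Program Files\JangaFX\EmberGen\EmberGen.exe twice with different digests, and it interleaves memory-dump ranges with dropped-file hashes. The report does not say why the same path carries two hashes (an installer writing a staged copy and then the final binary is one ordinary explanation), so the check below only surfaces it. This is an added example, not part of the sandbox output: it parses a constructed copy of the section (MD5, SHA1 and SHA256 kept, SHA512 omitted for brevity), validates digest lengths, flags any path recorded with more than one distinct content, and summarises the dumped memory ranges, noting which sit at 0x400000, the classic default image base of a 32-bit PE.

```python
import re
from collections import defaultdict

# Constructed input: entries copied from the "Files" section of this report.
FILES_SECTION = r"""
memory/1644-0-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PIANJ.tmp\embergen-latest (1).tmp

MD5 dd31b033b30ec195841653d64d5398df
SHA1 7c8c4df7ab82b20e8cf35a52f4258898fb1d6725
SHA256 25215efe760b7d32480816783dd80c85e315244c29af3b316a2bc6f342390599

memory/536-8-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 09549bc0868ba15007f508298c2a30fc
SHA1 dc11bd53a19acd96e9a9e33611fbe86e28fb153d
SHA256 cef745b71e4e2a187f4286aee5e04f0bdb60dfc3b57a4180de1c803463487c1f

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

MD5 291e0c486cbe22cb000c5e541c9e8317
SHA1 64e813bb9024a8e8d5aa64ee20e0d13de97ec7fd
SHA256 9b9dd72c27ab1db081de56bb7b73bee9a00f60d14ed8e6fde45dab3e619b5f04

C:\Windows\Temp\{02A7ED19-B25A-402E-B565-F27C9AE92F1F}\.cr\VC_redist.x64.exe

MD5 7f28c88875700454d8fb733341658edd
SHA1 434159872b168112b86e91cf84f4d9d545ab0410
SHA256 92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 4fca2bb96115a5734b6175db1b7c30b7
SHA1 9d197229f8ad6b114eff4746ebe5319208c1cbb4
SHA256 20c6a765e64f43bda6470a5ec45b07aaa65eb1ebdda4459f6c881526420ebd4e

C:\Program Files\JangaFX\EmberGen\TurboFloat.dll

MD5 e63679298cbf7273e4ac8f4bf720f68a
SHA1 b4ef94f680090e17b46ed1b4f1d3ebc4ee9bf7ea
SHA256 1475605b46351616689811a3fbcbbaae1bb40b62612986edfbae5e05df096963

memory/4860-438-0x00007FF6AFFF0000-0x00007FF6B2A1C000-memory.dmp
memory/1644-441-0x0000000000400000-0x00000000004D8000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}   # hex digits per algorithm
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")


def parse_files(text):
    """Return (file records with their hashes, memory-dump regions)."""
    records, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": start,
                            "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            current["hashes"][m[1]] = m[2].lower()
            continue
        current = {"path": line, "hashes": {}}   # anything else starts a new file record
        records.append(current)
    return records, regions


def malformed_hashes(records):
    """(path, algorithm) pairs whose digest length does not fit the algorithm."""
    return [(r["path"], alg) for r in records
            for alg, digest in r["hashes"].items() if len(digest) != HASH_LEN[alg]]


def conflicting_paths(records, alg="SHA256"):
    """Paths recorded more than once with different content, in the order seen."""
    seen = defaultdict(list)
    for r in records:
        digest = r["hashes"].get(alg)
        if digest and digest not in seen[r["path"]]:
            seen[r["path"]].append(digest)
    return {path: digests for path, digests in seen.items() if len(digests) > 1}


def region_summary(regions):
    """Distinct (pid, start, end) ranges with size, dump count and default-base flag."""
    out = {}
    for r in regions:
        key = (r["pid"], r["start"], r["end"])
        entry = out.setdefault(key, {"size": r["size"], "dumps": 0,
                                     "default_32bit_base": r["start"] == 0x400000})
        entry["dumps"] += 1
    return out


if __name__ == "__main__":
    recs, regs = parse_files(FILES_SECTION)
    print("malformed:", malformed_hashes(recs))
    print("conflicts:", conflicting_paths(recs))
    for key, info in region_summary(regs).items():
        print(key, info)
```

The two low-address ranges (PIDs 1644 and 536, both starting at 0x400000) belong to the 32-bit stub and loader, while the PID 4860 range starts at 0x00007FF6AFFF0000, a relocated 64-bit image base; that difference, together with the two EmberGen.exe digests, is what an analyst would want to see side by side before deciding which dump to unpack.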