Malware Analysis Report

2025-08-10 12:06

Sample ID: 240222-yzywyafb24
Target: JangaFXEmberGenEnt1.0.4_DownloadPirate.com.rar
SHA256: f91c0dfc57f4d990e3572ea57203fce13090ab3cd52bb57456bd52f398a92c78
Tags: upx, discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 7/10
SHA256: f91c0dfc57f4d990e3572ea57203fce13090ab3cd52bb57456bd52f398a92c78
Threat Level: Shows suspicious behavior

The file JangaFXEmberGenEnt1.0.4_DownloadPirate.com.rar was found to show suspicious behavior.

Malicious Activity Summary

Tags: upx, discovery

UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-22 20:14

Signatures

UPX packed file [upx]
1 match; Description, Indicator, Process and Target all N/A

Unsigned PE
2 matches; Description, Indicator, Process and Target all N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-22 20:14
Reported: 2024-02-22 20:18
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 130s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\Read Me.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\Read Me.txt"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-22 20:14
Reported: 2024-02-22 20:18
Platform: win10v2004-20240221-en
Max time kernel: 141s
Max time network: 154s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\Read Me.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\Read Me.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 188.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-02-22 20:14
Reported: 2024-02-22 20:18
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\crack\EmberGen.exe"

Signatures

UPX packed file [upx]
1 match; Description, Indicator, Process and Target all N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\crack\EmberGen.exe

"C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\crack\EmberGen.exe"

Network

N/A

Files

memory/1948-0-0x000000013F350000-0x0000000141BA7000-memory.dmp

memory/1948-1-0x000000013F350000-0x0000000141BA7000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-02-22 20:14
Reported: 2024-02-22 20:18
Platform: win10v2004-20240221-en
Max time kernel: 120s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\crack\EmberGen.exe"

Signatures

UPX packed file [upx]
1 match; Description, Indicator, Process and Target all N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\crack\EmberGen.exe

"C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\crack\EmberGen.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 188.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4044-0-0x00007FF783FB0000-0x00007FF786807000-memory.dmp

memory/4044-1-0x00007FF783FB0000-0x00007FF786807000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted: 2024-02-22 20:14
Reported: 2024-02-22 20:18
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\out.exe

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-02-22 20:14
Reported: 2024-02-22 20:17
Platform: win10v2004-20240221-en
Max time kernel: 92s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\out.exe

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-02-22 20:14
Reported: 2024-02-22 20:18
Platform: win10v2004-20240221-en
Max time kernel: 137s
Max time network: 162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe"

Signatures

UPX packed file [upx]
5 matches; Description, Indicator, Process and Target all N/A

Checks installed software on the system [discovery]

Drops file in Program Files directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\is-57CBI.tmp\embergen_1_0_4_installer.tmp
Target (every row): N/A

Description: Indicator
File created: C:\Program Files\JangaFX\EmberGen\is-D0LKM.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-NHKD4.tmp
File opened for modification: C:\Program Files\JangaFX\EmberGen\license_manager.exe
File opened for modification: C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-QMA3I.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-AM2AT.tmp
File created: C:\Program Files\JangaFX\EmberGen\is-AM5QB.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-QKGUN.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-UO0HP.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-SD0DS.tmp
File created: C:\Program Files\JangaFX\EmberGen\is-QDVMR.tmp
File opened for modification: C:\Program Files\JangaFX\EmberGen\TurboActivate.dll
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-A8OJP.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-FNMSN.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-1USCR.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-2O8SO.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-Q8BID.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-QQKET.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-NCPOF.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-FHQHJ.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-SUSQF.tmp
File created: C:\Program Files\JangaFX\EmberGen\is-Q1LMM.tmp
File created: C:\Program Files\JangaFX\EmberGen\meshes\is-BBSIF.tmp
File created: C:\Program Files\JangaFX\EmberGen\templates\is-TS4MD.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-25F48.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-UUQMH.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-E8CF3.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-885SL.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-J96K7.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-5CELF.tmp
File created: C:\Program Files\JangaFX\EmberGen\unins000.dat
File created: C:\Program Files\JangaFX\EmberGen\is-KKAQS.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-LF08Q.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-57P15.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-88MRP.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-0CIVQ.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-SK6P3.tmp
File opened for modification: C:\Program Files\JangaFX\EmberGen\unins000.dat
File opened for modification: C:\Program Files\JangaFX\EmberGen\TurboFloat.dll
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-2S73F.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-8SH9H.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-K3IO7.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-9MUU4.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-S8L49.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-D63GK.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-H96VE.tmp
File created: C:\Program Files\JangaFX\EmberGen\meshes\is-539B3.tmp
File created: C:\Program Files\JangaFX\EmberGen\templates\is-AV9K3.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-IJOJJ.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-MVLC4.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-63Q8H.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-423UC.tmp
File created: C:\Program Files\JangaFX\EmberGen\templates\is-VT2I9.tmp
File created: C:\Program Files\JangaFX\EmberGen\is-GP6GE.tmp
File created: C:\Program Files\JangaFX\EmberGen\is-BLFFR.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-C7BAV.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-DN87V.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-4S53F.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-96CQO.tmp
File opened for modification: C:\Program Files\JangaFX\EmberGen\EmberGen.exe
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-6LMQU.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-2J7BC.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-OCO1S.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-Q2NTA.tmp

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\is-57CBI.tmp\embergen_1_0_4_installer.tmp
Description, Indicator and Target: N/A

Suspicious use of WriteProcessMemory

Indicator is N/A for every row.

PID 2512 wrote to memory of 5008 (3 events)
    Process: C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe
    Target: C:\Users\Admin\AppData\Local\Temp\is-57CBI.tmp\embergen_1_0_4_installer.tmp

PID 5008 wrote to memory of 4684 (3 events)
    Process: C:\Users\Admin\AppData\Local\Temp\is-57CBI.tmp\embergen_1_0_4_installer.tmp
    Target: C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

PID 4684 wrote to memory of 2276 (3 events)
    Process: C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
    Target: C:\Windows\Temp\{4BC4C7E2-6057-4E70-988A-FF142A91B23D}\.cr\VC_redist.x64.exe

PID 5008 wrote to memory of 2068 (2 events)
    Process: C:\Users\Admin\AppData\Local\Temp\is-57CBI.tmp\embergen_1_0_4_installer.tmp
    Target: C:\Program Files\JangaFX\EmberGen\EmberGen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe

"C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe"

C:\Users\Admin\AppData\Local\Temp\is-57CBI.tmp\embergen_1_0_4_installer.tmp

"C:\Users\Admin\AppData\Local\Temp\is-57CBI.tmp\embergen_1_0_4_installer.tmp" /SL5="$80050,59153228,832512,C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe"

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

"C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{4BC4C7E2-6057-4E70-988A-FF142A91B23D}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{4BC4C7E2-6057-4E70-988A-FF142A91B23D}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" -burn.filehandle.attached=648 -burn.filehandle.self=656 /install /quiet /norestart

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

"C:\Program Files\JangaFX\EmberGen\EmberGen.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 wyday.com udp
N/A 127.0.0.1:50653 (no domain) tcp
N/A 127.0.0.1:50655 (no domain) tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

memory/2512-0-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-57CBI.tmp\embergen_1_0_4_installer.tmp

MD5 33e017fa55cece71daf2f1b7a289b380
SHA1 8a834d925e74e9c89f93e9b46c01791e84c2d966
SHA256 d478c7730c76bdb3250acd7f0c7ca5895df7710c3283e2507450ee72bf15f2c7
SHA512 a0457630d8735e07e1ab9832ed71379ccb2630f8ff17738ca706331abf81d0832925e5f14fd555a256268dc089ff81434bbb6afe305039999ef9e0316954f05f

memory/5008-5-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/2512-7-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/5008-8-0x0000000000400000-0x000000000071C000-memory.dmp

memory/5008-11-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/5008-30-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 4be377c5bb118b96fba2e450e0a9267b
SHA1 e1851fcbb81d2aef36cdd6a5a3c07354c8dd85e5
SHA256 208b838755083599b358550988c841f31c6aa835d030a071b6a50cc9e463f05f
SHA512 42fb53dd69c1587c132adf98136b95fcd583038b753c4a46aaf309f0173d9fcd41a84bfc699e201238dbb586eaaadba16d15739a5ca1575efb13f8c383089a6f

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

MD5 6b09e111b6a9c7725cd48e6485b9d823
SHA1 d1ffd368ef9afe60f4102826840aba1e68cabe32
SHA256 7c8996c90a3b310ae8d59f85be3eaf9e4c729422af5a8262f102989a5bc7313b
SHA512 2d8e132485a80b64f6e0dfdef6af2b1da6adadd44ee22b3b7ae348bad4232f94987e08be70d78945c922e78c089bf90344f42fec307f92c2b69377d1186607ff

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

MD5 7677277c01c387582fb317f8bb7ed61b
SHA1 ae1e81cb079c83aeca6ea74913a71674d4d64190
SHA256 3c8a397865058c39c3e92afc33181c3ecc11476d6bf7ed1de540487824019b3b
SHA512 6224ce2492dea48105482987eb0b983e147746a8b803061e08e215f01348e2bb7f60b97650a0bb1edb26d052af632735979d2f7f6f4f8176246688fbf4fba9a1

C:\Windows\Temp\{4BC4C7E2-6057-4E70-988A-FF142A91B23D}\.cr\VC_redist.x64.exe

MD5 57cdadede3379a93633287fd16376b6c
SHA1 fd39252fb552d7dc0967e386eb9324e00f4b242b
SHA256 ac9a98826f75cfdd1fddeb4b5d7c67accb1a1cc2250fa47b664bc7abd87be9d1
SHA512 cb9cef89e24e7f552055aea3bbf4a41198e579bd99a61cbed0392377e044ebbde098a5a05c4453157721b3293a4fa97b89e1087961045913892c33cebe626057

C:\Windows\Temp\{4BC4C7E2-6057-4E70-988A-FF142A91B23D}\.cr\VC_redist.x64.exe

MD5 7f28c88875700454d8fb733341658edd
SHA1 434159872b168112b86e91cf84f4d9d545ab0410
SHA256 92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9
SHA512 7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb

C:\Windows\Temp\{5664C433-4162-4EC4-B3DB-17C21769881C}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{5664C433-4162-4EC4-B3DB-17C21769881C}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/5008-268-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 d03ad72b685952f2a93d15009344761e
SHA1 129e387d997b8974f66987cd3e1d71d14c332b5d
SHA256 6d0a9886c8cfe12c83498a609c86acf8af0b68f0264edfe5cb8f49e4e1b91777
SHA512 201037b914ee9d1b56e55d58e13d83fc758620003c2aee45f618e9299ebfbe1333fcaeee0e6162ee5d5044ed7480b690eb5a8d18177aad94353da210efa506f3

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 6079968d9202a78a86d83fe7423f8fdf
SHA1 0ec307b0ef5f10b6dd2fdc23e87b808ee590fb02
SHA256 1ac719ec362633463f5dbf450f95b84aa34c8be7971f88825d8a1fda684d87c9
SHA512 6ee9a286afa69e976bd2a0bdbbc584fde8bbbd4cb450942575c44539f641fa4343de381029c56b79d8b2c4975dd143d541eafb77f0e802b2e05921d1cebb960e

C:\Program Files\JangaFX\EmberGen\TurboFloat.dll

MD5 e63679298cbf7273e4ac8f4bf720f68a
SHA1 b4ef94f680090e17b46ed1b4f1d3ebc4ee9bf7ea
SHA256 1475605b46351616689811a3fbcbbaae1bb40b62612986edfbae5e05df096963
SHA512 892e6256d4eaa1e6d31d06b33729def3eb8abfccf2b345dc717ff540a27987956a67bcbf7ad159879ee516beeb2b532676cc220c32f2f36d4cdff37ab470770f

C:\Program Files\JangaFX\EmberGen\TurboActivate.dll

MD5 5bbec33f549e9e44389be11ceb3c3f02
SHA1 3aeb71f10f5fa8b5df59358e0c6e3b7a21a23217
SHA256 f53487d184b268f5ddcecff98c2f62e5141ec0030b54a65f02cc4e7057d5c7ad
SHA512 91df575a850276d9eb4aa19ff32b74e4947a5b5836ee874a95a793603aef3330e7b73e1cca43cfcc432558800f46749e9bb51cb9504847c98e85fdcb81bbe571

memory/2068-276-0x00007FF6446A0000-0x00007FF646EF8000-memory.dmp

memory/5008-278-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2512-279-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2068-281-0x00007FF6446A0000-0x00007FF646EF8000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted: 2024-02-22 20:14
Reported: 2024-02-22 20:18
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe"

Signatures

UPX packed file [upx]
10 matches; Description, Indicator, Process and Target all N/A

Checks installed software on the system [discovery]

Drops file in Program Files directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp
Target (every row): N/A

Description: Indicator
File created: C:\Program Files\JangaFX\EmberGen\is-8ERUG.tmp
File created: C:\Program Files\JangaFX\EmberGen\meshes\is-PVQ2C.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-QKJ51.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-VEAPB.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-IB4RN.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-OHQ5G.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-35HRR.tmp
File created: C:\Program Files\JangaFX\EmberGen\is-OOQDS.tmp
File created: C:\Program Files\JangaFX\EmberGen\templates\is-B0ODR.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-R78LM.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-GSQL3.tmp
File opened for modification: C:\Program Files\JangaFX\EmberGen\license_manager.exe
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-TT1NN.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-ON3UN.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-K8787.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-MDAUL.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-FSTHT.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-IR5MR.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-UQAQV.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-D4S3U.tmp
File created: C:\Program Files\JangaFX\EmberGen\is-O6702.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-LLUI2.tmp
File opened for modification: C:\Program Files\JangaFX\EmberGen\TurboFloat.dll
File created: C:\Program Files\JangaFX\EmberGen\is-QG64I.tmp
File created: C:\Program Files\JangaFX\EmberGen\is-AL5EO.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-IJ2J5.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-TPRDT.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-QRTL1.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-D3JN8.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-LFFJC.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-IAJG0.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-IKPH3.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-41177.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-AAK62.tmp
File opened for modification: C:\Program Files\JangaFX\EmberGen\TurboActivate.dll
File created: C:\Program Files\JangaFX\EmberGen\meshes\is-UKCIC.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-7JHGD.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-97G3C.tmp
File created: C:\Program Files\JangaFX\EmberGen\is-CGB8E.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-3J5MJ.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-QF40P.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-Q7SIJ.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-N7F5V.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-KF58O.tmp
File opened for modification: C:\Program Files\JangaFX\EmberGen\unins000.dat
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-6AECJ.tmp
File created: C:\Program Files\JangaFX\EmberGen\meshes\is-A5NDA.tmp
File created: C:\Program Files\JangaFX\EmberGen\meshes\is-BFII9.tmp
File created: C:\Program Files\JangaFX\EmberGen\templates\is-ATHN3.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-FDKNU.tmp
File created: C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-T7TAV.tmp
File created C:\Program Files\JangaFX\EmberGen\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-IOCFG.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-AACG8.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-ME9CO.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-RRDRA.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-1IV30.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-TP9V3.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\is-6K18N.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\is-D61S2.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-0GEUT.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-G6M05.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-QK1FL.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A
File created C:\Program Files\JangaFX\EmberGen\presets_1_0_0\is-EFSJT.tmp C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp
PID 3048 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp
PID 3048 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp
PID 3048 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp
PID 3048 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp
PID 3048 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp
PID 3048 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp
PID 2116 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 2116 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 2116 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 2116 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 2116 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 2116 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 2116 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe
PID 2888 wrote to memory of 1988 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe
PID 2888 wrote to memory of 1988 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe
PID 2888 wrote to memory of 1988 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe
PID 2888 wrote to memory of 1988 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe
PID 2888 wrote to memory of 1988 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe
PID 2888 wrote to memory of 1988 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe
PID 2888 wrote to memory of 1988 N/A C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe
PID 2116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\EmberGen.exe
PID 2116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\EmberGen.exe
PID 2116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\EmberGen.exe
PID 2116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp C:\Program Files\JangaFX\EmberGen\EmberGen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe

"C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe"

C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp" /SL5="$7011E,59153228,832512,C:\Users\Admin\AppData\Local\Temp\JangaFX EmberGen Enterprise v1.0.4 WIN\embergen_1_0_4_installer.exe"

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

"C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

"C:\Program Files\JangaFX\EmberGen\EmberGen.exe"

Network

N/A

Files

memory/3048-1-0x0000000000400000-0x00000000004D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp

MD5 8c313af172b21e782d42119c3237f760
SHA1 c772b4b78044541ae376220a294d2908a0e8138e
SHA256 17892bdc10e7a6522db44c7c54909d8bd5710253c5c35f90570f97423967edf8
SHA512 021f90fb8c676fdf3b3e91b1a144d5084ae0a5cdd1659e6b3b1c5922e005410c0d42ec458c6bd9a2443ef2f939dc4568406c60a01a8a6d8696382bd4bd0bfc5e

C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp

MD5 f73c3a9fbb5f10df460cacff2e11b4f1
SHA1 03c01b8971c6d5f886f53a7c9b6af6e035b9871a
SHA256 547d52b0d414086ecc1912fa3d38f42e2d151b87c717790ed76bc0bb75d5c53b
SHA512 eba7ec1f560a71ee2f140190b2e3728459aeef772831938beac69a553da3ed3a13b05746168814484d153fac30c76ed55a4ef36e3f6d7145ebdbdc191a4b9c30

memory/2116-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/3048-10-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2116-11-0x0000000000400000-0x000000000071C000-memory.dmp

memory/2116-14-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TJIBP.tmp\embergen_1_0_4_installer.tmp

MD5 33e017fa55cece71daf2f1b7a289b380
SHA1 8a834d925e74e9c89f93e9b46c01791e84c2d966
SHA256 d478c7730c76bdb3250acd7f0c7ca5895df7710c3283e2507450ee72bf15f2c7
SHA512 a0457630d8735e07e1ab9832ed71379ccb2630f8ff17738ca706331abf81d0832925e5f14fd555a256268dc089ff81434bbb6afe305039999ef9e0316954f05f

memory/2116-43-0x0000000000400000-0x000000000071C000-memory.dmp

\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 9f683e295245599ec2bb60b35705f072
SHA1 7be9e624c06b4fd48c50b6bacd82a391861d6304
SHA256 419ac9fc8a034176f195f6f951317985061cb8948ce5410d88485334faf828a2
SHA512 d1dfffa54c264dc3e835f85c6c4e4f66e05c5804781e026b974ff409e38e44f51a894fd58ba0be76a711cd3933bc3bf6cb58f849886c4836b8c201f16d89d8ab

memory/2116-177-0x00000000036F0000-0x0000000003700000-memory.dmp

\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 486dad4f2582da48e00fbdc398ba4b50
SHA1 eadecfac6d4b44c733d034ff11463144253778bc
SHA256 c9ce03d7368d3cee0166d76dc74ccbcc718abdb45f9cc8012bdd03407e9e4ab0
SHA512 061aafc4cc7964627d5f9127ea1de80fb47b130fc308e4954d16b9edc3345f94898e3a548381564d328869c8e16f2e7cab140842c7a2c618f74a560085687742

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 8aab5209f0b8895d4974154ffeaaed01
SHA1 b3527d66ae9c297d7b7721ea7ccd5bd1eee7c5dc
SHA256 bf70c276dafbeb713b398f821fe7b4fa926f5b8b00189b5b800b2161cfea6de8
SHA512 8db5a71bd351b04c178e0ebe4fbfff2c3a9ae1412d831d52c6d354beb33d50d26775359919fa2e7fe9e8e3a31c4690db819d8f2cb50a6bfef80f35d4a23d853e

memory/2116-182-0x00000000036F0000-0x0000000003700000-memory.dmp

\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 212b9700489d96c85d785e92a52fcaf9
SHA1 4eeecb162e388544323f07918c7b340bea25f6ec
SHA256 ce8abeafe05caf8f4f488b96925623272b72727a40ce6bda3adeb8f26d688c90
SHA512 7784125f516af6cc39378e76d9ba5914cd08e12b61d1a1b88facfa9c1b20b45e6877ef19902cc3e051129b2fab7d8b2571a726e60a649828dbb74704041a402e

\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 99befd2748f51754fd5368380831bb9a
SHA1 9c2316e7cfdf7c9f04a57b5b5227f80615e22070
SHA256 f8e80d663884091286e8e8a15ce9eac669f3e8d9342ba917440de5dcd81b53f2
SHA512 2690f6326c0817373d7c03b13f61a658a9ea8ba66ca9e83325dd0d1d65a4a5d0a3aadbff96810ec3ab36476746e70cef197cc05cb67de867b843004d12421ec5

\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 7dfe13f890ad379ad6c1fb4fe9cb4cd2
SHA1 5f9ecb6f8dceea2f91393550bb8268882af9243a
SHA256 b2ecde534a0d0e98b5529517bf3d3e1401e8a9ba77f8e3652fa82df029101891
SHA512 5c9ee1ffe66b2306f28dad0815a74d7b337c62fc805642f3659a13f73a1c8c39fbd230aa4c0bd2bebbd05c6431bfe29260b8712f9662a7805eb13133761db758

\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 234db0eb9fdfa5e15fd452e84db6bd5a
SHA1 0530bc767b5fdda976ca75a6a87bc9f499d96a5a
SHA256 2bf81c76f860f363cb67f9a8a2b870f48d13f371d1175efb34f1087d2af82c81
SHA512 a746577fd4e38e1b1c51b276706be7e34584804bf39f28d7f9b74c8ea761479e6133d1f955af31340de2c015b83f27b9c4e530161b40624ccbb2cca25eae512c

\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

MD5 7d9f6fb0d7a6657860e5ed65ffb274f9
SHA1 be6e054237ca3c1918ce22e6b20eb85911eac99a
SHA256 80598fedd43f498cba4672d3997baa106d9d8a5c1aafad521a81727bfac56248
SHA512 85ace8c57d229a805165e85520787d1459c10d13db0dd57e34b5086aaae2bd0d6514dd23295c604d71b786872e0bd8a8750c95f464892936098fc86d8d600e12

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

MD5 c7d539168461f651c9f8c7d209a0bcfe
SHA1 8a844815224e92e710eebe4c9b73bdb80db00537
SHA256 b809d93d76752b80a68dea9dbef12d0c79e1e8d6f4dd793a84c3e9832699af6e
SHA512 adbc9511419afe85c09be83f45e3b71655c1c6724e22009c054fc3726892d6d241930f982453af68106d5483fe5dee870e757b9a805803e25c08a568c86be174

C:\Program Files\JangaFX\EmberGen\VC_redist.x64.exe

MD5 9a5a0f7057b8d04dcc28031fefd6f63c
SHA1 aa8ad9963563ea66fc07c85be3442cb85967b653
SHA256 7e58bdf3960344186719e6265e5e514f2afb5e8214bbe9a569094dba40fd7129
SHA512 1f36544d442fc851e6e56fe8cb3cadff84ac4e2ffbc570fec6a5885b726ab849251c659c94de188ca27a0d1b57846f8d25e09326933a45572f6175d19b289d93

C:\Windows\Temp\{7FF0C0B6-4A62-4840-A1AA-C6EFE302821F}\.cr\VC_redist.x64.exe

MD5 7f28c88875700454d8fb733341658edd
SHA1 434159872b168112b86e91cf84f4d9d545ab0410
SHA256 92d6a54089399fab9f00f25ccf568bdc2f4838aefbf37d51bc1ac94ed41508b9
SHA512 7b0d332ef78506e116ad620eb34424d7ca168822f768c30fe54a55168075e88d9fb40f1c4eb02498c3379843f50ac79bcc3d42a77b82d6157bfbd3fc4bd462fb

\Windows\Temp\{EC9BF963-8A3C-488A-99B5-7ED10E53517D}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{EC9BF963-8A3C-488A-99B5-7ED10E53517D}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/2116-277-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 d6431d4866ab024bc77f64ff90dadd4e
SHA1 a6d1c2efb2e1eb961a91823c3666820f5d1a03e2
SHA256 c50527a3b78bb0f8b301620ca56136c13bf8e18273b5d39ad39f9928fb3d25b3
SHA512 fd56b9d68cac0366d27c9e4afce82ef3dee96cac788016237ea161cf21473d5d557ec151bbe9335236f868a5b7d2f7d3b32ad5474a42f4b16998359359b0e2a5

\Program Files\JangaFX\EmberGen\EmberGen.exe

MD5 a5206b08742b30e9ab863a294b7db896
SHA1 6cb71c762f2999bc57be6da0e82151d6abbf6f57
SHA256 eeb5f2f34a04f983784e166a96b1633860fef881bc84c3972106651644f91b8f
SHA512 b35d41578e2257c35cd74ea863d478af2cc752cb7aa5d263dcfb743a2998f218b4b73912430230fe0226d64f6f47808e59d8db0ad4b4b8c24bcd07712a3f6353

memory/2116-284-0x0000000000400000-0x000000000071C000-memory.dmp

memory/3048-285-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2116-286-0x0000000004290000-0x0000000006AE8000-memory.dmp

memory/2184-287-0x000000013F9D0000-0x0000000142228000-memory.dmp

memory/2116-289-0x0000000004290000-0x0000000006AE8000-memory.dmp