Malware Analysis Report

2025-06-16 01:46

Sample ID 240406-lktx8aga56
Target e180347578de3564e7dea536a9af509b_JaffaCakes118
SHA256 393d7ddd34d8d91c29a94de6f2c0a648deafd20c851d478e0073cd9430a96554
Tags
redline sectoprat live discovery infostealer rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

393d7ddd34d8d91c29a94de6f2c0a648deafd20c851d478e0073cd9430a96554

Threat Level: Known bad

The file e180347578de3564e7dea536a9af509b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

redline sectoprat live discovery infostealer rat trojan

RedLine

RedLine payload

SectopRAT

SectopRAT payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Looks up external IP address via web service

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 09:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 09:35

Reported

2024-04-06 09:38

Platform

win7-20240221-en

Max time kernel

132s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P464M.tmp\stats.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 332 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
PID 332 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
PID 2732 wrote to memory of 2880 N/A C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe C:\Users\Admin\AppData\Local\Temp\is-P464M.tmp\stats.tmp
PID 2684 wrote to memory of 2932 N/A C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe C:\Users\Admin\AppData\Local\Temp\SMart.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe"

C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe

"C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"

C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe

"C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent

C:\Users\Admin\AppData\Local\Temp\is-P464M.tmp\stats.tmp

"C:\Users\Admin\AppData\Local\Temp\is-P464M.tmp\stats.tmp" /SL5="$301F0,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent

C:\Users\Admin\AppData\Local\Temp\SMart.exe

"C:\Users\Admin\AppData\Local\Temp\SMart.exe"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 09:35

Reported

2024-04-06 09:38

Platform

win10v2004-20240319-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7GE0Q.tmp\stats.tmp N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7GE0Q.tmp\stats.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3460 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
PID 3460 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
PID 4376 wrote to memory of 3156 N/A C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe C:\Users\Admin\AppData\Local\Temp\is-7GE0Q.tmp\stats.tmp
PID 3772 wrote to memory of 400 N/A C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe C:\Users\Admin\AppData\Local\Temp\SMart.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e180347578de3564e7dea536a9af509b_JaffaCakes118.exe"

C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe

"C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"

C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe

"C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent

C:\Users\Admin\AppData\Local\Temp\is-7GE0Q.tmp\stats.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7GE0Q.tmp\stats.tmp" /SL5="$901F8,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent

C:\Users\Admin\AppData\Local\Temp\SMart.exe

"C:\Users\Admin\AppData\Local\Temp\SMart.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2260,i,4762972005863767630,9297428255150568035,262144 --variations-seed-version /prefetch:8

Network

Files
