Windows Analysis Report
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

Overview

General Information

Sample URL:	http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download
Analysis ID:	1419158
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Downloads suspicious files via Chrome

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Tries to load missing DLLs

Classification

Signatures

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\license.txt

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown	TCP traffic detected without corresponding DNS query: 104.89.170.181
Source: unknown	TCP traffic detected without corresponding DNS query: 104.89.170.181
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 03 Apr 2024 05:37:32 GMTServer: Apache/2.4.29 (Ubuntu)Set-Cookie: oc0m4jav1y6q=f0v2v8p5hopslc21sc0jealdr2; path=/; HttpOnlyExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Pragma: publicX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Frame-Options: SameoriginContent-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *; connect-src *X-Robots-Tag: noneContent-Disposition: attachment; filename*=UTF-8''MotionPro_Windows_1.2.25%20%281%29.zip; filename="MotionPro_Windows_1.2.25%20%281%29.zip"Content-Transfer-Encoding: binaryContent-Length: 56270833Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/zipData Raw: 50 4b 03 04 0a 00 00 00 00 00 0c a4 8c 57 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 00 00 4d 6f 74 69 6f 6e 50 72 6f 53 65 74 75 70 2f 50 4b 03 04 14 00 00 00 08 00 8d a1 8c 57 0e 76 c0 a1 c7 12 00 00 3e 20 04 00 1e 00 00 00 4d 6f 74 69 6f 6e 50 72 6f 53 65 74 75 70 2f 61 70 70 6c 69 63 61 74 69 6f 6e 2e 69 63 6f ed dd 0b 94 94 f5 79 c7 f1 3f 17 01 11 88 07 51 10 05 d6 14 0d f6 a6 cd 49 a2 69 cd e1 d8 a4 1e 4f 62 1b a3 22 97 05 11 6f 88 09 20 20 de 62 aa 82 17 b4 d6 62 b4 46 31 7a 34 98 63 6a da a3 56 ab 56 13 c1 6a b0 96 1c 1b 2f b1 8a b2 f7 0b 77 f6 c6 b2 c0 ba 4f 9f ff 3b 2f b8 41 f6 9d 57 76 e7 d9 f7 9d f7 fb c9 f9 1d 8d 0b bb 3b 33 ef 77 66 76 66 77 d6 b9 3e fa 3f af 8f 2b 71 13 4a fa bb a3 f4 df 27 e4 fe 83 73 7d 73 ff 3d a0 6f 3b e2 30 17 2c 89 44 64 88 ee 14 dd 6c dd 2d ba 95 ba 55 ba 77 74 d5 ba cd ba 46 5d 13 63 09 5c 63 78 8c 56 87 c7 ec aa f0 18 f6 c7 f2 a5 ba af ea 86 3a 04 f4 bc 18 a0 9b a8 5b a2 7b 59 d7 20 40 71 6b 08 8f f5 25 e1 b1 3f c0 65 8c 9e e6 33 74 f7 e9 6a 05 c8 b6 da b0 85 33 5c 11 d3 d3 77 94 ee 2a dd bb 02 e0 40 7c 1b 8b 75 a3 5c 91 d0 d3 52 a2 5b 1e 7e 7d 04 20 bf 16 dd 8f 7d 3b 2e a5 fc e3 1c ba 65 ba 36 01 70 30 da c2 86 52 f5 98 a1 7e be 33 c2 c7 40 01 74 9f 6f e9 02 97 70 fa 39 9e a0 7b 41 00 14 82 6f eb 04 97 dc db fc 16 01 50 48 3b 92 76 5f 40 3f 9f 15 02 c0 d2 0a d7 cb f4 73 18 a9 5b 23 00 Data Ascii: PKWMotionProSetup/PKWv> MotionProSetup/application.icoy?QIiOb"o bbF1z4cjVVj/wO;/AWv;3wfvfw>?+qJ's}s=o;0,Ddl-UwtF]c\cxV:[{Y @qk%?e3tj3\w*@|u\R[~} };.e6p0R~3@top9{AoPH;v_@?s[#

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /index.php/s/0jEImnXiQQYBh5D/download HTTP/1.1Host: nxtgen.infinitevaults.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: nxtgen.infinitevaults.com

Source: MotionProSetup.exe.6.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MotionProSetup.exe.6.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: OEM.ini.6.dr	String found in binary or memory: http://www.arraynetworks.net

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443

Source: unknown	HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49743 version: TLS 1.2

System Summary

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip (copy)

Jump to dropped file

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: classification engine

Classification label: sus23.win@22/15@4/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\56f01623-0cbf-4c0f-b639-a76b581c07a5.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,11780309818604107129,14762667450560493039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,11780309818604107129,14762667450560493039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"	Jump to behavior

Source: C:\Windows\SysWOW64\7za.exe

File written: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\motionpro_templete.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Drops PE files

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\MotionProSetup.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\license.txt

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 3640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 5640000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\7za.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\MotionProSetup.exe

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6272

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 5_2_0189B1D6 GetSystemInfo,

5_2_0189B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: MotionPro_Windows_1.2.25 (1).zip.crdownload.0.dr, MotionProSetup.exe.6.dr

Binary or memory string: QEMUa

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
103.230.39.225	nxtgen.infinitevaults.com	Singapore	132717	NDCTPL-INNxtGenDatacenterCloudTechnologiesPvtLtd	false
142.250.189.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.214.172	true
nxtgen.infinitevaults.com	103.230.39.225	true
www.google.com	142.250.189.132	true
fp2e7a.wpc.phicdn.net	192.229.211.108	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download	false		unknown

ID:	1419158
Product:	CloudBasic
Start time:	07:39:22
Start date:	03.04.2024
Cookbook:	browseurl.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\MotionProSetup.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	B1A5CA3294E2FD3D84FB0A904B49E2AC	C952E9D75FAC5FE31E916222CBA19E9E4D901580	B1B8A093F284DA0E4734093BB77716D62EA1D173BA3B87F6AD2CA712EEFD4860
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\OEM.ini	Generic INItialization configuration [Settings]	6A7E4B1B133021912921A29C82F70D1E	F69E85185711C6BE4C601491C4E2AC904648DCFE	8C0519BDF254105D9E87DCB0BFBCB2949DC3F6717AD8DB26EF6621DACD9698A5
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\OEM_Help.pdf	PDF document, version 1.7, 10 pages	53A68235AC3F422A050AA00A24DFFB7F	9C92A2C4FE21769616E2C034CB8CFDE8B1D402DC	8676428D34B078DBCE5DB246C1E286E7B958F02212338463B67B5AE279F88231
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\application.ico	MS Windows icon resource - 1 icon, 256x256, 32 bits/pixel	BECCF5D4C9B150458EB681F49308AB02	55BA41E7110AAE84BCBFBE44E49499735D336E1A	D63212E0BA7900F4275F6F2CDA75BEEF5020BFFF6610E1CF50677B2447A62C37
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\connected.ico	MS Windows icon resource - 4 icons, 256x256, 32 bits/pixel, 48x48, 32 bits/pixel	6C8CCDD60D0FB852C01DDAB3021587DB	3FE1ED96B651C824A08FCE358F2BE67C9B7F16A2	AD1EC87083F325461219A8B5CDE50DD891E07431A14C9BFF171FE2015B74EB5B
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\disconnected.ico	MS Windows icon resource - 4 icons, 256x256, 32 bits/pixel, 48x48, 32 bits/pixel	10EAE696FDD23CC5B60A92B84FF84BE2	DE4ADDA1CC15ABBFB642F5A3BBCFAFD38F0E505F	C7DADB88234F951E521C253103C7379740E44F7406A1C9C9CE68085C78BA022F
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\license.txt	ASCII text, with very long lines (1786), with CRLF line terminators	66B25EF01A85BFF0F0405902125B91D5	33669A079CECF9CDEF06B9E3593A5C5E64613A63	69E6449F43A3E6A94BBAD53AEFF4037502BA08A9D0B8A9F62AEF249C026D424A
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\logo.bmp	PC bitmap, Windows 3.x format, 190 x 56 x 24, image size 32032, resolution 3780 x 3780 px/m, cbSize 32086, bits offset 54	ECB17B8B1865BB8579052425E62FD641	9FB66DF0D2801ECC246229F71638EBA7D3706D64	918939AF8ECC484071AC6406AE3DA5F4EF02B700F8DCB3605BBAD14F6D6FA989
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\motionpro_templete.ini	Microsoft Windows Autorun file	7F30C757E4061B1624EDD51E79CCD6F4	6B5C5911E32582D32C709ABB326073D380626443	D439C865557EA57BE2701DA0BC155140D9FDAEAC84BAF17B90A764CDF7627837
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\oauth.png	PNG image data, 120 x 120, 8-bit/color RGBA, non-interlaced	8EC778789C802990694595C9650DC1CF	E361A2F2BF934363823DC0A12E5824447A96567A	430588244B519B73FF72CCDC8A403BA023F9E62A5B3AAB25C29E90BEC6DF6FB1
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\reconnecting.ico	MS Windows icon resource - 4 icons, 256x256, 32 bits/pixel, 48x48, 32 bits/pixel	481EF75896E5883B85ECEB5FE44DE7B3	8AF89E24578901D855B432CCF91275CF43F9936F	2592AC19986332C06451E9AC7226C6618F087EF8CB9D10EBC9DDBA7F314B074B
C:\Users\user\AppData\Local\Temp\unarchiver.log	ASCII text, with CRLF line terminators	7E79B57CBBB897AB8C3E792B3C1CD03D	14AAD758F6762FC070E58A04AC39741AED77D330	929AAC1DB20F924E8E403F2149F12A79A317A4C097E531911E6B65B17DA0C413
C:\Users\user\Downloads\56f01623-0cbf-4c0f-b639-a76b581c07a5.tmp	Zip archive data, at least v1.0 to extract, compression method=store	7F725AB7E7090513C4F8EAE58F0A30D8	C09C27C18C9A0CAAA27687AA9D67093599420478	801C974AC506794A76E5608E486E7A5B8A6611AF435006BA45559B8072E6872E
C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip (copy)	Zip archive data, at least v1.0 to extract, compression method=store	E0DBF15571108481F642249CA872B3C2	C69C00586EB57E68C58399E008F8970EA364067F	2E56DFB330A6FD3E444DAFF427C3F8ADB2912D8BC1053344043DA88F46CBDC81
C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip.crdownload	Zip archive data, at least v1.0 to extract, compression method=store	E0DBF15571108481F642249CA872B3C2	C69C00586EB57E68C58399E008F8970EA364067F	2E56DFB330A6FD3E444DAFF427C3F8ADB2912D8BC1053344043DA88F46CBDC81

Windows Analysis Report
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download