IOC Report
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

loading gif

Files

File Path
Type
Category
Malicious
C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip (copy)
Zip archive data, at least v1.0 to extract, compression method=store
dropped
malicious
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\MotionProSetup.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\OEM.ini
Generic INItialization configuration [Settings]
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\OEM_Help.pdf
PDF document, version 1.7, 10 pages
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\application.ico
MS Windows icon resource - 1 icon, 256x256, 32 bits/pixel
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\connected.ico
MS Windows icon resource - 4 icons, 256x256, 32 bits/pixel, 48x48, 32 bits/pixel
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\disconnected.ico
MS Windows icon resource - 4 icons, 256x256, 32 bits/pixel, 48x48, 32 bits/pixel
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\license.txt
ASCII text, with very long lines (1786), with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\logo.bmp
PC bitmap, Windows 3.x format, 190 x 56 x 24, image size 32032, resolution 3780 x 3780 px/m, cbSize 32086, bits offset 54
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\motionpro_templete.ini
Microsoft Windows Autorun file
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\oauth.png
PNG image data, 120 x 120, 8-bit/color RGBA, non-interlaced
dropped
C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\reconnecting.ico
MS Windows icon resource - 4 icons, 256x256, 32 bits/pixel, 48x48, 32 bits/pixel
dropped
C:\Users\user\AppData\Local\Temp\unarchiver.log
ASCII text, with CRLF line terminators
dropped
C:\Users\user\Downloads\56f01623-0cbf-4c0f-b639-a76b581c07a5.tmp
Zip archive data, at least v1.0 to extract, compression method=store
dropped
C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip.crdownload
Zip archive data, at least v1.0 to extract, compression method=store
dropped
There are 6 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
malicious
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,11780309818604107129,14762667450560493039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
malicious
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download"
malicious
C:\Windows\SysWOW64\unarchiver.exe
"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
C:\Windows\SysWOW64\7za.exe
"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

URLs

Name
IP
Malicious
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download
http://nsis.sf.net/NSIS_Error
unknown
http://nsis.sf.net/NSIS_ErrorError
unknown
http://www.arraynetworks.net
unknown
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download
103.230.39.225

Domains

Name
IP
Malicious
bg.microsoft.map.fastly.net
199.232.214.172
nxtgen.infinitevaults.com
103.230.39.225
www.google.com
142.250.189.132
fp2e7a.wpc.phicdn.net
192.229.211.108

IPs

IP
Domain
Country
Malicious
239.255.255.250
unknown
Reserved
103.230.39.225
nxtgen.infinitevaults.com
Singapore
142.250.189.132
www.google.com
United States
192.168.2.4
unknown
unknown

Memdumps

Base Address
Regiontype
Protect
Malicious
1892000
trusted library allocation
page execute and read and write
4641000
trusted library allocation
page read and write
14EE000
stack
page read and write
FBE000
stack
page read and write
152E000
stack
page read and write
36A9000
trusted library allocation
page read and write
3670000
trusted library allocation
page read and write
5BEF000
stack
page read and write
586E000
stack
page read and write
1AC0000
heap
page read and write
1A90000
trusted library allocation
page read and write
596D000
stack
page read and write
1540000
heap
page read and write
369E000
trusted library allocation
page read and write
367A000
trusted library allocation
page read and write
F30000
heap
page read and write
1690000
heap
page read and write
164E000
stack
page read and write
2D30000
heap
page read and write
14A0000
heap
page read and write
16CD000
heap
page read and write
1940000
heap
page read and write
18A2000
trusted library allocation
page execute and read and write
BBC000
stack
page read and write
16B7000
heap
page read and write
5AEE000
stack
page read and write
13C0000
heap
page read and write
18EB000
trusted library allocation
page execute and read and write
189A000
trusted library allocation
page execute and read and write
36A3000
trusted library allocation
page read and write
16E8000
heap
page read and write
1B50000
heap
page read and write
F7E000
stack
page read and write
1545000
heap
page read and write
135B000
stack
page read and write
59AE000
stack
page read and write
36B0000
trusted library allocation
page read and write
369B000
trusted library allocation
page read and write
18A0000
trusted library allocation
page read and write
368A000
trusted library allocation
page read and write
12AE000
stack
page read and write
18E7000
trusted library allocation
page execute and read and write
18E0000
trusted library allocation
page read and write
5C2E000
stack
page read and write
7F790000
trusted library allocation
page execute and read and write
3641000
trusted library allocation
page read and write
1A8F000
stack
page read and write
BF0000
heap
page read and write
5AAD000
stack
page read and write