
Windows Analysis Report
Notion Setup 4.3.0 (4).exe

Overview

General Information

Sample name: Notion Setup 4.3.0 (4).exe
Analysis ID: 1599301
MD5: 849e4475405de2f405ec0c987c796791
SHA1: ad67cda4c294705ecd45b5e1f14d49b32deb7a1a
SHA256: 4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db
Tags: exe, user-smica83

Detection

DarkGate, MailPassView
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected DarkGate
Yara detected MailPassView
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Notion Setup 4.3.0 (4).exe (PID: 5632 cmdline: "C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe" MD5: 849E4475405DE2F405EC0C987C796791)
    • Autoit3.exe (PID: 4712 cmdline: "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
      • cmd.exe (PID: 5400 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\aagekfg\fbadddg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 6464 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  • cleanup
Name: DarkGate
Description: First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2146236229.0000000004708000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security |
00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security |
00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: Notion Setup 4.3.0 (4).exe | Virustotal: Detection: 11%
Source: Notion Setup 4.3.0 (4).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Notion Setup 4.3.0 (4).exe | Static PE information: certificate valid
Source: Notion Setup 4.3.0 (4).exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_043F411C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A94005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9CD14 FindFirstFileW,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A93CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_017ACF75 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046FA584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046A89F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046A8AFC FindFirstFileA,GetLastError
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046F31F8 FindFirstFileW,FindNextFileW,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046D3D68 FindFirstFileW,FindNextFileW,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046BBD8C FindFirstFileA,FindNextFileA,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046A5974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046FBA70 FindFirstFileW,FindNextFileW,FindClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AA29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2108087654.00000000062EA000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io/ip
Source: Autoit3.exe, 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io/ipU
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://ocsps.ssl.com0
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://ocsps.ssl.com0?
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://ocsps.ssl.com0P
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000000.2096950473.0000000000AF9000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://www.innosetup.com/
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://www.remobjects.com/ps
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/u/0/#inbox
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Autoit3.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2108087654.00000000062EA000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/06
Source: Notion Setup 4.3.0 (4).exe | String found in binary or memory: https://www.ssl.com/repository0
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AA4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AA4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AA4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046DB188 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A90508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00ABD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046D3A74 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046F4478 NtOpenProcess
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046F4420 NtQueryObject,NtQueryObject
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046F44C8 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046F476C Sleep,TerminateThread,NtClose,NtClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046F43EC NtDuplicateObject,NtClose
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046D2CF0 BeginPaint,SetBkMode,TextOutA,EndPaint,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046CAF84 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046CB2A4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A942D5 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A88F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A95778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_06290672
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_0623D7DD
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_062374FB
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_062485F7
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_06242296
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_062312EC
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_0623BC0E
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_06246C1E
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_06278A7C
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_0623C989
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_0626E9EA
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_0441A654
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_0442466A
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_04426239
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_0441A23C
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_04432379
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_044163BC
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_0442ACF2
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_04406D84
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_0441AEBE
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A3B020
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A31663
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A39C80
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A523F5
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AB8400
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A66502
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A3E6F0
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A6265E
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A5282A
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A689BF
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AB0A3A
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A66A74
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A8EDB2
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A5CD51
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AB0EB7
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A98E44
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A66FE6
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A533B7
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A394E0
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A5F409
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A4D45D
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A3F6A0
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A516B4
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A4F628
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A578C3
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A5DBA5
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A51BA8
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A69CE5
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A4DD28
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A51FC0
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A5BFD6
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_017BAA29
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046C6438
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046CA79C
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046DEC00
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046EB1B8
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046E9BD0
Source: Joe Sandbox View | Dropped File: C:\temp\test\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: C:\temp\test\Autoit3.exe | Code function: String function: 00A50D17 appears 70 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 046D21B8 appears 35 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 046A6980 appears 77 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 00A58B30 appears 42 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 046A4668 appears 47 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 00A41A36 appears 34 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 046A4394 appears 100 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 046A4904 appears 92 times
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: String function: 06238768 appears 32 times
Source: Notion Setup 4.3.0 (4).exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Notion Setup 4.3.0 (4).exe | Binary or memory string: OriginalFilename vs Notion Setup 4.3.0 (4).exe
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs Notion Setup 4.3.0 (4).exe
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs Notion Setup 4.3.0 (4).exe
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs Notion Setup 4.3.0 (4).exe
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs Notion Setup 4.3.0 (4).exe
Source: Notion Setup 4.3.0 (4).exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal60.troj.spyw.evad.winEXE@8/4@0/0
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9A6AD GetLastError,FormatMessageW
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A88DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A89399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A94148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9C9DA CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\temp\test\Autoit3.exe | File created: C:\Users\user\AppData\Roaming\GhHcHdd
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | File created: c:\temp\test
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\temp\test\Autoit3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\temp\test\Autoit3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: Notion Setup 4.3.0 (4).exeVirustotal: Detection: 11%
            Source: Notion Setup 4.3.0 (4).exeString found in binary or memory: -Helper process exited with failure code: 0x%x
            Source: Notion Setup 4.3.0 (4).exeString found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
            Source: Notion Setup 4.3.0 (4).exeString found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
            Source: Notion Setup 4.3.0 (4).exeString found in binary or memory: /LoadInf=
            Source: unknownProcess created: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe "C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe"
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeProcess created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
            Source: C:\temp\test\Autoit3.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\aagekfg\fbadddg
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeProcess created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3xJump to behavior
            Source: C:\temp\test\Autoit3.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\aagekfg\fbadddgJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domainJump to behavior
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeSection loaded: apphelp.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: version.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: winmm.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: mpr.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: wininet.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: userenv.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: netutils.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: Notion Setup 4.3.0 (4).exeStatic PE information: certificate valid
            Source: Notion Setup 4.3.0 (4).exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: Notion Setup 4.3.0 (4).exeStatic file information: File size 4266056 > 1048576
            Source: Notion Setup 4.3.0 (4).exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
            Source: Notion Setup 4.3.0 (4).exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1aa400
            Source: Notion Setup 4.3.0 (4).exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: C:\temp\test\Autoit3.exeCode function: 2_2_00AAC6D9 LoadLibraryA,GetProcAddress,2_2_00AAC6D9
            Source: Notion Setup 4.3.0 (4).exeStatic PE information: section name: .didata
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06216768 push ss; ret 0_3_06216800
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06216768 push ss; ret 0_3_06216800
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_062167AB push ss; ret 0_3_06216800
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_062167AB push ss; ret 0_3_06216800
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_062387AD push ecx; ret 0_3_062387C0
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06214C79 push es; ret 0_3_06214C7B
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06214C79 push es; ret 0_3_06214C7B
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06219A32 push 7A3F3F3Eh; ret 0_3_06219C1E
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06219A32 push 7A3F3F3Eh; ret 0_3_06219C1E
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06219BDB push 7A3F3F3Eh; ret 0_3_06219C1E
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06219BDB push 7A3F3F3Eh; ret 0_3_06219C1E
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_0621689F push es; iretd 0_3_062168A3
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_0621689F push es; iretd 0_3_062168A3
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06216768 push ss; ret 0_3_06216800
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06216768 push ss; ret 0_3_06216800
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_062167AB push ss; ret 0_3_06216800
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_062167AB push ss; ret 0_3_06216800
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06214C79 push es; ret 0_3_06214C7B
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06214C79 push es; ret 0_3_06214C7B
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06219A32 push 7A3F3F3Eh; ret 0_3_06219C1E
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06219A32 push 7A3F3F3Eh; ret 0_3_06219C1E
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06219BDB push 7A3F3F3Eh; ret 0_3_06219C1E
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_06219BDB push 7A3F3F3Eh; ret 0_3_06219C1E
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_0621689F push es; iretd 0_3_062168A3
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_3_0621689F push es; iretd 0_3_062168A3
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_2_043F8540 push 043F8607h; ret 0_2_043F85FF
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_2_043F84D4 push 043F84FEh; ret 0_2_043F84F6
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_2_043F84D0 push 043F84FEh; ret 0_2_043F84F6
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_2_043F8500 push 043F8607h; ret 0_2_043F85FF
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_2_043F474C push 043F479Dh; ret 0_2_043F4795
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeCode function: 0_2_043F8090 push 043F820Ch; ret 0_2_043F8204
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exeFile created: C:\temp\test\Autoit3.exeJump to dropped file
            Source: C:\temp\test\Autoit3.exeCode function: 2_2_00AB59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00AB59B3
            Source: C:\temp\test\Autoit3.exeCode function: 2_2_00A45EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00A45EDA
            Source: C:\temp\test\Autoit3.exeCode function: 2_2_00A533B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00A533B7
            Source: C:\temp\test\Autoit3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046FC828 2_2_046FC828
            Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SUPERANTISPYWARE.EXE
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | API coverage: 7.0 %
            Source: C:\temp\test\Autoit3.exe | API coverage: 5.2 %
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046FC828 2_2_046FC828
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_043F411C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_043F411C
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A94005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00A94005
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00A9C2FF
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9494A GetFileAttributesW,FindFirstFileW,FindClose,2_2_00A9494A
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00A9CD9F
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9CD14 FindFirstFileW,FindClose,2_2_00A9CD14
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00A9F5D8
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00A9F735
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A9FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00A9FA36
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A93CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00A93CE2
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_017ACF75 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_017ACF75
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046FA584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,2_2_046FA584
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046A89F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,2_2_046A89F4
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046A8AFC FindFirstFileA,GetLastError,2_2_046A8AFC
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046F31F8 FindFirstFileW,FindNextFileW,FindClose,2_2_046F31F8
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046D3D68 FindFirstFileW,FindNextFileW,FindClose,2_2_046D3D68
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046BBD8C FindFirstFileA,FindNextFileA,FindClose,2_2_046BBD8C
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046A5974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_046A5974
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046FBA70 FindFirstFileW,FindNextFileW,FindClose,2_2_046FBA70
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A45D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_00A45D13
            Source: Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: microsoft hyper-v video
            Source: Autoit3.exe, 00000002.00000002.2144624385.00000000017BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\temp\test\Autoit3.exe | API call chain: ExitProcess graph end node graph_2-139102
            Source: C:\temp\test\Autoit3.exe | API call chain: ExitProcess graph end node graph_2-139032
            Source: C:\temp\test\Autoit3.exe | Process information queried: ProcessInformation
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AA45D5 BlockInput,2_2_00AA45D5
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A45240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,2_2_00A45240
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A65CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,2_2_00A65CAC
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AAC6D9 LoadLibraryA,GetProcAddress,2_2_00AAC6D9
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_017B9B76 mov eax, dword ptr fs:[00000030h] 2_2_017B9B76
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046CA79C mov eax, dword ptr fs:[00000030h] 2_2_046CA79C
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046CA79C mov eax, dword ptr fs:[00000030h] 2_2_046CA79C
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046C80A4 mov eax, dword ptr fs:[00000030h] 2_2_046C80A4
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,2_2_00A888CD
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A5A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00A5A385
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A5A354 SetUnhandledExceptionFilter,2_2_00A5A354

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046CDCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,2_2_046CDCB8
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046CDCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,2_2_046CDCB8
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A89369 LogonUserW,2_2_00A89369
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A45240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,2_2_00A45240
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A91AC6 SendInput,keybd_event,2_2_00A91AC6
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A951E2 mouse_event,2_2_00A951E2
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
            Source: C:\temp\test\Autoit3.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\aagekfg\fbadddg
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,2_2_00A888CD
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A94F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,2_2_00A94F1C
            Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000268E000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062C6000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044AE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: Notion Setup 4.3.0 (4).exe, Autoit3.exe | Binary or memory string: Shell_TrayWnd
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_3_06238493 cpuid 0_3_06238493
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_043F42F4
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: GetLocaleInfoA,0_2_043F65A8
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: GetLocaleInfoA,0_2_043F65F4
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: GetLocaleInfoA,0_2_043F46D8
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_043F43FF
            Source: C:\temp\test\Autoit3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_017AD14D
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,2_2_017AF3E5
            Source: C:\temp\test\Autoit3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_017AD257
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,2_2_017AD55D
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,GetACP,2_2_017B0589
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,2_2_017AF431
            Source: C:\temp\test\Autoit3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_046A5B4C
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,2_2_046A6470
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,GetACP,2_2_046ACC88
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,2_2_046AB66C
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,2_2_046AB620
            Source: C:\temp\test\Autoit3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_046A5C56
            Source: C:\temp\test\Autoit3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\temp\test\Autoit3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\temp\test\Autoit3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
            Source: C:\temp\test\Autoit3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A70030 GetLocalTime,__swprintf,2_2_00A70030
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A70722 GetUserNameW,2_2_00A70722
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00A6416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,2_2_00A6416A
            Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe | Code function: 0_2_043F47A1 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,0_2_043F47A1
            Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mcshield.exe
            Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: superantispyware.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000002.00000002.2146236229.0000000004708000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 4712, type: MEMORYSTR
            Source: Yara match | File source: 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 4712, type: MEMORYSTR
            Source: Autoit3.exe | Binary or memory string: WIN_81
            Source: Autoit3.exe | Binary or memory string: WIN_XP
            Source: Autoit3.exe | Binary or memory string: WIN_XPe
            Source: Autoit3.exe | Binary or memory string: WIN_VISTA
            Source: Autoit3.exe | Binary or memory string: WIN_7
            Source: Autoit3.exe | Binary or memory string: WIN_8
            Source: Autoit3.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 00000002.00000002.2146236229.0000000004708000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 4712, type: MEMORYSTR
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AA696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00AA696E
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_00AA6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00AA6E32
            Source: C:\temp\test\Autoit3.exe | Code function: 2_2_046BCCB4 bind,2_2_046BCCB4
MITRE ATT&CK matrix (one line per tactic column; techniques listed top to bottom as in the matrix; the number in square brackets is the signature-count badge shown in the report for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts [2]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [1]; Native API [1]; Command and Scripting Interpreter [2]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Create Account [1]; Valid Accounts [2]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation [1]; DLL Side-Loading [1]; Valid Accounts [2]; Access Token Manipulation [21]; Process Injection [212]; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; Masquerading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [1]; Access Token Manipulation [21]; Process Injection [212]
Credential Access: Input Capture [21]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [1]; System Information Discovery [55]; Security Software Discovery [261]; Virtualization/Sandbox Evasion [1]; Process Discovery [3]; Application Window Discovery [1]; System Owner/User Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Screen Capture [1]; Input Capture [21]; Clipboard Data [3]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner
Notion Setup 4.3.0 (4).exe | 11% | Virustotal
Notion Setup 4.3.0 (4).exe | 0% | ReversingLabs
C:\temp\test\Autoit3.exe | 3% | ReversingLabs
C:\temp\test\Autoit3.exe | 4% | Virustotal
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0 | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://www.innosetup.com/ | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://www.autoitscript.com/autoit3/J | Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000000.2096950473.0000000000AF9000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr | false | (none) | high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0 | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://ipinfo.io/ip | Autoit3.exe, Autoit3.exe, 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | false | (none) | high
https://www.ssl.com/repository0 | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://ocsps.ssl.com0? | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://ipinfo.io/ipU | Autoit3.exe, 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | false | (none) | high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0 | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://ocsps.ssl.com0 | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0 | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0 | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://www.autoitscript.com/autoit3/ | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://www.remobjects.com/ps | Notion Setup 4.3.0 (4).exe | false | (none) | high
https://mail.google.com/mail/u/0/#inbox | Autoit3.exe, 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp | false | (none) | high
https://www.autoitscript.com/autoit3/ | Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095809545.00000000062D4000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.2095543300.00000000063B3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2098806416.000000000269C000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.2105478041.00000000044BC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | false | (none) | high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0 | Notion Setup 4.3.0 (4).exe | false | (none) | high
http://ocsps.ssl.com0P | Notion Setup 4.3.0 (4).exe | false | (none) | high
                                                    No contacted IP infos
                                                    Joe Sandbox version:42.0.0 Malachite
                                                    Analysis ID:1599301
                                                    Start date and time:2025-01-25 15:47:05 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 5m 21s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:Notion Setup 4.3.0 (4).exe
                                                    Detection:MAL
                                                    Classification:mal60.troj.spyw.evad.winEXE@8/4@0/0
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 116
                                                    • Number of non-executed functions: 272
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Stop behavior analysis, all processes terminated
                                                    • Exclude process from analysis (whitelisted): dllhost.exe
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
09:48:04 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
No context
Match: C:\temp\test\Autoit3.exe
Associated Sample Name / URL | Detection | Threat Name
• JiH0aUfOU6.exe | malicious | Unknown
• JiH0aUfOU6.exe | malicious | Unknown
• 2YLM6BQ9S3.exe | malicious | RedLine
• sEOELQpFOB.lnk | malicious | RedLine
• ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | malicious | RedLine, SectopRAT
• payload_1.hta | malicious | RedLine
• fsg5PWtTm2.lnk | malicious | RedLine, SectopRAT
• Whatsapp-GUI.exe | malicious | DarkGate, MailPassView
• Whatsapp-GUI.exe | malicious | DarkGate, MailPassView
• Agreement for Cooperation.PDF.lnk.download.lnk | malicious | RedLine
                                                                        Process:C:\Windows\SysWOW64\cmd.exe
                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):42
                                                                        Entropy (8bit):2.914979271060093
                                                                        Encrypted:false
                                                                        SSDEEP:3:Qh9eolFl+Hfl2n:Q7eY+wn
                                                                        MD5:9A28A13BD18B71AA79482B4DB1B5EF74
                                                                        SHA1:E763FFD8E261FF27B8C8153D1C7BEDB1E1BF6A53
                                                                        SHA-256:F95FC0CD7B51DB6F7B51D44B7E2A190A634A74E1DB36EAFE694ADCC4D80A5803
                                                                        SHA-512:93E6618E3DB07CE0B14A698CE21A9451BD063989E451BF260D844B9F48C16C95A697F4F1AB434E44318579F31D4690FDE4E12755A8F6938EE4B1AA7C5EE73D44
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:..D.o.m.a.i.n. . .....C.O.2.2.F. . . .....
                                                                        Process:C:\temp\test\Autoit3.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):32
                                                                        Entropy (8bit):3.440120407472074
                                                                        Encrypted:false
                                                                        SSDEEP:3:O4F2bDammwn:OTabw
                                                                        MD5:22D4AA6BF176871281188DF6EC102C7B
                                                                        SHA1:95ADC41DB343D9C5AFA4C50391C6AB3DB42A24DD
                                                                        SHA-256:B29AE695662128C321D5628F6557A1172306F670189295F6C4062C56633E99A3
                                                                        SHA-512:0AC16EB14CD7C394498A45A3011289F629EBE8169D619B45008BB48113A893B7A40E2BF6C66BCAD4192FDED499F8B8D2717AD205BA29E08C91B9208DDDB757F2
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:AbCFECEeCEBFDdCABKDGGfeKKCBCCecB
                                                                        Process:C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):893608
                                                                        Entropy (8bit):6.620131693023677
                                                                        Encrypted:false
                                                                        SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                                                        MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                                                        SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                                                        SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                                                        SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 3%
• Antivirus: Virustotal, Detection: 4%
Joe Sandbox View:
• Filename: JiH0aUfOU6.exe, Detection: malicious
• Filename: JiH0aUfOU6.exe, Detection: malicious
• Filename: 2YLM6BQ9S3.exe, Detection: malicious
• Filename: sEOELQpFOB.lnk, Detection: malicious
• Filename: ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk, Detection: malicious
• Filename: payload_1.hta, Detection: malicious
• Filename: fsg5PWtTm2.lnk, Detection: malicious
• Filename: Whatsapp-GUI.exe, Detection: malicious
• Filename: Whatsapp-GUI.exe, Detection: malicious
• Filename: Agreement for Cooperation.PDF.lnk.download.lnk, Detection: malicious
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):598250
                                                                        Entropy (8bit):6.847347226287514
                                                                        Encrypted:false
                                                                        SSDEEP:12288:hQxqgrQxqgjneQJAvPstG0WtFNXenxmM5yN059S2Ai6IwbLqNKG7tY:ercrjtGXY6enxHyG5uizOo7m
                                                                        MD5:B94C5E38BBF4B6EF11E0442CE58C3131
                                                                        SHA1:00B5A444BC5E52F7DD9753383317EB2497EC4B38
                                                                        SHA-256:037E15B09413722B48802E6268848D0698B9ED468CD447B40E31EFA5CDB3C313
                                                                        SHA-512:546C148FAFD8298F79BF0B02C707AB88F5E15B099903ED725D11DF6345F2A73121BB385E5E094A8EF2A165284A760C104CD03B25804CC55B11A6F22B64A90914
                                                                        Malicious:false
                                                                        Preview:P)y............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P)y......................................
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.111233519237969
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 98.88%
                                                                        • Inno Setup installer (109748/4) 1.08%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:Notion Setup 4.3.0 (4).exe
                                                                        File size:4'266'056 bytes
                                                                        MD5:849e4475405de2f405ec0c987c796791
                                                                        SHA1:ad67cda4c294705ecd45b5e1f14d49b32deb7a1a
                                                                        SHA256:4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db
                                                                        SHA512:e4232435e69dd6aaa2b81a3fcbfadaeb2b98093d35cdff088e41c38a6d4a8e26082262b62be7ec2e16cb50252afcdf0ca17d7ded914c4cace77ad0c730744324
                                                                        SSDEEP:49152:nR/KpmZubPf2S8W2ILeWl+C1pvjWy5Snd0eigXNJDLrkThL5X4GmxfUP0FKKsvje:R/jtYLP1Yy5E0eD2vPmuPBZugKdH
                                                                        TLSH:67168E177288A43AD0EA0B338933C2A059377E62B532CC4B5BF47E1D9F751643A7A716
                                                                        File Content Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                        Icon Hash:162854445c542180
                                                                        Entrypoint:0x65c4a4
                                                                        Entrypoint Section:.itext
                                                                        Digitally signed:true
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x5EC61809 [Thu May 21 05:56:25 2020 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:6
                                                                        OS Version Minor:0
                                                                        File Version Major:6
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:6
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:16c8c7a62c852018ed02e453e144c998
                                                                        Signature Valid:true
                                                                        Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                                                        Signature Validation Error:The operation completed successfully
                                                                        Error Number:0
                                                                        Not Before, Not After
                                                                        • 12/12/2024 21:14:51 12/12/2025 21:14:51
                                                                        Subject Chain
                                                                        • OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=KDL CENTRAL LIMITED, SERIALNUMBER=09105940, O=KDL CENTRAL LIMITED, L=Bracknell, C=GB
                                                                        Version:3
                                                                        Thumbprint MD5:850C5E9FC42F81DB71E8C96DE1B520A9
                                                                        Thumbprint SHA-1:48DDD2BF1AF8052156E4D14AA24FCD59E1E70C4C
                                                                        Thumbprint SHA-256:2A279B16102E3DD8989AB8EC37C63EEF6780E05B38864A427A50CA0DDEFF70C1
                                                                        Serial:762BE19F15589A12D79577BEB7DD421E
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 00651408h
call 00007F7BE49B4C72h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push FFFFFFECh
push eax
call 00007F7BE49B8CD1h
mov edx, dword ptr [00662788h]
mov edx, dword ptr [edx]
mov edx, dword ptr [edx+00000188h]
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
push edx
call 00007F7BE49B8CBDh
xor eax, eax
push ebp
push 0065C528h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007F7BE49B8028h
call 00007F7BE4BF7103h
mov eax, dword ptr [00651030h]
push eax
push 006510C8h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
call 00007F7BE4B48EA8h
call 00007F7BE4BF7157h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007F7BE4C024ABh
jmp 00007F7BE49AD9E8h
call 00007F7BE4BF6E9Fh
mov eax, 00000001h
call 00007F7BE49AE4D1h
call 00007F7BE49ADE2Ch
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov edx, 0065C6BCh
call 00007F7BE4B4897Fh
push 00000005h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push eax
call 00007F7BE49B89E6h
mov eax, dword ptr [00662788h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x270000 | 0x97 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26b000 | 0x35d8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x273000 | 0x1aa248 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x40f200 | 0x2648 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x272000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x26b94c | 0x848 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x26f000 | 0x9ee | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2581fc | 0x258200 | 0e7b63d16510773dd06e1112d09c9179 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x25a000 | 0x26c8 | 0x2800 | 367bc90dd8be7c6a1056ad2a82281084 | False | 0.503125 | data | 6.119631643767066 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x25d000 | 0x5a64 | 0x5c00 | c20c3606951695cd5626a53022531398 | False | 0.40281080163043476 | data | 5.055173307610014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x263000 | 0x780c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x26b000 | 0x35d8 | 0x3600 | 6cbfeeac8d17ca3b356e9c16e6f19fc1 | False | 0.33622685185185186 | data | 5.280395234482991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x26f000 | 0x9ee | 0xa00 | 2726dff14c86e88d2aaa4303cf2dc681 | False | 0.36328125 | data | 4.360393246158077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x270000 | 0x97 | 0x200 | 8c377a4128fcc7899b263e28899a337b | False | 0.251953125 | data | 1.7456444612923019 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x271000 | 0x44 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x272000 | 0x5d | 0x200 | 2b8e9fb13c20620073c959d665481e28 | False | 0.189453125 | data | 1.4286087209019303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x273000 | 0x1aa248 | 0x1aa400 | ca2afbfccc6524a9b4cfe988f0426b27 | False | 0.7110783999266862 | data | 7.671271070073615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
EKYXKPA62BJZH3QNRUC | 0x273dd8 | 0x177c08 | data | | | 0.7741422653198242
RT_CURSOR | 0x3eb9e0 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x3ebb14 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x3ebc48 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x3ebd7c | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x3ebeb0 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x3ebfe4 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x3ec118 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x3ec24c | 0xd28 | Device independent bitmap graphic, 48 x 48 x 8, image size 0, resolution 3780 x 3780 px/m, 256 important colors | | | 0.16508313539192399
RT_BITMAP | 0x3ecf74 | 0x32a | Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 3779 x 3779 px/m | | | 0.2074074074074074
RT_ICON | 0x3ed2a0 | 0x2a47 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9626720872216575
RT_ICON | 0x3efce8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | English | United States | 0.07821187743996215
RT_ICON | 0x400510 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m | English | United States | 0.10350536052133698
RT_ICON | 0x4099b8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | English | United States | 0.15653046764289089
RT_ICON | 0x40dbe0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | English | United States | 0.21597510373443984
RT_ICON | 0x410188 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | English | United States | 0.3219981238273921
RT_ICON | 0x411230 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m | English | United States | 0.42745901639344264
RT_ICON | 0x411bb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | English | United States | 0.5966312056737588
RT_STRING | 0x412020 | 0x6c | data | | | 0.6018518518518519
RT_STRING | 0x41208c | 0x250 | data | | | 0.46790540540540543
RT_STRING | 0x4122dc | 0x204 | data | | | 0.46705426356589147
RT_STRING | 0x4124e0 | 0x3ec | data | | | 0.3894422310756972
RT_STRING | 0x4128cc | 0x410 | data | | | 0.41634615384615387
RT_STRING | 0x412cdc | 0x160 | data | | | 0.59375
RT_STRING | 0x412e3c | 0xd0 | data | | | 0.6778846153846154
RT_STRING | 0x412f0c | 0x2f4 | data | | | 0.43253968253968256
RT_STRING | 0x413200 | 0x3fc | data | | | 0.37941176470588234
RT_STRING | 0x4135fc | 0x49c | data | | | 0.35338983050847456
RT_STRING | 0x413a98 | 0x29c | data | | | 0.31736526946107785
RT_STRING | 0x413d34 | 0x3f0 | data | | | 0.43154761904761907
RT_STRING | 0x414124 | 0x438 | data | | | 0.3731481481481482
RT_STRING | 0x41455c | 0x3ac | data | | | 0.3861702127659574
RT_STRING | 0x414908 | 0x404 | data | | | 0.3764591439688716
RT_STRING | 0x414d0c | 0x2ac | data | | | 0.38742690058479534
RT_STRING | 0x414fb8 | 0xb8 | data | | | 0.657608695652174
RT_STRING | 0x415070 | 0xd0 | data | | | 0.6201923076923077
RT_STRING | 0x415140 | 0x354 | data | | | 0.4284037558685446
RT_STRING | 0x415494 | 0x3ac | data | | | 0.3425531914893617
RT_STRING | 0x415840 | 0x354 | data | | | 0.3826291079812207
RT_STRING | 0x415b94 | 0x2c0 | data | | | 0.41051136363636365
RT_RCDATA | 0x415e54 | 0x10 | data | | | 1.5
RT_RCDATA | 0x415e64 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333
RT_RCDATA | 0x417664 | 0xac4 | data | | | 0.5446298984034833
RT_RCDATA | 0x418128 | 0x147 | Delphi compiled form 'TMainForm' | | | 0.746177370030581
RT_RCDATA | 0x418270 | 0x480 | Delphi compiled form 'TNewDiskForm' | | | 0.5034722222222222
RT_RCDATA | 0x4186f0 | 0x400 | Delphi compiled form 'TSelectFolderForm' | | | 0.5087890625
RT_RCDATA | 0x418af0 | 0x4b5 | Delphi compiled form 'TSelectLanguageForm' | | | 0.5004149377593361
RT_RCDATA | 0x418fa8 | 0x7ff | Delphi compiled form 'TUninstallProgressForm' | | | 0.4054714215925745
RT_RCDATA | 0x4197a8 | 0x55c | Delphi compiled form 'TUninstSharedFileForm' | | | 0.41690962099125367
RT_RCDATA | 0x419d04 | 0x2ac9 | Delphi compiled form 'TWizardForm' | | | 0.19811923673879303
RT_GROUP_CURSOR | 0x41c7d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x41c7e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x41c7f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x41c80c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x41c820 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x41c834 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x41c848 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x41c85c | 0x76 | data | English | United States | 0.7457627118644068
RT_VERSION | 0x41c8d4 | 0x24c | data | English | United States | 0.47959183673469385
RT_MANIFEST | 0x41cb20 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4005464480874317
DLL | Import
mpr.dll | WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
comctl32.dll | FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll | SHBrowseForFolderW, ExtractIconW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll | CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll | SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
advapi32.dll | RegSetValueExW, RegEnumKeyExW, AdjustTokenPrivileges, OpenThreadToken, GetUserNameW, RegDeleteKeyW, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryInfoKeyW, AllocateAndInitializeSid, FreeSid, EqualSid, RegDeleteValueW, RegFlushKey, RegQueryValueExW, RegEnumValueW, GetTokenInformation, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExW, SetSecurityDescriptorDacl
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
kernel32.dll | SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, QueryPerformanceFrequency, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll | StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll | Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4aefc0
__dbk_fcall_wrapper | 2 | 0x40eb68
dbkFCallWrapperAddr | 1 | 0x66663c
Language of compilation system | Country where language is spoken | Map
English | United States |
No network behavior found

Target ID: 0
Start time: 09:48:00
Start date: 25/01/2025
Path: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe"
Imagebase: 0x400000
File size: 4'266'056 bytes
MD5 hash: 849E4475405DE2F405EC0C987C796791
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:48:01
Start date: 25/01/2025
Path: C:\temp\test\Autoit3.exe
Wow64 process (32bit): true
Commandline: "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
Imagebase: 0xa30000
File size: 893'608 bytes
MD5 hash: C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000002.00000002.2146236229.0000000004708000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.2146236229.00000000046A1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000002.00000002.2145696171.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000002.00000002.2146102182.00000000045A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 3%, ReversingLabs
• Detection: 4%, Virustotal
Reputation: high
Has exited: true

                                                                        Target ID:3
                                                                        Start time:09:48:04
                                                                        Start date:25/01/2025
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\aagekfg\fbadddg
                                                                        Imagebase:0x790000
                                                                        File size:236'544 bytes
                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:09:48:04
                                                                        Start date:25/01/2025
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:09:48:04
                                                                        Start date:25/01/2025
                                                                        Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:wmic ComputerSystem get domain
                                                                        Imagebase:0x890000
                                                                        File size:427'008 bytes
                                                                        MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true
