Edit tour

Windows Analysis Report
Notion Setup 4.3.0 (4).exe

Overview

General Information

Sample name:	Notion Setup 4.3.0 (4).exe
Analysis ID:	1599301
MD5:	849e4475405de2f405ec0c987c796791
SHA1:	ad67cda4c294705ecd45b5e1f14d49b32deb7a1a
SHA256:	4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db
Tags:	exeuser-smica83
Infos:

Detection

DarkGate, MailPassView

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected DarkGate

Yara detected MailPassView

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the product ID of Windows

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Notion Setup 4.3.0 (4).exe (PID: 7296 cmdline: "C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe" MD5: 849E4475405DE2F405EC0C987C796791)

Autoit3.exe (PID: 7332 cmdline: "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

cmd.exe (PID: 7372 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fhdhcge\bbchchd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7420 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkGate	First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.	No Attribution	https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/ https://blog.sekoia.io/darkgate-internals/ https://blog.talosintelligence.com/darkgate-remote-template-injection/ https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/ https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.1768944174.0000000003E38000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Process Memory Space: Autoit3.exe PID: 7332	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Autoit3.exe PID: 7332	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Click to see the 3 entries

Code function: 1_2_00FC4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_00FC4632

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FC4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00FC4830

Source: C:\temp\test\Autoit3.exe

1_2_00FC4632

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03E0B188 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

1_2_03E0B188

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FB0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_00FB0508

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FDD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_00FDD164

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03E03A74 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

1_2_03E03A74

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E243EC NtDuplicateObject,NtClose,	1_2_03E243EC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E2476C Sleep,TerminateThread,NtClose,NtClose,	1_2_03E2476C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E244C8 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,	1_2_03E244C8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E24478 NtOpenProcess,	1_2_03E24478
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E24420 NtQueryObject,NtQueryObject,	1_2_03E24420
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DFAF84 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	1_2_03DFAF84
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E02CF0 BeginPaint,SetBkMode,TextOutA,EndPaint,PostQuitMessage,NtdllDefWindowProc_A,	1_2_03E02CF0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DFB2A4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	1_2_03DFB2A4

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FB42D5: CreateFileW,DeviceIoControl,CloseHandle,

1_2_00FB42D5

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FA8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00FA8F2E

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FB5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_00FB5778

Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CF12EC	0_3_00CF12EC
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D02296	0_3_00D02296
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CF74FB	0_3_00CF74FB
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D085F7	0_3_00D085F7
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D50672	0_3_00D50672
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CFD7DD	0_3_00CFD7DD
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D2E9EA	0_3_00D2E9EA
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CFC989	0_3_00CFC989
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D38A7C	0_3_00D38A7C
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CFBC0E	0_3_00CFBC0E
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D06C1E	0_3_00D06C1E
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CF12EC	0_3_00CF12EC
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D02296	0_3_00D02296
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CF74FB	0_3_00CF74FB
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D085F7	0_3_00D085F7
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D50672	0_3_00D50672
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CFD7DD	0_3_00CFD7DD
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D2E9EA	0_3_00D2E9EA
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CFC989	0_3_00CFC989
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00D38A7C	0_3_00D38A7C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F5B020	1_2_00F5B020
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F51663	1_2_00F51663
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F59C80	1_2_00F59C80
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F723F5	1_2_00F723F5
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FD8400	1_2_00FD8400
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F86502	1_2_00F86502
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F5E6F0	1_2_00F5E6F0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F8265E	1_2_00F8265E
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7282A	1_2_00F7282A
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F889BF	1_2_00F889BF
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F86A74	1_2_00F86A74
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FD0A3A	1_2_00FD0A3A
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F60BE0	1_2_00F60BE0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FAEDB2	1_2_00FAEDB2
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7CD51	1_2_00F7CD51
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FD0EB7	1_2_00FD0EB7
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FB8E44	1_2_00FB8E44
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F86FE6	1_2_00F86FE6
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F733B7	1_2_00F733B7
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F594E0	1_2_00F594E0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F6D45D	1_2_00F6D45D
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7F409	1_2_00F7F409
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F716B4	1_2_00F716B4
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F5F6A0	1_2_00F5F6A0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F6F628	1_2_00F6F628
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F778C3	1_2_00F778C3
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7DBA5	1_2_00F7DBA5
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F71BA8	1_2_00F71BA8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F89CE5	1_2_00F89CE5
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F6DD28	1_2_00F6DD28
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7BFD6	1_2_00F7BFD6
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F71FC0	1_2_00F71FC0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DFA79C	1_2_03DFA79C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DF6438	1_2_03DF6438
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E0EC00	1_2_03E0EC00
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E1B1B8	1_2_03E1B1B8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E19BD0	1_2_03E19BD0

Source: Joe Sandbox View

Dropped File: C:\temp\test\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\temp\test\Autoit3.exe	Code function: String function: 03DD4904 appears 92 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 00F61A36 appears 34 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 03E021B8 appears 36 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 03DD4394 appears 101 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 00F70D17 appears 70 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 03DD6980 appears 111 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 00F78B30 appears 42 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 03DD4668 appears 48 times
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: String function: 00D017A8 appears 40 times
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: String function: 00CF8768 appears 56 times
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: String function: 00CF9BDD appears 33 times

Source: Notion Setup 4.3.0 (4).exe

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: Notion Setup 4.3.0 (4).exe	Binary or memory string: OriginalFilename vs Notion Setup 4.3.0 (4).exe
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs Notion Setup 4.3.0 (4).exe
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs Notion Setup 4.3.0 (4).exe
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs Notion Setup 4.3.0 (4).exe
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs Notion Setup 4.3.0 (4).exe

Source: Notion Setup 4.3.0 (4).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal60.troj.spyw.evad.winEXE@8/4@0/0

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FBA6AD GetLastError,FormatMessageW,

1_2_00FBA6AD

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FA8DE9 AdjustTokenPrivileges,CloseHandle,		1_2_00FA8DE9
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FA9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00FA9399

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FBB976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_00FBB976

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FB4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_00FB4148

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FBC9DA CoInitialize,CoCreateInstance,CoUninitialize,

1_2_00FBC9DA

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FB443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

1_2_00FB443D

Source: C:\temp\test\Autoit3.exe

File created: C:\Users\user\AppData\Roaming\FCaBdFG

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03

Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe

File created: c:\temp\test

Jump to behavior

Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Notion Setup 4.3.0 (4).exe	ReversingLabs: Detection: 23%
Source: Notion Setup 4.3.0 (4).exe	Virustotal: Detection: 11%

Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: /LoadInf=

Source: unknown	Process created: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe "C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe"
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
Source: C:\temp\test\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fhdhcge\bbchchd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fhdhcge\bbchchd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain	Jump to behavior

Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Notion Setup 4.3.0 (4).exe

Static PE information: certificate valid

Source: Notion Setup 4.3.0 (4).exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Notion Setup 4.3.0 (4).exe

Static file information: File size 4266056 > 1048576

Source: Notion Setup 4.3.0 (4).exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
Source: Notion Setup 4.3.0 (4).exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1aa400

Source: Notion Setup 4.3.0 (4).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FCC6D9 LoadLibraryA,GetProcAddress,

1_2_00FCC6D9

Source: Notion Setup 4.3.0 (4).exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CF87AD push ecx; ret	0_3_00CF87C0
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CD48C2 push esi; ret	0_3_00CD48C5
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CD48C2 push esi; ret	0_3_00CD48C5
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CF87AD push ecx; ret	0_3_00CF87C0
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CD48C2 push esi; ret	0_3_00CD48C5
Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Code function: 0_3_00CD48C2 push esi; ret	0_3_00CD48C5
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7E93F push edi; ret	1_2_00F7E941
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7EA58 push esi; ret	1_2_00F7EA5A
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FB8A4A push FFFFFF8Bh; iretd	1_2_00FB8A4C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F78B75 push ecx; ret	1_2_00F78B88
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7EC33 push esi; ret	1_2_00F7EC35
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7ED1C push edi; ret	1_2_00F7ED1E
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011ED129 push 011ED3D5h; ret	1_2_011ED3CD
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011EE061 push ecx; mov dword ptr [esp], eax	1_2_011EE062
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011ED0F1 push 011ED11Dh; ret	1_2_011ED115
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011ED3A9 push 011ED3D5h; ret	1_2_011ED3CD
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011ECD61 push 011ECDB2h; ret	1_2_011ECDAA
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011EADC5 push eax; ret	1_2_011EAE01
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011F0F49 push 011F0F6Fh; ret	1_2_011F0F67
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011ECFA9 push 011ECFD5h; ret	1_2_011ECFCD
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011F07DD push 011F084Ch; ret	1_2_011F0844
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011F07DB push 011F084Ch; ret	1_2_011F0844
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011ECFE1 push 011ED00Dh; ret	1_2_011ED005
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011F065D push 011F07D9h; ret	1_2_011F07D1
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E283D8 push 03E28404h; ret	1_2_03E283FC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E283A0 push 03E283CCh; ret	1_2_03E283C4
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E243A4 push 03E243D0h; ret	1_2_03E243C8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DEC388 push 03DEC3B4h; ret	1_2_03DEC3AC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DEC380 push 03DEC3B4h; ret	1_2_03DEC3AC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E28368 push 03E28394h; ret	1_2_03E2838C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E28330 push 03E2835Ch; ret	1_2_03E28354

Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe

File created: C:\temp\test\Autoit3.exe

Jump to dropped file

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FD59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_00FD59B3
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F65EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_00F65EDA

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00F733B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00F733B7

Source: C:\temp\test\Autoit3.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03E2C828

1_2_03E2C828

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SUPERANTISPYWARE.EXE

Source: C:\temp\test\Autoit3.exe

API coverage: 5.3 %

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03E2C828

1_2_03E2C828

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FB4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00FB4005
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FBC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00FBC2FF
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FB494A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00FB494A
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FBCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00FBCD9F
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FBCD14 FindFirstFileW,FindClose,	1_2_00FBCD14
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FBF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00FBF5D8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FBF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00FBF735
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FBFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00FBFA36
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FB3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00FB3CE2
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011EC705 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	1_2_011EC705
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E2A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,	1_2_03E2A584
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DD8AFC FindFirstFileA,GetLastError,	1_2_03DD8AFC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DD89F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	1_2_03DD89F4
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E231F8 FindFirstFileW,FindNextFileW,FindClose,	1_2_03E231F8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E2BA70 FindFirstFileW,FindNextFileW,FindClose,	1_2_03E2BA70
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DD5974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	1_2_03DD5974
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DEBD8C FindFirstFileA,FindNextFileA,FindClose,	1_2_03DEBD8C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03E03D68 FindFirstFileW,FindNextFileW,FindClose,	1_2_03E03D68

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00F65D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00F65D13

Source: Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: Autoit3.exe, 00000001.00000002.1767670859.0000000001204000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\temp\test\Autoit3.exe

API call chain: ExitProcess graph end node

graph_1-139052

Source: C:\temp\test\Autoit3.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FC45D5 BlockInput,

1_2_00FC45D5

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00F65240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00F65240

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00F85CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00F85CAC

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FCC6D9 LoadLibraryA,GetProcAddress,

1_2_00FCC6D9

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_011F9306 mov eax, dword ptr fs:[00000030h]	1_2_011F9306
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DF80A4 mov eax, dword ptr fs:[00000030h]	1_2_03DF80A4
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DFA79C mov eax, dword ptr fs:[00000030h]	1_2_03DFA79C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DFA79C mov eax, dword ptr fs:[00000030h]	1_2_03DFA79C

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FA88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00FA88CD

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00F7A385
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00F7A354 SetUnhandledExceptionFilter,		1_2_00F7A354

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03DFDCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

1_2_03DFDCB8

Contains functionality to inject threads in other processes

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03DFDCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

1_2_03DFDCB8

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FA9369 LogonUserW,

1_2_00FA9369

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00F65240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00F65240

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FB1AC6 SendInput,keybd_event,

1_2_00FB1AC6

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FB51E2 mouse_event,

1_2_00FB51E2

Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe	Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fhdhcge\bbchchd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain	Jump to behavior

Source: C:\temp\test\Autoit3.exe

1_2_00FA88CD

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00FB4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00FB4F1C

Source: Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D86000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.000000000279E000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063D5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Notion Setup 4.3.0 (4).exe, Autoit3.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe

Code function: 0_3_00CF8493 cpuid

0_3_00CF8493

Source: C:\temp\test\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_011EC8DD
Source: C:\temp\test\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_011EC9E7
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_011EEB75
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_011EEBC1
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,GetACP,	1_2_011EFD19
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_011ECCED
Source: C:\temp\test\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_03DD5B4C
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_03DD6470
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,GetACP,	1_2_03DDCC88
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_03DDB66C
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_03DDB620
Source: C:\temp\test\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_03DD5C56

Source: C:\temp\test\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\temp\test\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\temp\test\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior
Source: C:\temp\test\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00F90030 GetLocalTime,__swprintf,

1_2_00F90030

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00F90722 GetUserNameW,

1_2_00F90722

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00F8416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00F8416A

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00F65D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00F65D13

Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: superantispyware.exe

Stealing of Sensitive Information

Yara detected DarkGate

Source: Yara match	File source: 00000001.00000002.1768944174.0000000003E38000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7332, type: MEMORYSTR

Yara detected MailPassView

Source: Yara match	File source: 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7332, type: MEMORYSTR

Source: Autoit3.exe	Binary or memory string: WIN_81
Source: Autoit3.exe	Binary or memory string: WIN_XP
Source: Autoit3.exe	Binary or memory string: WIN_XPe
Source: Autoit3.exe	Binary or memory string: WIN_VISTA
Source: Autoit3.exe	Binary or memory string: WIN_7
Source: Autoit3.exe	Binary or memory string: WIN_8
Source: Autoit3.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected DarkGate

Source: Yara match	File source: 00000001.00000002.1768944174.0000000003E38000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7332, type: MEMORYSTR

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FC696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00FC696E
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00FC6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00FC6E32
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03DECCB4 bind,	1_2_03DECCB4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	55 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	261 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Notion Setup 4.3.0 (4).exe	24%	ReversingLabs	Win32.Trojan.Nekark
Notion Setup 4.3.0 (4).exe	11%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\temp\test\Autoit3.exe	3%	ReversingLabs
C:\temp\test\Autoit3.exe	4%	Virustotal		Browse

Name	Source	Malicious	Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	Notion Setup 4.3.0 (4).exe	false	high
http://www.innosetup.com/	Notion Setup 4.3.0 (4).exe	false	high
http://www.autoitscript.com/autoit3/J	Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1767039637.0000000001019000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr	false	high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	Notion Setup 4.3.0 (4).exe	false	high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	Notion Setup 4.3.0 (4).exe	false	high
http://ipinfo.io/ip	Autoit3.exe, Autoit3.exe, 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	false	high
https://www.ssl.com/repository0	Notion Setup 4.3.0 (4).exe	false	high
http://ocsps.ssl.com0?	Notion Setup 4.3.0 (4).exe	false	high
http://ipinfo.io/ipU	Autoit3.exe, 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	Notion Setup 4.3.0 (4).exe	false	high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	Notion Setup 4.3.0 (4).exe	false	high
http://ocsps.ssl.com0	Notion Setup 4.3.0 (4).exe	false	high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0	Notion Setup 4.3.0 (4).exe	false	high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	Notion Setup 4.3.0 (4).exe	false	high
http://www.autoitscript.com/autoit3/	Notion Setup 4.3.0 (4).exe	false	high
http://www.remobjects.com/ps	Notion Setup 4.3.0 (4).exe	false	high
https://mail.google.com/mail/u/0/#inbox	Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/autoit3/	Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	false	high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	Notion Setup 4.3.0 (4).exe	false	high
http://ocsps.ssl.com0P	Notion Setup 4.3.0 (4).exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1599301
Start date and time:	2025-01-25 15:53:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Notion Setup 4.3.0 (4).exe
Detection:	MAL
Classification:	mal60.troj.spyw.evad.winEXE@8/4@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 101 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target Notion Setup 4.3.0 (4).exe, PID 7296 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\temp\test\Autoit3.exe	JiH0aUfOU6.exe	Get hash	malicious	Unknown	Browse
	JiH0aUfOU6.exe	Get hash	malicious	Unknown	Browse
	2YLM6BQ9S3.exe	Get hash	malicious	RedLine	Browse
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse
	payload_1.hta	Get hash	malicious	RedLine	Browse
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse

Created / dropped Files

C:\ProgramData\fhdhcge\bbchchd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.914979271060093
Encrypted:	false
SSDEEP:	3:Qh9eolFl+RS8XfYn:Q7eY+RPQn
MD5:	07F0AC5DEF70C05FBA140A23321D6D27
SHA1:	ACD7F0A1BBD8730689DA97181EB5AB41DDF4B07C
SHA-256:	50569968EC1840A56AF516BE0E961C16B97BAE9FA8031928AAB48C4B67938698
SHA-512:	0330C984EE90E049FFCBE9FD4A60148E2142226473E8427FFB940BC0826941A9BF527B5F97AEE46D91A59C74EF3029071D7A654271591FAD35D4022FDDA4B992
Malicious:	false
Reputation:	low
Preview:	..D.o.m.a.i.n. . .....e.6.w.Y.Y. . . .....

C:\Users\user\AppData\Roaming\FCaBdFG

Download File

Process:	C:\temp\test\Autoit3.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.5931390622295662
Encrypted:	false
SSDEEP:	3:FT8DLAjlEE43u5mn:V8DLAjlET3u4n
MD5:	BC77E77B1998D2A771FBDBC4EFA074FC
SHA1:	ECCB1CB4FC7BF54F0EB975393E2EC9205173B39C
SHA-256:	8A4180AEF9267779D755432CC63CF8BADFB1D5585CC9F2850722E6E49F9A6505
SHA-512:	9D67F8C500740DE79B865B0AC73CB789C035658D6FB23C2CE2E636C76427243A271251ABC9DF424B14AE5D2333502DFE59539B5D8097011C487003EDD81E89DA
Malicious:	false
Reputation:	low
Preview:	EeCAFefhHeHhFAeFEEaaDKBaGfKCfBCC

C:\temp\test\Autoit3.exe

Download File

Process:	C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 4%, Browse
Joe Sandbox View:	Filename: JiH0aUfOU6.exe, Detection: malicious, Browse Filename: JiH0aUfOU6.exe, Detection: malicious, Browse Filename: 2YLM6BQ9S3.exe, Detection: malicious, Browse Filename: sEOELQpFOB.lnk, Detection: malicious, Browse Filename: ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk, Detection: malicious, Browse Filename: payload_1.hta, Detection: malicious, Browse Filename: fsg5PWtTm2.lnk, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\temp\test\script.a3x

Download File

Process:	C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe
File Type:	data
Category:	dropped
Size (bytes):	598250
Entropy (8bit):	6.847347226287514
Encrypted:	false
SSDEEP:	12288:hQxqgrQxqgjneQJAvPstG0WtFNXenxmM5yN059S2Ai6IwbLqNKG7tY:ercrjtGXY6enxHyG5uizOo7m
MD5:	B94C5E38BBF4B6EF11E0442CE58C3131
SHA1:	00B5A444BC5E52F7DD9753383317EB2497EC4B38
SHA-256:	037E15B09413722B48802E6268848D0698B9ED468CD447B40E31EFA5CDB3C313
SHA-512:	546C148FAFD8298F79BF0B02C707AB88F5E15B099903ED725D11DF6345F2A73121BB385E5E094A8EF2A165284A760C104CD03B25804CC55B11A6F22B64A90914
Malicious:	false
Preview:	P)y............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P)y......................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.111233519237969
TrID:	Win32 Executable (generic) a (10002005/4) 98.88% Inno Setup installer (109748/4) 1.08% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Notion Setup 4.3.0 (4).exe
File size:	4'266'056 bytes
MD5:	849e4475405de2f405ec0c987c796791
SHA1:	ad67cda4c294705ecd45b5e1f14d49b32deb7a1a
SHA256:	4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db
SHA512:	e4232435e69dd6aaa2b81a3fcbfadaeb2b98093d35cdff088e41c38a6d4a8e26082262b62be7ec2e16cb50252afcdf0ca17d7ded914c4cace77ad0c730744324
SSDEEP:	49152:nR/KpmZubPf2S8W2ILeWl+C1pvjWy5Snd0eigXNJDLrkThL5X4GmxfUP0FKKsvje:R/jtYLP1Yy5E0eD2vPmuPBZugKdH
TLSH:	67168E177288A43AD0EA0B338933C2A059377E62B532CC4B5BF47E1D9F751643A7A716
File Content Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	162854445c542180

Static PE Info

General

Entrypoint:	0x65c4a4
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EC61809 [Thu May 21 05:56:25 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	16c8c7a62c852018ed02e453e144c998

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/12/2024 20:14:51 12/12/2025 20:14:51
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=KDL CENTRAL LIMITED, SERIALNUMBER=09105940, O=KDL CENTRAL LIMITED, L=Bracknell, C=GB
Version:	3
Thumbprint MD5:	850C5E9FC42F81DB71E8C96DE1B520A9
Thumbprint SHA-1:	48DDD2BF1AF8052156E4D14AA24FCD59E1E70C4C
Thumbprint SHA-256:	2A279B16102E3DD8989AB8EC37C63EEF6780E05B38864A427A50CA0DDEFF70C1
Serial:	762BE19F15589A12D79577BEB7DD421E

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 00651408h
call 00007FF274A75542h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push FFFFFFECh
push eax
call 00007FF274A795A1h
mov edx, dword ptr [00662788h]
mov edx, dword ptr [edx]
mov edx, dword ptr [edx+00000188h]
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
push edx
call 00007FF274A7958Dh
xor eax, eax
push ebp
push 0065C528h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FF274A788F8h
call 00007FF274CB79D3h
mov eax, dword ptr [00651030h]
push eax
push 006510C8h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
call 00007FF274C09778h
call 00007FF274CB7A27h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FF274CC2D7Bh
jmp 00007FF274A6E2B8h
call 00007FF274CB776Fh
mov eax, 00000001h
call 00007FF274A6EDA1h
call 00007FF274A6E6FCh
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov edx, 0065C6BCh
call 00007FF274C0924Fh
push 00000005h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push eax
call 00007FF274A792B6h
mov eax, dword ptr [00662788h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x270000	0x97	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26b000	0x35d8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x273000	0x1aa248	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x40f200	0x2648	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x272000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x26b94c	0x848	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x26f000	0x9ee	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2581fc	0x258200	0e7b63d16510773dd06e1112d09c9179	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x25a000	0x26c8	0x2800	367bc90dd8be7c6a1056ad2a82281084	False	0.503125	data	6.119631643767066	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x25d000	0x5a64	0x5c00	c20c3606951695cd5626a53022531398	False	0.40281080163043476	data	5.055173307610014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x263000	0x780c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x26b000	0x35d8	0x3600	6cbfeeac8d17ca3b356e9c16e6f19fc1	False	0.33622685185185186	data	5.280395234482991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x26f000	0x9ee	0xa00	2726dff14c86e88d2aaa4303cf2dc681	False	0.36328125	data	4.360393246158077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x270000	0x97	0x200	8c377a4128fcc7899b263e28899a337b	False	0.251953125	data	1.7456444612923019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x271000	0x44	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x272000	0x5d	0x200	2b8e9fb13c20620073c959d665481e28	False	0.189453125	data	1.4286087209019303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x273000	0x1aa248	0x1aa400	ca2afbfccc6524a9b4cfe988f0426b27	False	0.7110783999266862	data	7.671271070073615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
EKYXKPA62BJZH3QNRUC	0x273dd8	0x177c08	data			0.7741422653198242
RT_CURSOR	0x3eb9e0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x3ebb14	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x3ebc48	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x3ebd7c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x3ebeb0	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x3ebfe4	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x3ec118	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x3ec24c	0xd28	Device independent bitmap graphic, 48 x 48 x 8, image size 0, resolution 3780 x 3780 px/m, 256 important colors			0.16508313539192399
RT_BITMAP	0x3ecf74	0x32a	Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 3779 x 3779 px/m			0.2074074074074074
RT_ICON	0x3ed2a0	0x2a47	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9626720872216575
RT_ICON	0x3efce8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	United States	0.07821187743996215
RT_ICON	0x400510	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m	English	United States	0.10350536052133698
RT_ICON	0x4099b8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	United States	0.15653046764289089
RT_ICON	0x40dbe0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.21597510373443984
RT_ICON	0x410188	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.3219981238273921
RT_ICON	0x411230	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m	English	United States	0.42745901639344264
RT_ICON	0x411bb8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.5966312056737588
RT_STRING	0x412020	0x6c	data			0.6018518518518519
RT_STRING	0x41208c	0x250	data			0.46790540540540543
RT_STRING	0x4122dc	0x204	data			0.46705426356589147
RT_STRING	0x4124e0	0x3ec	data			0.3894422310756972
RT_STRING	0x4128cc	0x410	data			0.41634615384615387
RT_STRING	0x412cdc	0x160	data			0.59375
RT_STRING	0x412e3c	0xd0	data			0.6778846153846154
RT_STRING	0x412f0c	0x2f4	data			0.43253968253968256
RT_STRING	0x413200	0x3fc	data			0.37941176470588234
RT_STRING	0x4135fc	0x49c	data			0.35338983050847456
RT_STRING	0x413a98	0x29c	data			0.31736526946107785
RT_STRING	0x413d34	0x3f0	data			0.43154761904761907
RT_STRING	0x414124	0x438	data			0.3731481481481482
RT_STRING	0x41455c	0x3ac	data			0.3861702127659574
RT_STRING	0x414908	0x404	data			0.3764591439688716
RT_STRING	0x414d0c	0x2ac	data			0.38742690058479534
RT_STRING	0x414fb8	0xb8	data			0.657608695652174
RT_STRING	0x415070	0xd0	data			0.6201923076923077
RT_STRING	0x415140	0x354	data			0.4284037558685446
RT_STRING	0x415494	0x3ac	data			0.3425531914893617
RT_STRING	0x415840	0x354	data			0.3826291079812207
RT_STRING	0x415b94	0x2c0	data			0.41051136363636365
RT_RCDATA	0x415e54	0x10	data			1.5
RT_RCDATA	0x415e64	0x1800	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.3924153645833333
RT_RCDATA	0x417664	0xac4	data			0.5446298984034833
RT_RCDATA	0x418128	0x147	Delphi compiled form 'TMainForm'			0.746177370030581
RT_RCDATA	0x418270	0x480	Delphi compiled form 'TNewDiskForm'			0.5034722222222222
RT_RCDATA	0x4186f0	0x400	Delphi compiled form 'TSelectFolderForm'			0.5087890625
RT_RCDATA	0x418af0	0x4b5	Delphi compiled form 'TSelectLanguageForm'			0.5004149377593361
RT_RCDATA	0x418fa8	0x7ff	Delphi compiled form 'TUninstallProgressForm'			0.4054714215925745
RT_RCDATA	0x4197a8	0x55c	Delphi compiled form 'TUninstSharedFileForm'			0.41690962099125367
RT_RCDATA	0x419d04	0x2ac9	Delphi compiled form 'TWizardForm'			0.19811923673879303
RT_GROUP_CURSOR	0x41c7d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x41c7e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x41c7f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c80c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c820	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c834	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c848	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x41c85c	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x41c8d4	0x24c	data	English	United States	0.47959183673469385
RT_MANIFEST	0x41cb20	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4005464480874317

Imports

DLL	Import
mpr.dll	WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
comctl32.dll	FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll	SHBrowseForFolderW, ExtractIconW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll	CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
advapi32.dll	RegSetValueExW, RegEnumKeyExW, AdjustTokenPrivileges, OpenThreadToken, GetUserNameW, RegDeleteKeyW, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryInfoKeyW, AllocateAndInitializeSid, FreeSid, EqualSid, RegDeleteValueW, RegFlushKey, RegQueryValueExW, RegEnumValueW, GetTokenInformation, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExW, SetSecurityDescriptorDacl
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
kernel32.dll	SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, QueryPerformanceFrequency, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll	StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll	Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4aefc0
__dbk_fcall_wrapper	2	0x40eb68
dbkFCallWrapperAddr	1	0x66663c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	09:54:08
Start date:	25/01/2025
Path:	C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Notion Setup 4.3.0 (4).exe"
Imagebase:	0x400000
File size:	4'266'056 bytes
MD5 hash:	849E4475405DE2F405EC0C987C796791
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:54:10
Start date:	25/01/2025
Path:	C:\temp\test\Autoit3.exe
Wow64 process (32bit):	true
Commandline:	"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
Imagebase:	0xf50000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1768944174.0000000003E38000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 4%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:54:12
Start date:	25/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fhdhcge\bbchchd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:54:12
Start date:	25/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:54:12
Start date:	25/01/2025
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic ComputerSystem get domain
Imagebase:	0xd20000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: Autoit3.exe, 00000001.00000002.1768944174.0000000003DD1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768870411.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ipU
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://ocsps.ssl.com0
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://ocsps.ssl.com0P
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1767039637.0000000001019000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://www.innosetup.com/
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://www.remobjects.com/ps
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: Autoit3.exe, 00000001.00000002.1768583485.0000000003C1C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/#inbox
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Autoit3.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Notion Setup 4.3.0 (4).exe, 00000000.00000002.1723805990.00000000027AC000.00000040.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000002.1725610849.00000000045CC000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1715643500.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, Notion Setup 4.3.0 (4).exe, 00000000.00000003.1716242855.0000000000D94000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Notion Setup 4.3.0 (4).exe	String found in binary or memory: https://www.ssl.com/repository0

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Notion Setup 4.3.0 (4).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\fhdhcge\bbchchd

C:\Users\user\AppData\Roaming\FCaBdFG

C:\temp\test\Autoit3.exe

C:\temp\test\script.a3x

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
Notion Setup 4.3.0 (4).exe