
Windows Analysis Report
Whatsapp-GUI.exe

Overview

General Information

Sample name:Whatsapp-GUI.exe
Analysis ID:1575235
MD5:8c3ef2eba970f543f0ebe6dced908402
SHA1:431157eaf15244e5d8cc167511b4611f4dfae85c
SHA256:9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02
Tags: DarkGate, exe, user-smica83

Detection

DarkGate, MailPassView
Score:57
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:63
Range:0 - 100

Signatures

Yara detected DarkGate
Yara detected MailPassView
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • Whatsapp-GUI.exe (PID: 1288 cmdline: "C:\Users\user\Desktop\Whatsapp-GUI.exe" MD5: 8C3EF2EBA970F543F0EBE6DCED908402)
    • UpdaterService.exe (PID: 2876 cmdline: "C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x" MD5: C56B5F0201A3B3DE53E561FE76912BFD)
      • cmd.exe (PID: 5796 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 940 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  • Autoit3.exe (PID: 4416 cmdline: "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
  • Autoit3.exe (PID: 7156 cmdline: "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
  • cleanup
Name: DarkGate
Description: First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.2391824798.0000000004758000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security
00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security
00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(27 entries in total)
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x, EventID: 13, EventType: SetValue, Image: C:\ProgramData\Updater\UpdaterService.exe, ProcessId: 2876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cefccga
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 82.1% probability

Compliance

Source: Whatsapp-GUI.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: Whatsapp-GUI.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Work\source\repos\Whatsapp-GUI\Whatsapp-GUI\obj\Debug\Whatsapp-GUI.pdb source: Whatsapp-GUI.exe
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_00CA4005
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,8_2_00CAC2FF
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA494A GetFileAttributesW,FindFirstFileW,FindClose,8_2_00CA494A
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,8_2_00CACD9F
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CACD14 FindFirstFileW,FindClose,8_2_00CACD14
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00CAF5D8
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00CAF735
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,8_2_00CAFA36
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_00CA3CE2
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179BD35 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,8_2_0179BD35
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0474A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,8_2_0474A584
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_046F89F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,8_2_046F89F4
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_046F8AFC FindFirstFileA,GetLastError,8_2_046F8AFC
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_047431F8 FindFirstFileW,FindNextFileW,FindClose,8_2_047431F8
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04723D68 FindFirstFileW,FindNextFileW,FindClose,8_2_04723D68
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0470BD8C FindFirstFileA,FindNextFileA,FindClose,8_2_0470BD8C
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_046F5974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,8_2_046F5974
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0474BA70 FindFirstFileW,FindNextFileW,FindClose,8_2_0474BA70
Source: global traffic | HTTP traffic detected: GET /scl/fi/puclhgu65e9r37o3vcp9m/yutighh.zip?rlkey=csgz30n1xx1twdk9ue4m4p16s&st=nll27ti7&dl=1 HTTP/1.1 | Host: www.dropbox.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJnYiaT0oc5SDFG-Q_f17zZOYwtbElAtBx9tczKziQAR17ipbY3BXl7uvQEULuDJYfx524fWrqmFpUco76qNtDQVu86eEev0aoq4uaSXfphqHI8Aq1eH1z9Bj6TBgo/file?dl=1 HTTP/1.1 | Host: uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 162.125.65.18 162.125.65.18
Source: Joe Sandbox View | IP Address: 162.125.69.15 162.125.69.15
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.16.83 (50 occurrences)
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CB29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,8_2_00CB29BA
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Policy: frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; font-src https://* data: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ 
https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-ancestors 'self' https://*.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: equals www.yahoo.com (Yahoo)
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: api-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; font-src https://* data: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ 
https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-ancestors 'self' https://*.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: equals www.yahoo.com (Yahoo)
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; font-src https://* data: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ 
https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-ancestors 'self' https://*.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic | DNS traffic detected: DNS query: uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com
Source: Whatsapp-GUI.exe | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Whatsapp-GUI.exe | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Whatsapp-GUI.exe | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0&
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Whatsapp-GUI.exe | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edge-block-www-env.dropbox-dns.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edge-block-www-env.dropbox-dns.comd
            Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ipinfo.io/ip
            Source: UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ipinfo.io/ipU
Source: Whatsapp-GUI.exe | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Whatsapp-GUI.exe | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Whatsapp-GUI.exe | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
            Source: Whatsapp-GUI.exeString found in binary or memory: http://ocsp2.globalsign.com/rootr606
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000335E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Whatsapp-GUI.exeString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
            Source: Whatsapp-GUI.exeString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
            Source: Whatsapp-GUI.exeString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.comd
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www-env.dropbox-dns.com
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www-env.dropbox-dns.comd
            Source: UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3939301227.0000000000399000.00000002.00000001.01000000.0000000C.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmp, Autoit3.exe, 00000009.00000000.2439797326.0000000000D09000.00000002.00000001.01000000.0000000E.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.dropbox.com
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.dropbox.comd
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://a.sprig.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/gsi/client
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.login.yahoo.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://app.hellofax.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://app.hellosign.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://canny.io/sdk.js
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cfl.dropboxstatic.com/static/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl-web.dropbox.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/fsip/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/fsip/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/fsip/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/document/fsip/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docsend.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://experience.dropbox.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://help.dropbox.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://login.yahoo.com/
            Source: Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/u/0/#inbox
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://navi.dropbox.jp/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://officeapps-df.live.com
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/picker
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pal-test.adyen.com
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paper.dropbox.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.dropbox.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sales.dropboxbusiness.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://showcase.dropbox.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com/cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJ
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: https://www.autoitscript.com/autoit3/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.docsend.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000335E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/page_success/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/pithos/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/playlist/
            Source: Whatsapp-GUI.exeString found in binary or memory: https://www.dropbox.com/scl/fi/puclhgu65e9r37o3vcp9m/yutighh.zip?rlkey=csgz30n1xx1twdk9ue4m4p16s&st=
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/service_worker.js
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/static/api/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/static/serviceworker/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropbox.com/v/s/playlist/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dropboxstatic.com/static/
            Source: Autoit3.exe.3.drString found in binary or memory: https://www.globalsign.com/repository/0
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.drString found in binary or memory: https://www.globalsign.com/repository/06
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.hellofax.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.hellosign.com/
            Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.paypal.com/sdk/js
            Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
            Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
            Source: unknownHTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.5:49710 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.5:49712 version: TLS 1.2
            Source: C:\ProgramData\addbage\Autoit3.exeCode function: 8_2_00CB4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,8_2_00CB4632
            Source: C:\ProgramData\addbage\Autoit3.exeCode function: 8_2_00CB4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,8_2_00CB4830
            Source: C:\ProgramData\addbage\Autoit3.exeCode function: 8_2_00CB4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,8_2_00CB4632
            Source: C:\ProgramData\addbage\Autoit3.exeCode function: 8_2_0472B188 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,8_2_0472B188
            Source: C:\ProgramData\addbage\Autoit3.exeCode function: 8_2_00CA0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,8_2_00CA0508
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CCD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: Yara match | File source: Process Memory Space: UpdaterService.exe PID: 2876, type: MEMORYSTR
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04742170 OpenDesktopA,CreateDesktopA,SetThreadDesktop,CreateProcessA
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04744478 NtOpenProcess
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04744420 NtQueryObject,NtQueryObject
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_047444C8 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0474476C Sleep,TerminateThread,NtClose,NtClose
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_047443EC NtDuplicateObject,NtClose
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04722CF0 BeginPaint,SetBkMode,TextOutA,EndPaint,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0471AF84 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0471B2A4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA42D5 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C98F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
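The API lists above are where the report's "inject code into remote processes", "launch a process as a different user" and "execute programs as a different user" verdicts come from, but the report only prints the calls, not the order-sensitive shapes a triager looks for. The scanner below is an added example (not Joe Sandbox code and not code from the sample): it parses rows in the report's own "id api,api,...,id" format (the rows embedded here are copied verbatim from this page) and checks each function for ordered call subsequences. The pattern names and the subsequences are my own choices; matching "hollowing_shape" means the calls are consistent with process hollowing or early injection, not proof of it, because the CREATE_SUSPENDED flag and the PROC_THREAD_ATTRIBUTE type are not visible in the report.

```python
import re

# Rows copied from this report's "Code function" table (Joe Sandbox output);
# each is "<id> <api>,<api>,...,<id>", the trailing id being the link column.
REPORT_ROWS = [
    "8_2_04742170 OpenDesktopA,CreateDesktopA,SetThreadDesktop,CreateProcessA,8_2_04742170",
    "8_2_0471AF84 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,"
    "GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,"
    "UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,"
    "ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,"
    "GetTickCount,8_2_0471AF84",
    "8_2_0471B2A4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,"
    "ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,"
    "GetTickCount,8_2_0471B2A4",
    "8_2_00C98F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,"
    "GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,"
    "LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,"
    "CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,"
    "DestroyEnvironmentBlock,8_2_00C98F2E",
]

# Ordered API subsequences (my own naming). Names are compared with their
# ANSI/Unicode suffix removed, so CreateProcessA and CreateProcessW both match.
PATTERNS = {
    # spawn a child, locate its PEB, read and patch its memory, then resume it:
    # the shape of process hollowing / early injection
    "hollowing_shape": ["CreateProcess", "NtQueryInformationProcess",
                        "ReadProcessMemory", "WriteProcessMemory", "ResumeThread"],
    # open another process, then spawn with an extended attribute list:
    # the shape of parent-PID spoofing (attribute type not in the report)
    "proc_thread_attribute_launch": ["OpenProcess", "InitializeProcThreadAttributeList",
                                     "UpdateProcThreadAttribute", "CreateProcess"],
    # run a child on a freshly created (invisible) desktop
    "hidden_desktop_launch": ["CreateDesktop", "SetThreadDesktop", "CreateProcess"],
    # duplicate a token and start a process under it
    "token_based_launch": ["DuplicateTokenEx", "CreateProcessAsUser"],
}

_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")


def normalise(api: str) -> str:
    """Drop a trailing A/W so the ANSI and Unicode variants compare equal."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", api)


def parse_row(row: str):
    """Split a report row into (function id, [api names]); the repeated
    trailing id is dropped."""
    fn, _, rest = row.strip().partition(" ")
    if not _ID_RE.match(fn):
        raise ValueError(f"not a code-function row: {row[:40]!r}")
    apis = [a for a in rest.split(",") if a and a != fn]
    return fn, apis


def ordered_subsequence(needle, haystack) -> bool:
    """True if every element of needle occurs in haystack in that order;
    unrelated calls may sit in between."""
    it = iter(haystack)
    return all(want in it for want in needle)


def match_patterns(apis):
    calls = [normalise(a) for a in apis]
    return [name for name, seq in PATTERNS.items() if ordered_subsequence(seq, calls)]


def scan(rows):
    """Map each function id in the rows to the pattern names it matches."""
    return {fn: match_patterns(apis) for fn, apis in map(parse_row, rows)}


if __name__ == "__main__":
    for fn, hits in scan(REPORT_ROWS).items():
        print(fn, ", ".join(hits) or "-")
```

Run against the rows above, 8_2_0471AF84 matches both the hollowing shape and the attribute-list launch, 8_2_0471B2A4 only the hollowing shape, 8_2_04742170 the hidden-desktop launch and 8_2_00C98F2E the token-based launch; the Sleep/GetTickCount pair at the end of the two injection functions is the timing check the report flags separately.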
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_0190D55C
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_091EB75A
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_0A520AB0
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_0A52CB10
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_0A5258D0
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_0464B46F
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_046934EA
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_04640655
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_04634164
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_0464510E
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_0463A373
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_04671862
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_0463F801
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_0467B8F4
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_0463EA86
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_04649A96
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C4B020
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C41663
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C49C80
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C623F5
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CC8400
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C76502
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C4E6F0
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C7265E
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C6282A
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C789BF
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C76A74
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CC0A3A
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C9EDB2
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C6CD51
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CC0EB7
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA8E44
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C76FE6
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C633B7
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C494E0
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C5D45D
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C6F409
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C4F6A0
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C616B4
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C5F628
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C678C3
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C6DBA5
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C61BA8
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C79CE5
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C5DD28
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C61FC0
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C6BFD6
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04716438
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0471A79C
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0472EC00
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0473B1B8
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04739BD0
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: String function: 04644620 appears 52 times
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: String function: 0463CA55 appears 36 times
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: String function: 0463B5E0 appears 64 times
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: String function: 046F4904 appears 92 times
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: String function: 00C68B30 appears 42 times
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: String function: 046F4394 appears 101 times
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: String function: 047221B8 appears 36 times
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: String function: 00C60D17 appears 70 times
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: String function: 00C51A36 appears 34 times
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: String function: 046F4668 appears 48 times
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: String function: 046F6980 appears 111 times
Source: Whatsapp-GUI.exe, 00000000.00000002.3099328555.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Whatsapp-GUI.exe
Source: classification engine | Classification label: mal57.troj.spyw.evad.winEXE@10/12@2/3
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAA6AD GetLastError,FormatMessageW
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C98DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C99399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAB976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAC9DA CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Whatsapp-GUI.exe.log
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_03
Source: C:\ProgramData\Updater\UpdaterService.exe | File created: C:\temp\
Source: Whatsapp-GUI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\ProgramData\Updater\UpdaterService.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\addbage\Autoit3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: Whatsapp-GUI.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Whatsapp-GUI.exe "C:\Users\user\Desktop\Whatsapp-GUI.exe"
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Process created: C:\ProgramData\Updater\UpdaterService.exe "C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x"
Source: C:\ProgramData\Updater\UpdaterService.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
Source: unknown | Process created: C:\ProgramData\addbage\Autoit3.exe "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x
Source: unknown | Process created: C:\ProgramData\addbage\Autoit3.exe "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: wsock32.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: version.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: mpr.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Updater\UpdaterService.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: wsock32.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: version.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: winmm.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: mpr.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: wininet.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: userenv.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: netutils.dll
Source: C:\ProgramData\addbage\Autoit3.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Whatsapp-GUI.exe | Static PE information: certificate valid
Source: Whatsapp-GUI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Whatsapp-GUI.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Whatsapp-GUI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Work\source\repos\Whatsapp-GUI\Whatsapp-GUI\obj\Debug\Whatsapp-GUI.pdb source: Whatsapp-GUI.exe
Source: Whatsapp-GUI.exe | Static PE information: 0x8CE2628A [Fri Nov 25 00:30:02 2044 UTC]
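The "suspicious time stamp" signature rests on the line above: a COFF TimeDateStamp of 0x8CE2628A decodes to 2044. For a .NET assembly that deserves a caveat before it is counted as evidence of tampering: Roslyn's deterministic builds (the default for modern SDK projects, and this is a Debug build per the PDB path) do not write a clock value into that field at all but a hash of the compilation inputs with the high bit set, so far-future dates are routine in .NET binaries. The check below is an added example (not Joe Sandbox code): it reads the TimeDateStamp from a PE image the way the report did and classifies it. The minimal header it parses is constructed inline with the timestamp from this report; the reference "now" used in the test is an assumed analysis date.

```python
import struct
from datetime import datetime, timezone

# TimeDateStamp this report shows for Whatsapp-GUI.exe
REPORT_TIMESTAMP = 0x8CE2628A


def read_pe_timestamp(image: bytes) -> int:
    """Return the COFF header TimeDateStamp of a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def assess_timestamp(ts: int, now_epoch=None) -> dict:
    """Decode a TimeDateStamp and say whether it can be read as a build time."""
    if now_epoch is None:
        now_epoch = int(datetime.now(timezone.utc).timestamp())
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    high_bit = bool(ts & 0x8000_0000)
    in_future = ts > now_epoch
    if in_future and high_bit:
        # Roslyn /deterministic writes a content hash with the top bit set
        verdict = ("not a clock value: high bit set and date in the future, "
                   "consistent with a deterministic .NET build")
    elif in_future:
        verdict = "future date without the deterministic marker: likely forged"
    else:
        verdict = "plausible build time"
    return {"raw": ts, "utc": when.isoformat(), "high_bit_set": high_bit,
            "in_future": in_future, "verdict": verdict}


def build_sample_header(ts: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header (no sections):
    enough for read_pe_timestamp, not a loadable image."""
    buf = bytearray(0x40 + 4 + 20)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)        # e_lfanew -> PE signature
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 0)   # Machine = i386, 0 sections
    struct.pack_into("<I", buf, 0x48, ts)          # TimeDateStamp
    return bytes(buf)


if __name__ == "__main__":
    ts = read_pe_timestamp(build_sample_header(REPORT_TIMESTAMP))
    for k, v in assess_timestamp(ts).items():
        print(f"{k}: {v}")
```

To run it on the real sample, pass the file's bytes to read_pe_timestamp instead of the constructed header. A high bit set is a necessary marker of the deterministic case, not a sufficient one, so the verdict is a triage hint; the dropped AutoIt interpreter, the .a3x payloads and the Run key in this report carry far more weight than the date.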
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CBC6D9 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_0190EED2 push eax; iretd 0_2_0190EED9
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_091EFCFE pushad ; retf 0_2_091EFD01
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_0A52030A push 8405B2CFh; iretd 0_2_0A520311
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_0A522809 push A005B2E4h; ret 0_2_0A522815
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Code function: 0_2_0AE139BD push FFFFFF8Bh; iretd 0_2_0AE139BF
Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_0463B625 push ecx; ret 3_3_0463B638
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C68B75 push ecx; ret 8_2_00C68B88
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179C9D9 push 0179CA05h; ret 8_2_0179C9FD
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179C998 push 0179CA05h; ret 8_2_0179C9FD
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179A3F5 push eax; ret 8_2_0179A431
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179C391 push 0179C3E2h; ret 8_2_0179C3DA
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_017A0579 push 017A059Fh; ret 8_2_017A0597
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179C5D9 push 0179C605h; ret 8_2_0179C5FD
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179FC8D push 0179FE09h; ret 8_2_0179FE01
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179C721 push 0179C74Dh; ret 8_2_0179C745
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179CF25 push ecx; iretd 8_2_0179CF26
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179CF03 push ecx; iretd 8_2_0179CF06
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_017A1799 push ecx; iretd 8_2_017A179A
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179C611 push 0179C63Dh; ret 8_2_0179C635
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179FE0B push 0179FE7Ch; ret 8_2_0179FE74
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179FE0D push 0179FE7Ch; ret 8_2_0179FE74
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179D691 push ecx; mov dword ptr [esp], eax 8_2_0179D692
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04700454 push 04700480h; ret 8_2_04700478
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04748448 push 04748474h; ret 8_2_0474846C
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0470C436 push 0470C464h; ret 8_2_0470C45C
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0470C438 push 0470C464h; ret 8_2_0470C45C
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04748410 push 0474843Ch; ret 8_2_04748434
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_047484F0 push 0474851Ch; ret 8_2_04748514
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_046F64E4 push 046F6535h; ret 8_2_046F652D
Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_047204E0 push 0472055Eh; ret 8_2_04720556
Source: C:\ProgramData\Updater\UpdaterService.exe | File created: C:\ProgramData\addbage\Autoit3.exe
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | File created: C:\ProgramData\Updater\UpdaterService.exe (copy)
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | File created: C:\ProgramData\Updater\Autoit3.exe
Source: C:\ProgramData\Updater\UpdaterService.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cefccga
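Taken together, the process tree, the dropped files and the Run value above are the hunting material in this report: a dropper writes an AutoIt interpreter and a second executable into C:\ProgramData, both are handed compiled .a3x scripts, cmd.exe redirects "wmic ComputerSystem get domain" into a file in the same staging folder, and the ProgramData-resident process writes an HKCU Run value. The rules below are an added example (not Joe Sandbox output and not a vendor ruleset) of turning those observations into endpoint detections over Sysmon-style events. The event records are constructed from this report's rows; the parent of the Autoit3.exe launch (listed as "unknown" above), the user SID and the data stored in the Run value are assumptions, and the last two events are benign controls I added.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events modelled on this report (EventID 1 process
# create, 11 file create, 13 registry value set). Parent of Autoit3.exe, the
# SID in the registry path and the Run value data are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\Whatsapp-GUI.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Whatsapp-GUI.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\Whatsapp-GUI.exe",
     "TargetFilename": r"C:\ProgramData\Updater\UpdaterService.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\Whatsapp-GUI.exe",
     "TargetFilename": r"C:\ProgramData\Updater\Autoit3.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\Updater\UpdaterService.exe",
     "CommandLine": r'"C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x"',
     "ParentImage": r"C:\Users\user\Desktop\Whatsapp-GUI.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc',
     "ParentImage": r"C:\ProgramData\Updater\UpdaterService.exe"},
    {"EventID": 13, "Image": r"C:\ProgramData\Updater\UpdaterService.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cefccga",
     "Details": r"C:\ProgramData\addbage\Autoit3.exe C:\ProgramData\addbage\ffdghbb.a3x"},
    {"EventID": 1, "Image": r"C:\ProgramData\addbage\Autoit3.exe",
     "CommandLine": r'"C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x',
     "ParentImage": r"C:\ProgramData\Updater\UpdaterService.exe"},
    # benign controls: a real AutoIt install running a source script, and a
    # domain query typed at a console without redirection through cmd /c
    {"EventID": 1, "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Users\user\scripts\backup.au3',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic ComputerSystem get domain",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
WMIC_DOMAIN_REDIRECT = re.compile(r"\bwmic\b.*\bcomputersystem\s+get\s+domain\b.*>", re.I)


def under_programdata(path: str) -> bool:
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower() == "programdata"


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_a3x_interpreter_in_programdata(ev):
    # any ProgramData-resident image handed a compiled AutoIt script, whatever
    # the binary is named (UpdaterService.exe gets one here, not only Autoit3.exe)
    if ev["EventID"] == 1 and under_programdata(ev["Image"]) \
            and ".a3x" in ev["CommandLine"].lower():
        return "compiled AutoIt script executed from ProgramData"


def rule_wmic_domain_to_file(ev):
    if ev["EventID"] == 1 and basename(ev["Image"]) == "cmd.exe" \
            and WMIC_DOMAIN_REDIRECT.search(ev["CommandLine"]):
        return "domain membership queried via wmic and redirected to a file"


def rule_exe_dropped_in_programdata(ev):
    if ev["EventID"] == 11 and under_programdata(ev["TargetFilename"]) \
            and ev["TargetFilename"].lower().endswith(".exe"):
        return "executable written under ProgramData"


def rule_run_key_from_programdata(ev):
    if ev["EventID"] == 13 and RUN_KEY in ev["TargetObject"].lower() \
            and under_programdata(ev["Image"]):
        return "Run key value set by a process living in ProgramData"


RULES = [rule_a3x_interpreter_in_programdata, rule_wmic_domain_to_file,
         rule_exe_dropped_in_programdata, rule_run_key_from_programdata]


def detect(events):
    """Run every rule over every event; return (event index, rule name, reason)."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((i, rule.__name__, reason))
    return hits


if __name__ == "__main__":
    for idx, name, reason in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {reason}")
```

The .a3x rule deliberately keys on the script extension rather than on the name Autoit3.exe, because the report shows the same interpreter behaviour under the name UpdaterService.exe; the two controls (a legitimate AutoIt install under Program Files, and wmic.exe itself) produce no hits, while the six report-derived events each trip exactly one rule.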
            Source: C:\ProgramData\addbage\Autoit3.exeCode function: 8_2_00CC59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,8_2_00CC59B3
            Source: C:\ProgramData\addbage\Autoit3.exeCode function: 8_2_00C55EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,8_2_00C55EDA
            Source: C:\ProgramData\addbage\Autoit3.exeCode function: 8_2_00C633B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_00C633B7
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\Updater\UpdaterService.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\addbage\Autoit3.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0474C828 8_2_0474C828
            Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SUPERANTISPYWARE.EXE
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Memory allocated: 1900000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Memory allocated: 32C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Memory allocated: 3200000 memory reserve | memory write watch
            Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_045F2CB9 rdtsc 3_3_045F2CB9
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Thread delayed: delay time: 100000
            Source: C:\ProgramData\Updater\UpdaterService.exe | Thread delayed: delay time: 1800000
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Window / User API: threadDelayed 459
            Source: C:\ProgramData\Updater\UpdaterService.exe | Window / User API: threadDelayed 545
            Source: C:\ProgramData\Updater\UpdaterService.exe | Window / User API: threadDelayed 2336
            Source: C:\ProgramData\Updater\UpdaterService.exe | Window / User API: foregroundWindowGot 1345
            Source: C:\ProgramData\addbage\Autoit3.exe | API coverage: 5.0 %
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 6192 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 6192 | Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 5428 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 2460 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\Updater\UpdaterService.exe TID: 2924 | Thread sleep time: -1800000s >= -30000s
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem
            Source: C:\ProgramData\addbage\Autoit3.exe | Last function: Thread delayed
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_00CA4005
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,8_2_00CAC2FF
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA494A GetFileAttributesW,FindFirstFileW,FindClose,8_2_00CA494A
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,8_2_00CACD9F
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CACD14 FindFirstFileW,FindClose,8_2_00CACD14
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00CAF5D8
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00CAF735
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CAFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,8_2_00CAFA36
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_00CA3CE2
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0179BD35 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,8_2_0179BD35
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0474A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,8_2_0474A584
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_046F89F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,8_2_046F89F4
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_046F8AFC FindFirstFileA,GetLastError,8_2_046F8AFC
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_047431F8 FindFirstFileW,FindNextFileW,FindClose,8_2_047431F8
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_04723D68 FindFirstFileW,FindNextFileW,FindClose,8_2_04723D68
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0470BD8C FindFirstFileA,FindNextFileA,FindClose,8_2_0470BD8C
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_046F5974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,8_2_046F5974
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0474BA70 FindFirstFileW,FindNextFileW,FindClose,8_2_0474BA70
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C55D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,8_2_00C55D13
            Source: Autoit3.exe, 00000009.00000002.2472312343.00000000017CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
            Source: Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: microsoft hyper-v video
            Source: Whatsapp-GUI.exe, 00000000.00000002.3099652523.000000000167F000.00000004.00000020.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3939848242.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2390439932.00000000017A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\ProgramData\addbage\Autoit3.exe | API call chain: ExitProcess graph end node graph_8-139237
            Source: C:\ProgramData\addbage\Autoit3.exe | API call chain: ExitProcess graph end node graph_8-139307
            Source: C:\ProgramData\Updater\UpdaterService.exe | Process information queried: ProcessInformation
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CB45D5 BlockInput,8_2_00CB45D5
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C55240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,8_2_00C55240
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C75CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,8_2_00C75CAC
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CBC6D9 LoadLibraryA,GetProcAddress,8_2_00CBC6D9
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_017A8936 mov eax, dword ptr fs:[00000030h] 8_2_017A8936
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0471A79C mov eax, dword ptr fs:[00000030h] 8_2_0471A79C
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_047180A4 mov eax, dword ptr fs:[00000030h] 8_2_047180A4
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,8_2_00C988CD
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Process token adjusted: Debug
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C6A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00C6A385
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C6A354 SetUnhandledExceptionFilter,8_2_00C6A354
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Memory allocated: page read and write | page guard
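            Analyst note on the sleep records above. Two patterns are worth reading separately: single long sleeps (the report prints each one against its 30000 bound, so 100000, 1800000 and the 922337203685477 value all qualify), and delay loops made of many short sleeps (the "threadDelayed 2336" counter for UpdaterService.exe). The value 922337203685477 is (2^63 - 1) / 10000, i.e. the largest .NET TimeSpan expressed in milliseconds, which fits the .NET dropper; a thread parked that long never wakes inside a timed run. The script below is an added example and not part of the Joe Sandbox report: it parses records constructed in the shape of the lines above, treats the printed numbers as milliseconds (an assumption; the report prints an "s" suffix but applies the conventional 30 s cap), and flags a process on either pattern. The loop-iteration cap of 500 is a tuning choice, not a value from the report.

```python
"""Added example: score 'Thread sleep time' / 'Thread delayed' records for sandbox sleep evasion.
Not part of the sandbox report; input lines below are constructed in the report's shape."""
import re
from dataclasses import dataclass
from typing import Optional

SINGLE_SLEEP_CAP_MS = 30_000            # the '>= -30000s' bound printed on each record (read as ms)
INT64_MAX_MS = (2**63 - 1) // 10_000    # 922337203685477: .NET TimeSpan.MaxValue in milliseconds

# Tolerates both 'exe TID: 1234 Thread ...' and the glued 'exeThread ...' rendering.
SLEEP_RE = re.compile(
    r"Source: (?P<proc>\S+?)(?: TID: (?P<tid>\d+))? ?Thread "
    r"(?:sleep time: -|delayed: delay time: )(?P<ms>\d+)")
LOOP_RE = re.compile(r"Source: (?P<proc>\S+?) ?Window / User API: threadDelayed (?P<count>\d+)")

# Constructed records (not copied from the report) carrying the report's own values.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 6192 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 6192 Thread sleep time: -100000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 5428 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\ProgramData\Updater\UpdaterService.exe Thread delayed: delay time: 1800000",
    r"Source: C:\ProgramData\Updater\UpdaterService.exe Window / User API: threadDelayed 2336",
]


@dataclass
class Sleep:
    process: str
    tid: Optional[int]
    delay_ms: int


def parse(lines):
    """Split records into individual sleeps and per-process delay-loop iteration counts."""
    sleeps, loops = [], {}
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            sleeps.append(Sleep(m["proc"], int(m["tid"]) if m["tid"] else None, int(m["ms"])))
            continue
        m = LOOP_RE.search(line)
        if m:
            loops[m["proc"]] = loops.get(m["proc"], 0) + int(m["count"])
    return sleeps, loops


def classify(delay_ms):
    if delay_ms >= INT64_MAX_MS:
        return "infinite"   # thread parks for the life of the process; nothing to observe in a timed run
    if delay_ms >= SINGLE_SLEEP_CAP_MS:
        return "long"       # one sleep at or over the cap a sandbox would normally shorten
    return "short"


def _empty():
    return {"infinite": 0, "long": 0, "short": 0, "loop_iterations": 0}


def evaluate(lines, loop_iterations_cap=500):
    """Per-process summary; 'evasive' on any long/infinite sleep or a busy delay loop."""
    sleeps, loops = parse(lines)
    summary = {}
    for s in sleeps:
        summary.setdefault(s.process, _empty())[classify(s.delay_ms)] += 1
    for proc, count in loops.items():
        summary.setdefault(proc, _empty())["loop_iterations"] += count
    for v in summary.values():
        v["evasive"] = bool(v["infinite"] or v["long"] or v["loop_iterations"] >= loop_iterations_cap)
    return summary


if __name__ == "__main__":
    for proc, v in evaluate(SAMPLE_LINES).items():
        print(proc, v)
```

            Both processes come out evasive on this input: the .NET dropper on its effectively infinite sleep, UpdaterService.exe on the 1800000 ms sleep and on the 2336-iteration loop even before the long sleep is counted. Run the same function over the full evasion section of a report to see which processes a sleep-patching sandbox might still have lost.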

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0471DCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,8_2_0471DCB8
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C99369 LogonUserW,8_2_00C99369
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C55240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,8_2_00C55240
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA1AC6 SendInput,keybd_event,8_2_00CA1AC6
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA51E2 mouse_event,8_2_00CA51E2
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Process created: C:\ProgramData\Updater\UpdaterService.exe "C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x"
            Source: C:\ProgramData\Updater\UpdaterService.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,8_2_00C988CD
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CA4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,8_2_00CA4F1C
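            Analyst note on the chain recorded above. The pieces that matter for detection are: the .NET dropper starts UpdaterService.exe from C:\ProgramData with a .a3x argument (the memory strings further down show UpdaterService.exe is an AutoIt3 interpreter under another name); the interpreter drops a second copy as C:\ProgramData\addbage\Autoit3.exe, writes an HKCU Run value (cefccga), and runs cmd.exe /c wmic ComputerSystem get domain redirected into a file under the same directory (the domain check decides whether the loader continues); and the Autoit3.exe copy carries a CreateProcessA, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread injection routine. The script below is an added example, not code from the report or from Joe Sandbox: it correlates constructed telemetry records, shaped after Sysmon event IDs 1 (process create), 8 (CreateRemoteThread), 11 (file create) and 13 (registry value set), into those behaviours. Field names, process IDs, the Autoit3.exe command line and the injection target are assumptions; the report does not record them. The content check uses the ">>>AUTOIT SCRIPT<<<" marker seen in the report plus the AutoIt3 compiled-script tag "AU3!EA06", which is background knowledge about AutoIt rather than something the report shows.

```python
"""Added example: correlate process / file / registry / remote-thread telemetry into the
AutoIt-loader chain recorded in this report. Event dicts are constructed, modelled on Sysmon
event IDs 1, 8, 11 and 13; field names, pids and the injection target are assumptions."""
import re
from pathlib import PureWindowsPath

PROGRAMDATA = "c:\\programdata\\"
# First marker is the interpreter string visible in the report's memory dumps; the second is the
# AutoIt3 compiled-script tag (background knowledge, not taken from the report).
AUTOIT_MARKERS = (b">>>AUTOIT SCRIPT<<<", b"AU3!EA06")
WMIC_DOMAIN_RE = re.compile(r"wmic\s+computersystem\s+get\s+domain\s*>", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.I)

# Constructed telemetry echoing the paths and command lines in the report; pids are made up,
# and the Autoit3.exe command line and remote-thread target are not recorded by the report.
EVENTS = [
    {"id": 1, "pid": 3, "image": r"C:\ProgramData\Updater\UpdaterService.exe",
     "parent_image": r"C:\Users\user\Desktop\Whatsapp-GUI.exe",
     "cmdline": r'"C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x"'},
    {"id": 11, "pid": 3, "image": r"C:\ProgramData\Updater\UpdaterService.exe",
     "target": r"C:\ProgramData\addbage\Autoit3.exe"},
    {"id": 13, "pid": 3, "image": r"C:\ProgramData\Updater\UpdaterService.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cefccga"},
    {"id": 1, "pid": 5, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\ProgramData\Updater\UpdaterService.exe",
     "cmdline": r'"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc'},
    {"id": 1, "pid": 6, "image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "wmic ComputerSystem get domain"},
    {"id": 1, "pid": 8, "image": r"C:\ProgramData\addbage\Autoit3.exe",
     "parent_image": r"C:\ProgramData\Updater\UpdaterService.exe",
     "cmdline": r'"C:\ProgramData\addbage\Autoit3.exe"'},
    {"id": 8, "source_pid": 8, "source_image": r"C:\ProgramData\addbage\Autoit3.exe", "target_pid": 9},
]


def under_programdata(path):
    return path.lower().startswith(PROGRAMDATA)


def basename(path):
    return PureWindowsPath(path).name.lower()


def looks_like_autoit_interpreter(data):
    """Content check that survives renaming (UpdaterService.exe here is an AutoIt3 interpreter)."""
    return any(marker in data for marker in AUTOIT_MARKERS)


def triage(events):
    """Return (rule, pid) pairs, one per loader behaviour found in the telemetry."""
    findings = []
    for e in events:
        eid = e["id"]
        if eid == 1:
            cmd = e.get("cmdline", "")
            if under_programdata(e["image"]) and re.search(r"\.a3x\b", cmd, re.I):
                findings.append(("autoit_script_from_programdata", e["pid"]))
            if basename(e["image"]) == "autoit3.exe" and under_programdata(e["image"]):
                findings.append(("autoit_interpreter_in_programdata", e["pid"]))
            if WMIC_DOMAIN_RE.search(cmd) and under_programdata(e.get("parent_image", "")):
                findings.append(("domain_recon_to_file", e["pid"]))
        elif eid == 11 and basename(e["target"]) == "autoit3.exe" and under_programdata(e["target"]):
            findings.append(("interpreter_copy_dropped", e["pid"]))
        elif eid == 13 and RUN_KEY_RE.search(e["key"]) and under_programdata(e["image"]):
            findings.append(("run_key_from_programdata", e["pid"]))
        elif eid == 8 and under_programdata(e["source_image"]):
            findings.append(("remote_thread_from_programdata", e["source_pid"]))
    return findings


def verdict(findings, minimum_rules=3):
    """Several independent rules firing on one host is the signal; any single one is noisy."""
    rules = {name for name, _ in findings}
    return {"rules": sorted(rules), "chain_confirmed": len(rules) >= minimum_rules}


if __name__ == "__main__":
    print(verdict(triage(EVENTS)))
```

            Each rule on its own will fire on legitimate software (AutoIt scripts in ProgramData, updaters writing Run keys, admin scripts querying the domain), which is why verdict() asks for several of them before calling the chain confirmed. The plain WMIC.exe child does not trigger the recon rule; only the cmd.exe line that redirects the domain name into a file under the loader's own directory does, which is the distinctive part of what this report records.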
            Source: UpdaterService.exe, 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230420564.0000000004610000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3939194413.0000000000386000.00000002.00000001.01000000.0000000C.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: UpdaterService.exe, 00000003.00000002.3942036146.0000000004A34000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942163331.000000000568E000.00000004.00000010.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942132454.000000000528E000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: UpdaterService.exe, Autoit3.exe | Binary or memory string: Shell_TrayWnd
            Source: UpdaterService.exe, 00000003.00000002.3939848242.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerbage\}Y<
            Source: UpdaterService.exe, 00000003.00000002.3942036146.0000000004A34000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: program managerN
            Source: UpdaterService.exe, 00000003.00000002.3939848242.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerhos
            Source: UpdaterService.exe, 00000003.00000002.3939848242.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managertxt
            Source: UpdaterService.exe, 00000003.00000002.3942036146.0000000004A34000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: program manager
            Source: C:\ProgramData\Updater\UpdaterService.exe | Code function: 3_3_0463B30B cpuid 3_3_0463B30B
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,8_2_0179BF0D
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetLocaleInfoA,8_2_0179E1F1
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetLocaleInfoA,8_2_0179E1A5
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,8_2_0179C017
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetLocaleInfoA,GetACP,8_2_0179F349
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetLocaleInfoA,8_2_0179C31D
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,8_2_046F5B4C
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetLocaleInfoA,8_2_046F6470
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetLocaleInfoA,GetACP,8_2_046FCC88
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetLocaleInfoA,8_2_046FB66C
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: GetLocaleInfoA,8_2_046FB620
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,8_2_046F5C56
            Source: C:\ProgramData\Updater\UpdaterService.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\ProgramData\addbage\Autoit3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\ProgramData\Updater\UpdaterService.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
            Source: C:\ProgramData\addbage\Autoit3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Queries volume information: C:\Users\user\Desktop\Whatsapp-GUI.exe VolumeInformation
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C80030 GetLocalTime,__swprintf,8_2_00C80030
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C80722 GetUserNameW,8_2_00C80722
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C7416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,8_2_00C7416A
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00C55D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,8_2_00C55D13
            Source: C:\Users\user\Desktop\Whatsapp-GUI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mcshield.exe
            Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: superantispyware.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000008.00000002.2391824798.0000000004758000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2473753332.0000000004568000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3941184211.0000000003F28000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2230520854.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: UpdaterService.exe PID: 2876, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 4416, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7156, type: MEMORYSTR
            Source: Yara match | File source: 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: UpdaterService.exe PID: 2876, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 4416, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7156, type: MEMORYSTR
            Source: Autoit3.exe | Binary or memory string: WIN_81
            Source: Autoit3.exe | Binary or memory string: WIN_XP
            Source: Autoit3.exe | Binary or memory string: WIN_XPe
            Source: Autoit3.exe | Binary or memory string: WIN_VISTA
            Source: Autoit3.exe | Binary or memory string: WIN_7
            Source: Autoit3.exe | Binary or memory string: WIN_8
            Source: Autoit3.exe.3.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 00000008.00000002.2391824798.0000000004758000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2473753332.0000000004568000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3941184211.0000000003F28000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2230520854.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: UpdaterService.exe PID: 2876, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 4416, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7156, type: MEMORYSTR
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CB696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,8_2_00CB696E
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_00CB6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,8_2_00CB6E32
            Source: C:\ProgramData\addbage\Autoit3.exe | Code function: 8_2_0470CCB4 bind,8_2_0470CCB4
            MITRE ATT&CK Matrix (a leading number is the count the report assigned to that technique; techniques without a number were not observed):

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | 1 Native API | 1 Create Account | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 21 Input Capture | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 Timestomp | NTDS | 66 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 DLL Side-Loading | LSA Secrets | 271 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 1 Masquerading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Valid Accounts | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 212 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            [Behavior Graph (ID: 1575235) for sample Whatsapp-GUI.exe, Startdate: 14/12/2024, Architecture: WINDOWS, Score: 57. Process nodes: Whatsapp-GUI.exe (started), which drops C:\ProgramData\...\UpdaterService.exe (copy) and C:\ProgramData\Updater\Autoit3.exe and starts UpdaterService.exe; UpdaterService.exe drops C:\ProgramData\addbage\Autoit3.exe and starts cmd.exe, which starts WMIC.exe and conhost.exe; two Autoit3.exe instances. Network nodes: www.dropbox.com, www-env.dropbox-dns.com (162.125.65.18:443, DROPBOXUS, United States), edge-block-www-env.dropbox-dns.com (162.125.69.15:443, DROPBOXUS, United States), 154.216.16.83:80 (SKHT-ASShenzhenKatherineHengTechnologyInformationCo, Seychelles), plus 2 other IPs or domains. Signature nodes: Yara detected DarkGate; Yara detected MailPassView; Tries to detect sandboxes and other dynamic analysis tools; AI detected suspicious sample; Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; Contains functionality to detect sleep reduction / modifications.]
