{"id":3671,"date":"2016-06-05T01:03:12","date_gmt":"2016-06-05T01:03:12","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3671"},"modified":"2016-06-05T01:03:12","modified_gmt":"2016-06-05T01:03:12","slug":"real-coders-code-in-au3","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/06\/05\/real-coders-code-in-au3\/","title":{"rendered":"Real coders code in Au3"},"content":{"rendered":"

In my old post about malware writers I mentioned that lots of them code in VB<\/a>, Today I will explore the topic that has not been explored before – Autoit malware authors. Luckily (or not), Autoit preserves paths to original Autoit script inside some of the compiled Autoit .exes. As a result.. we can decompile these scripts and get an insight into the hard drives of the bad doers…<\/p>\n

So.. without further ado… this is how it looks like – see below.<\/p>\n

Note<\/strong>: some of these paths may be legitimate, this is from a large sampleset that may contain ‘clean’ legitimate files, also, note the presence of many languages: French, Spanish, German, English, Traditional Chinese, Vietnamese, Turkish:<\/p>\n

C:\\Documents and Settings\\Abdullah\\My Documents\\AU3\\fservice.au3
\nC:\\Documents and Settings\\Administrador\\Escritorio\\Run.au3
\nC:\\Documents and Settings\\Administrateur\\Bureau\\Nouveau AutoIt v3 Script.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\Auto Scripts\\Win.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\AutoSplash\\autosplash.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\CUOICUNG.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\Minh-programing\\maya\\ambr.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\New Folder\\telnet_batch.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\Portable Apps Creation Master 1.6\\Portable Apps Creation Master 1.6.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\RARDAN YAPMA.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\SRO Server\\EnCodeIt 2.0\\SRO AutoLoginAutoParty v1.97_EnCoded1.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\Total Uninstall 4.6.2\\%ProgramFilesDir%\\Total Uninstall 4\\RARDAN YAPMA.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\mokka\\mythwarbot.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\thunghiem.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\vd.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\wtf.au3
\nC:\\Documents and Settings\\Administrator\\Desktop\\wupdate.au3
\nC:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\aus.au3
\nC:\\Documents and Settings\\Administrator\\My Documents\\Autoit V3\\Include\\Constants.au3
\nC:\\Documents and Settings\\Administrator\\My Documents\\Autoit V3\\Include\\Process.au3
\nC:\\Documents and Settings\\Administrator\\My Documents\\test.au3
\nC:\\Documents and Settings\\Administrator\\\u684c\u9762\\DAEMON Tools Pro\\Daemon Tools.au3
\nC:\\Documents and Settings\\Administrator\\\u684c\u9762\\DAEMON Tools2\\setup.au3
\nC:\\Documents and Settings\\Administrator\\\u684c\u9762\\Wopti\\install.au3
\nC:\\Documents and Settings\\Administrator\\\u684c\u9762\\\u7121\u80cc\u666f+\u904b\u884c\u904a\u6232+\u7121\u8a08\u6642\u5668(\u53f3\u4e0a\u89d2)@\u311a\u8d85X10\\\u80cc\u666f+\u904b\u884c\u904a\u6232+\u7121\u8a08\u6642\u5668(\u53f3\u4e0a\u89d2)@\u311a\u8d85X10.au3
\nC:\\Documents and Settings\\Administrator\\\u886f?\uf78e\u8743\u5c93\\\u84cf\u617a \u6611\u7ce8\\AutoIt v3 Script \u6611\u7ce8.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\55.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\5avip_Obfuscated.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\StartRun6.4\u57ed\u93a2\\StartRun6.4\u57ed\u93a2\\ok\uf7f5\u8d7b\u96c4\u580d\u4ff4\u99b1\u64bf6.4.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\new.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\pubwin2007 \u7fd1\u5fd2_Obfuscated.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\qq.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\setup.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\\uf83b\uf700CGO2043\u8d7b\u96c4\u5883\u5a65\u55e3\u652b\\disk2.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\\u5209\u58fa\u639b\u6700\u5517.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\\u5399\u58fd\uf77d\u9059\\LineSwh.au3
\nC:\\Documents and Settings\\Administrator\\\u88a4\u91b1\\\u9654\u8198 AutoIt3\u8910\u639b.au3
\nC:\\Documents and Settings\\All Users\\Documenti\\valid wg\\File per autoit\\Setup.au3
\nC:\\Documents and Settings\\All\\Desktop\\Autoit\\TUL.au3
\nC:\\Documents and Settings\\Barbara\\Desktop\\X-SumatraPDF_source_rev3\\X-SumatraPDF.au3
\nC:\\Documents and Settings\\Barbara\\Desktop\\X-SumatraPDF_source_rev3\\x-launcher.au3
\nC:\\Documents and Settings\\Barbara\\Desktop\\X-SumatraPDF_source_rev3\\x-udf.au3
\nC:\\Documents and Settings\\Beliar\\Desktop\\tare rau.au3
\nC:\\Documents and Settings\\BrOnZ\\Desktop\\PlayerPlus\\PlayerPlus\\Real Player.v11.0.0167.Plus.Beta\\Pach_Real.au3
\nC:\\Documents and Settings\\Cedega\\My Documents\\downloads\\run-tvc.au3
\nC:\\Documents and Settings\\Chef\\Desktop\\Stuff\\v2.08\\hhc hotkeys v2.au3
\nC:\\Documents and Settings\\Dizzy\\Desktop\\bots\\Copy of Dizzy’s DL Bot 2.0 .au3
\nC:\\Documents and Settings\\Eniko\\Desktop\\decompilat.au3
\nC:\\Documents and Settings\\Fast3r\\Plocha\\AU3\\SroTools\\options2.au3
\nC:\\Documents and Settings\\FeFe BoSs\\Desktop\\fefe.au3
\nC:\\Documents and Settings\\Frognik\\FuckKO v0.5\\FuckKO.au3
\nC:\\Documents and Settings\\F\ue209t\ue205a&Ebru\\Desktop\\Yenlogmeini Klas\u9864 (2)\\2.au3
\nC:\\Documents and Settings\\GPC\\Desktop\\11\\auto.au3
\nC:\\Documents and Settings\\Gabe\\Desktop\\my-autoit\\aurastack.au3
\nC:\\Documents and Settings\\GodsPerfectBeing\\My Documents\\AU3 in progress\\ServerSwitch.au3
\nC:\\Documents and Settings\\GodsPerfectBeing\\My Documents\\AU3 in progress\\spambot.au3
\nC:\\Documents and Settings\\H\\Desktop\\hans’s\\Auto-it projects\\Loader\\InjectDLL.au3
\nC:\\Documents and Settings\\H\\Desktop\\hans’s\\Auto-it projects\\Loader\\Loader.au3
\nC:\\Documents and Settings\\Hai Long\\Desktop\\Robots.au3
\nC:\\Documents and Settings\\HaxLi\\Desktop\\wm\\JoyToKey.au3
\nC:\\Documents and Settings\\ILHAN\\Desktop\\kurprog.au3
\nC:\\Documents and Settings\\JOHN & NEO\\Desktop\\Explorer.au3
\nC:\\Documents and Settings\\JOHN & NEO\\Desktop\\da.au3
\nC:\\Documents and Settings\\Jeff Tan\\Desktop\\Pinnacle.au3
\nC:\\Documents and Settings\\Jonas\\Skrivbord\\Kopia av loader\\Loader\\Loader\\Loader.au3
\nC:\\Documents and Settings\\Joshua Taylor\\Desktop\\KeyLog\\KeyLog\\KeyLog.au3
\nC:\\Documents and Settings\\Joshua Taylor\\Desktop\\KeyLog\\KeyLog\\hotmail.au3
\nC:\\Documents and Settings\\Joshua Taylor\\Desktop\\KeyLog\\KeyLog\\readfile.au3
\nC:\\Documents and Settings\\KLOUDJ\\Desktop\\programs\\TechPol.au3
\nC:\\Documents and Settings\\Kissy\\Desktop\\My-AutoIt\\Gondus’s Crumble Undead Bot.au3
\nC:\\Documents and Settings\\Kyle\\Desktop\\glider key.au3
\nC:\\Documents and Settings\\Le Dinh Thanh\\Desktop\\zin.au3
\nC:\\Documents and Settings\\Le Quang Trung\\Desktop\\enet.au3
\nC:\\Documents and Settings\\MARD\\Desktop\\Pinnacle.au3
\nC:\\Documents and Settings\\Matthew1\\Desktop\\Scolex RavMonE Eliminator\\Scolex RavMonE Eliminator.au3
\nC:\\Documents and Settings\\Mohamed\\Desktop\\2\\New AutoIt v3 Script.au3
\nC:\\Documents and Settings\\Niels Maerten\\Mijn documenten\\Miniscripts\\sytemlock.au3
\nC:\\Documents and Settings\\OWNER\\Desktop\\cmdhide.au3
\nC:\\Documents and Settings\\Philip\\Desktop\\TB.au3
\nC:\\Documents and Settings\\Piotr\\Pulpit\\Pipen’s BOTS\\COMBO BOT[release]\\Pinnacle.au3
\nC:\\Documents and Settings\\Propri\u00e9taire\\Bureau\\Rayuran Project!\\gui_Obfuscated.au3
\nC:\\Documents and Settings\\Radek\\Pulpit\\combo\\combo.au3
\nC:\\Documents and Settings\\Radevic\\Desktop\\test\\Update.au3
\nC:\\Documents and Settings\\Radevic\\Desktop\\test\\update.au3
\nC:\\Documents and Settings\\RiCK\\My Documents\\My AutoIt v3 Scripts\\DJ Auto Bot Remote Control\\DJ Auto Bot Remote Control 2.au3
\nC:\\Documents and Settings\\Ruud\\Bureaublad\\0.4\\OEMLOGO.au3
\nC:\\Documents and Settings\\Ruud\\Bureaublad\\0.4\\oem_uninst.au3
\nC:\\Documents and Settings\\Ryan\\Desktop\\AutoItMultiTool\\MultiTool.au3
\nC:\\Documents and Settings\\Sange\\Desktop\\aaaaaaaaa.au3
\nC:\\Documents and Settings\\Sange\\Desktop\\g.au3
\nC:\\Documents and Settings\\SomeGUy\\Desktop\\Downloads\\GaiaAutoFisher [Red Bait].au3
\nC:\\Documents and Settings\\Student_net\\My Documents\\tkv.au3
\nC:\\Documents and Settings\\TSXP\\Desktop\\sound forge 10.au3
\nC:\\Documents and Settings\\TnC\\Desktop\\Lis\\lisans.au3
\nC:\\Documents and Settings\\Tony\\Desktop\\runie.au3
\nC:\\Documents and Settings\\USER\\\u8fc2?\u8f7b\u6c35\u55dc\\Computers\\AutoIt v3 Script \u6ed4\u7850.au3
\nC:\\Documents and Settings\\User\\Desktop\\yahoo.au3
\nC:\\Documents and Settings\\WelCome\\Desktop\\IEXPLORE.au3
\nC:\\Documents and Settings\\Whw\\Local Settings\\Temp\\aus.au3
\nC:\\Documents and Settings\\XMS\\Desktop\\Scripts\\Universal Portable Script.au3
\nC:\\Documents and Settings\\XPPRESP3.USER\\Desktop\\AutoBuffEnglishVer.au3
\nC:\\Documents and Settings\\XTZJ\\\u88a4\u91b1\\xpset1\\ChangeScreenRes.au3
\nC:\\Documents and Settings\\XTZJ\\\u88a4\u91b1\\xpset1\\xpset.au3
\nC:\\Documents and Settings\\abde\\Desktop\\Logger file\\Startup.au3
\nC:\\Documents and Settings\\akoutsouradis\\My Documents\\Scripts\\AutoIt\\Message.au3
\nC:\\Documents and Settings\\cface\\\u88a4\u91b1\\\u964e\u8afe\u834c\u57cf\u8d7b\u96c4\u814e\u7ffb\\3.au3
\nC:\\Documents and Settings\\cuong@\\Desktop\\svchost3333.au3
\nC:\\Documents and Settings\\cuong@\\Desktop\\svchost68.au3
\nC:\\Documents and Settings\\cuong@\\My Documents\\svchost64.au3
\nC:\\Documents and Settings\\cuongadsl\\Desktop\\vuive\\ads2.au3
\nC:\\Documents and Settings\\danger\\Desktop\\x4x.au3
\nC:\\Documents and Settings\\dbaez\\Escritorio\\scripts\\TCS_settings_server.au3
\nC:\\Documents and Settings\\deh0448\\My Documents\\asdf.au3
\nC:\\Documents and Settings\\eric\\Bureau\\Caderix\\scripts\\Transparency2.5.au3
\nC:\\Documents and Settings\\h\\Desktop\\IEXPLORE.au3
\nC:\\Documents and Settings\\h\\Desktop\\fuckall.au3
\nC:\\Documents and Settings\\huycuong\\My Documents\\111.au3
\nC:\\Documents and Settings\\jackal\\\u5925\u9c3b \uf7f7\u8cca\\kmp.au3
\nC:\\Documents and Settings\\lwc\\\u88a4\u91b1\\QQ\u8e87\u93a2hash\u7849\u86ccMD5.au3
\nC:\\Documents and Settings\\manage\\\u88a4\u91b1\\Gpedit\\CheckPWD.au3
\nC:\\Documents and Settings\\manage\\\u88a4\u91b1\\Gpedit\\System Optimize Tools.au3
\nC:\\Documents and Settings\\nabreu\\Ambiente de trabalho\\Share\\Bots\\Bot K2 DL\\Pinnacle.au3
\nC:\\Documents and Settings\\nhatquanglan\\Desktop\\cuoicung.au3
\nC:\\Documents and Settings\\nhatquanglan\\Desktop\\vietlai.au3
\nC:\\Documents and Settings\\nn\\Desktop\\test.au3
\nC:\\Documents and Settings\\pash-TET.PASHA\\Desktop\\123.au3
\nC:\\Documents and Settings\\pash-TET.PASHA\\Desktop\\1233213.au3
\nC:\\Documents and Settings\\pc\\Desktop\\PersonalScreenRes-Install.au3
\nC:\\Documents and Settings\\phuong anh\\Desktop\\CUOICUNG.au3
\nC:\\Documents and Settings\\phuong anh\\Desktop\\nhatquanglan.au3
\nC:\\Documents and Settings\\phuong anh\\Desktop\\nhatquanglan_Obfuscated.au3
\nC:\\Documents and Settings\\rallen\\Desktop\\Extend.au3
\nC:\\Documents and Settings\\robotics\\Desktop\\New Folder\\Aggro\\ABv0.2\\AggroBotv0.23.au3
\nC:\\Documents and Settings\\rsarner\\Desktop\\ROnce.AU3
\nC:\\Documents and Settings\\s0uLtaker\\My Documents\\Archlord Stuff\\bot\\auto IT\\MSN.au3
\nC:\\Documents and Settings\\tence\\Bureau\\KAV\\autoit\\kasperskys-cd-modif3.au3
\nC:\\Documents and Settings\\than sau\\Desktop\\Tu buff silkroad v1.01.au3
\nC:\\Documents and Settings\\thuy\\Desktop\\kill.au3
\nC:\\Documents and Settings\\thuy\\Desktop\\popup web an.au3
\nC:\\Documents and Settings\\trung\\My Documents\\YIMBot\\dkc.au3
\nC:\\Documents and Settings\\truong nhat\\Desktop\\CUOICUNG.au3
\nC:\\Documents and Settings\\truong nhat\\Desktop\\nhatquanglan.au3
\nC:\\Documents and Settings\\truong nhat\\Desktop\\nhatquanglan_Obfuscated.au3
\nC:\\Documents and Settings\\viet\\Desktop\\love.au3
\nC:\\Documents and Settings\\weibaichi\\\u88a4\u91b1\\123.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\Include\\array.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\core.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\include\\File.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\include\\IRC.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\include\\config.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\include\\iNet.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\include\\im.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\include\\lang.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\include\\os.au3
\nC:\\Documents and Settings\\x0wner\\Desktop\\florida\\PuffBotv1.03-priv(1)\\include\\uptime.au3
\nC:\\Documents and Settings\\xp xp\\\u886f?\uf78e\u8743\u5c93\\\uf77b\u5f76\uf77e\uf777 \u886f?\uf78e\u8743\u5c93\\\u84cf\u617a \u6611\u7ce8\\AutoIt v3 Script \u6611\u7ce8.au3
\nC:\\Documents and Settings\\xp xp\\\u886f?\uf78e\u8743\u5c93\\\u84cf\u617a \u6611\u7ce8\\AutoIt v3 Script \u6611\u7ce8.au3
\nC:\\Documents and Settings\\\u9078\u986b\u846c\\\u5925\u9c3b \uf7f7\u8cca\\portable URLSnooper\\portable URLSnooper\\test.au3
\nC:\\Documents and Settings\\\u8f49\u5130\u9924\u5193\u643f\u7381?\u56a6\u9380\\Mad Dog.au3
\nC:\\Documents and Settings\\\uf79c\u62f8\u7aa9\\\u88a4\u91b1\\Search.au3
\nC:\\Documents and Settings\\\uf79c\u62f8\u7aa9\\\u88a4\u91b1\\UX-theme-patcher\\Path.au3
\nC:\\Documents and Settings\\\uf79c\u62f8\u7aa9\\\u88a4\u91b1\\UX-theme-patcher\\Restore.au3
\nC:\\Documents and Settings\\\uf79c\u62f8\u7aa9\\\u88a4\u91b1\\qqq.au3
\nC:\\Documents\\Scripts\\Flickr AutoDownloadr\\FAD frontend.au3
\nC:\\Dokumente und Einstellungen\\8\\Desktop\\Dupe AccHack\\Starter.au3
\nC:\\Dokumente und Einstellungen\\8\\Desktop\\Dupe AccHack\\csrss.au3
\nC:\\Dokumente und Einstellungen\\Administrator\\Desktop\\Botnew\\Packs\\2\\1Original\\Kopie von Bot.au3
\nC:\\Dokumente und Einstellungen\\Administrator\\Desktop\\Botnew\\Packs\\5\\Allok.AVI.to.DVD.SVCD.VCD.Converter.v2.1.4.WinAll.Regged-EiTheL\\1Original\\Kopie von Bot.au3
\nC:\\Dokumente und Einstellungen\\Administrator\\Desktop\\Botnew\\Packs\\AAF\\Adobe Creative Suite 2 Keygen (Photoshop Cs2, Illustrator Cs2, Golive Cs2, More)\\1\\Kopie von Bot.au3
\nC:\\Dokumente und Einstellungen\\Administrator\\Desktop\\Botnew\\Packs\\AAF\\Adobe Photoshop CS2 9.0 Final Keygen & Acitvater\\1\\Kopie von Bot.au3
\nC:\\Dokumente und Einstellungen\\Administrator\\Desktop\\P_NAB_source\\looter.au3
\nC:\\Dokumente und Einstellungen\\Besitzer\\Desktop\\tools\\lossbot\\blubtmo_lossbot1.20.au3
\nC:\\Dokumente und Einstellungen\\Daniel\\Desktop\\Fertige Bots\\High End\\Schoko\u6100 Bot\\Data\\IG5.au3
\nC:\\Dokumente und Einstellungen\\Daniel\\Desktop\\Fertige Bots\\High End\\Schoko\u6100 Bot\\Data\\IG6.au3
\nC:\\Dokumente und Einstellungen\\IroX\\Desktop\\PiroX B0t\\pirox.au3
\nC:\\Dokumente und Einstellungen\\Keller.Florian\\Desktop\\copy.au3
\nC:\\Dokumente und Einstellungen\\Lumsk\\Desktop\\Botnew\\Family Keylogger\\Family Keylogger v2.80 with Crack\\Limewire.au3
\nC:\\Dokumente und Einstellungen\\Sirus\\Desktop\\1 click Flasher\\test.au3
\nC:\\Dokumente und Einstellungen\\fearlumsk\\Desktop\\Bot\\Bot\\CLIENT.au3
\nC:\\Dokumente und Einstellungen\\fearlumsk\\Desktop\\Bot\\Bot\\IRCJoinNew.au3
\nC:\\Dokumente und Einstellungen\\fearlumsk\\Desktop\\Bot\\Bot\\IRCJoinNew2.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\Include\\array.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\core.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\include\\File.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\include\\IRC.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\include\\config.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\include\\iNet.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\include\\im.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\include\\lang.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\include\\os.au3
\nC:\\Dokumente und Einstellungen\\root\\Desktop\\spread\\include\\uptime.au3
\nC:\\Users\\Admin\\Desktop\\sss.au3
\nC:\\Users\\Administrator\\Desktop\\qwee.au3
\nC:\\Users\\Administrator\\Documents\\Projekte\\Zeiss\\CZ – Enterprise Discovery\\WinEDMSG\\Version 1.1.0\\SOURCE\\WinEDMsg.au3
\nC:\\Users\\BossTheTuga\\AppData\\Local\\Temp\\loaderstub.au3
\nC:\\Users\\Brunno\\Desktop\\antileecher.au3
\nC:\\Users\\Dhilip\\Desktop\\WGAN_Rmvr2.au3
\nC:\\Users\\Forever2008\\Desktop\\PORTABLE PhotoshopCS4 By ForeverXP\\Iniciar.au3
\nC:\\Users\\John\\Documents\\Portable Software\\AviScreenPortable\\Other\\AviScreen Portable Source\\AutoItTemplate.au3
\nC:\\Users\\John\\Documents\\Portable Software\\AviScreenPortable\\Other\\AviScreen Portable Source\\AviScreenPortable.au3
\nC:\\Users\\John\\Documents\\Portable Software\\AviScreenPortable\\Other\\AviScreen Portable Source\\BatchExec.au3
\nC:\\Users\\John\\Documents\\Portable Software\\AviScreenPortable\\Other\\AviScreen Portable Source\\Registry.au3
\nC:\\Users\\MediaDogg\\Desktop\\GUI-055xDev\\CopyGui.au3
\nC:\\Users\\MediaDogg\\Desktop\\GUI-055xDev\\FilterGUI.au3
\nC:\\Users\\MediaDogg\\Desktop\\GUI-055xDev\\GUI-057x.au3
\nC:\\Users\\NURZA\\Desktop\\Albator MDP Stealer\\7Zip.au3″ , EXECUTE ( $A0D0F612E41 ) & “\\7Zip.au3
\nC:\\Users\\NURZA\\Desktop\\Albator MDP Stealer\\FTP.au3” , EXECUTE ( $A180F81360F ) & “\\FTP.au3
\nC:\\Users\\NURZA\\Desktop\\Albator MDP Stealer\\Security.au3” , EXECUTE ( $A0EFE21213D ) & “\\Security.au3
\nC:\\Users\\NURZA\\Desktop\\Albator MDP Stealer\\SecurityConstants.au3” , EXECUTE ( $A280F21305C ) & “\\SecurityConstants.au3
\nC:\\Users\\NURZA\\Desktop\\Albator MDP Stealer\\SendMessage.au3” , EXECUTE ( $A58FEE14E3B ) & “\\SendMessage.au3
\nC:\\Users\\NURZA\\Desktop\\Albator MDP Stealer\\StructureConstants.au3” , EXECUTE ( $A4B0F013758 ) & “\\StructureConstants.au3
\nC:\\Users\\NURZA\\Desktop\\Albator MDP Stealer\\WinAPI.au3” , EXECUTE ( $A480FC13826 ) & “\\WinAPI.au3
\nC:\\Users\\NURZA\\Desktop\\Albator MDP Stealer\\WindowsConstants.au3” , EXECUTE ( $A350FE11B29 ) & “\\WindowsConstants.au3
\nC:\\Users\\NURZA\\Desktop\\Albator MDP Stealer\\file.au3” , EXECUTE ( $A580F41111C ) & “\\file.au3
\nC:\\Users\\Owner\\Desktop\\Deploy.au3
\nC:\\Users\\Paul\\Desktop\\OneKey\\closeKms.au3
\nC:\\Users\\S & M\\Desktop\\RDK\\RDK.au3
\nC:\\Users\\searchengine\\Desktop\\Display.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\Include\\array.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\core.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\include\\File.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\include\\IRC.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\include\\config.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\include\\iNet.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\include\\im.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\include\\lang.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\include\\os.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\include\\uptime.au3
\nC:\\Users\\slipo\\Documents\\Mis archivos recibidos\\[HitX]\\[HitX]\\include\\usb.au3
\nC:\\Users\\volkan\\Desktop\\4.au3
\nC:\\Users\\zouhir\\Desktop\\haching\\Nouveau AutoIt v3 Script.au3<\/p>\n","protected":false},"excerpt":{"rendered":"

In my old post about malware writers I mentioned that lots of them code in VB, Today I will explore the topic that has not been explored before – Autoit malware authors. Luckily (or not), Autoit preserves paths to original … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[21,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3671"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3671"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3671\/revisions"}],"predecessor-version":[{"id":3672,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3671\/revisions\/3672"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}