Windows Analysis Report
imagelogger.exe

Overview

General Information

Sample name: imagelogger.exe
Analysis ID: 1575694
MD5: 9655b8120c0d0469ee87eebdeeca3b4d
SHA1: 88694919a39988857213bde785b5c591e1525a35
SHA256: d5355284b6411903ab344c3da20178ff2891b7c14b2cecf27943c9331e6fe652
Tags: AsyncRAT, exe, XWorm, user-lontze7

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • imagelogger.exe (PID: 3820 cmdline: "C:\Users\user\Desktop\imagelogger.exe" MD5: 9655B8120C0D0469EE87EEBDEECA3B4D)
  • cleanup
{"C2 url": ["among-publication.at.ply.gg"], "Port": 42209, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.0"}
Source | Rule | Description | Author | Strings
imagelogger.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
imagelogger.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
imagelogger.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xb7ec:$s6: VirtualBox
  • 0xb74a:$s8: Win32_ComputerSystem
  • 0xc68c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xc729:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xc83e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc2ae:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\imagelogger | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Local\Temp\imagelogger | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\Temp\imagelogger | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xb7ec:$s6: VirtualBox
  • 0xb74a:$s8: Win32_ComputerSystem
  • 0xc68c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xc729:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xc83e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc2ae:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.1327178252.0000000000782000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1327178252.0000000000782000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xb5ec:$s6: VirtualBox
  • 0xb54a:$s8: Win32_ComputerSystem
  • 0xc48c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xc529:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xc63e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc0ae:$cnc4: POST / HTTP/1.1
00000000.00000002.3787439473.0000000012A91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.3787439473.0000000012A91000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x1c264:$s6: VirtualBox
  • 0x1c1c2:$s8: Win32_ComputerSystem
  • 0x1d104:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1d1a1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1d2b6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1cd26:$cnc4: POST / HTTP/1.1
00000000.00000002.3786146895.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
(1 additional entry not shown)

Source | Rule | Description | Author | Strings
0.2.imagelogger.exe.12aa1a78.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.imagelogger.exe.12aa1a78.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.imagelogger.exe.12aa1a78.1.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xb7ec:$s6: VirtualBox
  • 0xb74a:$s8: Win32_ComputerSystem
  • 0xc68c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xc729:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xc83e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc2ae:$cnc4: POST / HTTP/1.1
0.0.imagelogger.exe.780000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.imagelogger.exe.780000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
(3 additional entries not shown)

                        System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\imagelogger.exe, ProcessId: 3820, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imagelogger.lnk

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T08:39:03.103686+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49897 | 147.185.221.229 | 42209 | TCP

                        AV Detection

Source: imagelogger.exe | Avira: detected
Source: among-publication.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\imagelogger | Avira: detection malicious, Label: HEUR/AGEN.1311620
Source: imagelogger.exe | Malware Configuration Extractor: Xworm {"C2 url": ["among-publication.at.ply.gg"], "Port": 42209, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.0"}
Source: C:\Users\user\AppData\Local\Temp\imagelogger | ReversingLabs: Detection: 76%
Source: imagelogger.exe | Virustotal: Detection: 75%
Source: imagelogger.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\imagelogger | Joe Sandbox ML: detected
Source: imagelogger.exe | Joe Sandbox ML: detected
Source: imagelogger.exe | String decryptor: among-publication.at.ply.gg
Source: imagelogger.exe | String decryptor: 42209
Source: imagelogger.exe | String decryptor: <123456789>
Source: imagelogger.exe | String decryptor: <Xwormmm>
Source: imagelogger.exe | String decryptor: XWorm V5.0
Source: imagelogger.exe | String decryptor: USB.exe
Source: imagelogger.exe | String decryptor: %Temp%
Source: imagelogger.exe | String decryptor: imagelogger
Source: imagelogger.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: imagelogger.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49723 -> 147.185.221.229:42209
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49897 -> 147.185.221.229:42209
Source: Malware configuration extractor | URLs: among-publication.at.ply.gg
Source: Yara match | File source: imagelogger.exe, type: SAMPLE
Source: Yara match | File source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.imagelogger.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\imagelogger, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.9:49723 -> 147.185.221.229:42209
Source: global traffic | HTTP traffic detected:
  GET /line/?fields=hosting HTTP/1.1
  Host: ip-api.com
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET /line/?fields=hosting HTTP/1.1
  Host: ip-api.com
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: among-publication.at.ply.gg
Source: imagelogger.exe, imagelogger.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: imagelogger.exe, 00000000.00000002.3786146895.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C:\Users\user\Desktop\imagelogger.exe | Window created: window name: CLIPBRDWNDCLASS

                        Operating System Destruction

Source: C:\Users\user\Desktop\imagelogger.exe | Process information set: 01 00 00 00

                        System Summary

Source: imagelogger.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.imagelogger.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.imagelogger.exe.12aa1a78.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1327178252.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3787439473.0000000012A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\imagelogger, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: initial sample | Static PE information: Filename: imagelogger.exe
Source: C:\Users\user\Desktop\imagelogger.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\imagelogger.exe | Code function: 0_2_00007FF887B01C11
Source: C:\Users\user\Desktop\imagelogger.exe | Code function: 0_2_00007FF887B06B02
Source: C:\Users\user\Desktop\imagelogger.exe | Code function: 0_2_00007FF887B010FA
Source: C:\Users\user\Desktop\imagelogger.exe | Code function: 0_2_00007FF887B05D56
Source: imagelogger.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: imagelogger.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.imagelogger.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.imagelogger.exe.12aa1a78.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1327178252.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3787439473.0000000012A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\imagelogger, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: imagelogger.exe, iLHp10vxetrAVm5r7Ty3zS0f4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: imagelogger.exe, xFEI6GFflrDoYGq8T7NvZ6oxo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: imagelogger.exe, xFEI6GFflrDoYGq8T7NvZ6oxo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: imagelogger.0.dr, iLHp10vxetrAVm5r7Ty3zS0f4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: imagelogger.0.dr, xFEI6GFflrDoYGq8T7NvZ6oxo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: imagelogger.0.dr, xFEI6GFflrDoYGq8T7NvZ6oxo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, iLHp10vxetrAVm5r7Ty3zS0f4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, xFEI6GFflrDoYGq8T7NvZ6oxo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, xFEI6GFflrDoYGq8T7NvZ6oxo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: imagelogger.exe, QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.cs | Base64 encoded string: 'rwnY/gw2Ybo8uWs0nr8b4bEyH7sHv54XzyDHXDWprHMnXW0osxu0dJS8o4KaktI4'
Source: imagelogger.0.dr, QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.cs | Base64 encoded string: 'rwnY/gw2Ybo8uWs0nr8b4bEyH7sHv54XzyDHXDWprHMnXW0osxu0dJS8o4KaktI4'
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.cs | Base64 encoded string: 'rwnY/gw2Ybo8uWs0nr8b4bEyH7sHv54XzyDHXDWprHMnXW0osxu0dJS8o4KaktI4'
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, P0zmgyAwIzWS1SNemBwKeisRM0m5a2gCpdQrDHNEpHWYooGu9s.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, P0zmgyAwIzWS1SNemBwKeisRM0m5a2gCpdQrDHNEpHWYooGu9s.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: imagelogger.0.dr, P0zmgyAwIzWS1SNemBwKeisRM0m5a2gCpdQrDHNEpHWYooGu9s.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: imagelogger.0.dr, P0zmgyAwIzWS1SNemBwKeisRM0m5a2gCpdQrDHNEpHWYooGu9s.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: imagelogger.exe, P0zmgyAwIzWS1SNemBwKeisRM0m5a2gCpdQrDHNEpHWYooGu9s.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: imagelogger.exe, P0zmgyAwIzWS1SNemBwKeisRM0m5a2gCpdQrDHNEpHWYooGu9s.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@2/2
Source: C:\Users\user\Desktop\imagelogger.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imagelogger.lnk
Source: C:\Users\user\Desktop\imagelogger.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\imagelogger.exe | Mutant created: \Sessions\1\BaseNamedObjects\XoA0MqwQ1nAIklDm
Source: C:\Users\user\Desktop\imagelogger.exe | File created: C:\Users\user\AppData\Local\Temp\imagelogger
Source: imagelogger.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: imagelogger.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\imagelogger.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\imagelogger.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: imagelogger.exe | Virustotal: Detection: 75%
Source: imagelogger.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\imagelogger.exe | File read: C:\Users\user\Desktop\imagelogger.exe
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\imagelogger.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: imagelogger.lnk.0.dr | LNK file: ..\..\..\..\..\..\Local\Temp\imagelogger
Source: imagelogger.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: imagelogger.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Data Obfuscation

Source: imagelogger.exe, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.A6Pa6WJLrbjhcbA4gRhylLdc7cK4M8AGrvpXi0Z0Tabt9TzorwueTMUTsLT3wteU9,QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.y167JS3m9QengzGgezAcVIITVP5ZsenwOrXtMuOkhGGlDzWK1zaC33ZrtJyOZdj4j,QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.os0mI79tY4AuRf1LtMhmQJj0Zy6Qz10bGpiBEUiwnH7Mt3wHb7iDReouccdcO1u7k,QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.b5u6ogM8W7noyvGdVlTSROF3wLJHzwDvR8nijCr5hkBblVBFiEbkHM7kmreMu9sCf,xFEI6GFflrDoYGq8T7NvZ6oxo.kzCseTU8DgMUs7rpfRccD230G()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: imagelogger.exe, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_1DE10xLs4SH4ueKjtdXFzsw8zBUGwJ9KdBBybrmmJHy4YYUTR6A7uZHPVHPyJbxqM8gya6dYswei0XRMYLq[2],xFEI6GFflrDoYGq8T7NvZ6oxo.OtQcn5ymMtuGiMgBBEPeKkxfm(Convert.FromBase64String(_1DE10xLs4SH4ueKjtdXFzsw8zBUGwJ9KdBBybrmmJHy4YYUTR6A7uZHPVHPyJbxqM8gya6dYswei0XRMYLq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: imagelogger.exe, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _1DE10xLs4SH4ueKjtdXFzsw8zBUGwJ9KdBBybrmmJHy4YYUTR6A7uZHPVHPyJbxqM8gya6dYswei0XRMYLq[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: imagelogger.0.dr, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.A6Pa6WJLrbjhcbA4gRhylLdc7cK4M8AGrvpXi0Z0Tabt9TzorwueTMUTsLT3wteU9,QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.y167JS3m9QengzGgezAcVIITVP5ZsenwOrXtMuOkhGGlDzWK1zaC33ZrtJyOZdj4j,QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.os0mI79tY4AuRf1LtMhmQJj0Zy6Qz10bGpiBEUiwnH7Mt3wHb7iDReouccdcO1u7k,QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.b5u6ogM8W7noyvGdVlTSROF3wLJHzwDvR8nijCr5hkBblVBFiEbkHM7kmreMu9sCf,xFEI6GFflrDoYGq8T7NvZ6oxo.kzCseTU8DgMUs7rpfRccD230G()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: imagelogger.0.dr, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_1DE10xLs4SH4ueKjtdXFzsw8zBUGwJ9KdBBybrmmJHy4YYUTR6A7uZHPVHPyJbxqM8gya6dYswei0XRMYLq[2],xFEI6GFflrDoYGq8T7NvZ6oxo.OtQcn5ymMtuGiMgBBEPeKkxfm(Convert.FromBase64String(_1DE10xLs4SH4ueKjtdXFzsw8zBUGwJ9KdBBybrmmJHy4YYUTR6A7uZHPVHPyJbxqM8gya6dYswei0XRMYLq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: imagelogger.0.dr, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _1DE10xLs4SH4ueKjtdXFzsw8zBUGwJ9KdBBybrmmJHy4YYUTR6A7uZHPVHPyJbxqM8gya6dYswei0XRMYLq[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.A6Pa6WJLrbjhcbA4gRhylLdc7cK4M8AGrvpXi0Z0Tabt9TzorwueTMUTsLT3wteU9,QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.y167JS3m9QengzGgezAcVIITVP5ZsenwOrXtMuOkhGGlDzWK1zaC33ZrtJyOZdj4j,QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.os0mI79tY4AuRf1LtMhmQJj0Zy6Qz10bGpiBEUiwnH7Mt3wHb7iDReouccdcO1u7k,QfQVihqdbg4jqoGI8F2rHDd9Ww7d0qYDqqqA4sGlPlTwl1M4nI2RNz5ZI3dhWtwrE.b5u6ogM8W7noyvGdVlTSROF3wLJHzwDvR8nijCr5hkBblVBFiEbkHM7kmreMu9sCf,xFEI6GFflrDoYGq8T7NvZ6oxo.kzCseTU8DgMUs7rpfRccD230G()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_1DE10xLs4SH4ueKjtdXFzsw8zBUGwJ9KdBBybrmmJHy4YYUTR6A7uZHPVHPyJbxqM8gya6dYswei0XRMYLq[2],xFEI6GFflrDoYGq8T7NvZ6oxo.OtQcn5ymMtuGiMgBBEPeKkxfm(Convert.FromBase64String(_1DE10xLs4SH4ueKjtdXFzsw8zBUGwJ9KdBBybrmmJHy4YYUTR6A7uZHPVHPyJbxqM8gya6dYswei0XRMYLq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _1DE10xLs4SH4ueKjtdXFzsw8zBUGwJ9KdBBybrmmJHy4YYUTR6A7uZHPVHPyJbxqM8gya6dYswei0XRMYLq[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: imagelogger.exe, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: Rh0goXkSWFbkOaXSLoOXl7VE3hBxuE527s0Vo2vHfzx5J29XhA System.AppDomain.Load(byte[])
Source: imagelogger.exe, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: eu8dOAACozhHu7F0nR6lsS9serqkhXWieYrzL2py0xCOc2wotCXhWIm5t0OAgeLT5fEHYljmuKlOu0ZfY2T System.AppDomain.Load(byte[])
Source: imagelogger.exe, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: eu8dOAACozhHu7F0nR6lsS9serqkhXWieYrzL2py0xCOc2wotCXhWIm5t0OAgeLT5fEHYljmuKlOu0ZfY2T
Source: imagelogger.0.dr, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: Rh0goXkSWFbkOaXSLoOXl7VE3hBxuE527s0Vo2vHfzx5J29XhA System.AppDomain.Load(byte[])
Source: imagelogger.0.dr, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: eu8dOAACozhHu7F0nR6lsS9serqkhXWieYrzL2py0xCOc2wotCXhWIm5t0OAgeLT5fEHYljmuKlOu0ZfY2T System.AppDomain.Load(byte[])
Source: imagelogger.0.dr, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs | .Net Code: eu8dOAACozhHu7F0nR6lsS9serqkhXWieYrzL2py0xCOc2wotCXhWIm5t0OAgeLT5fEHYljmuKlOu0ZfY2T
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs.Net Code: Rh0goXkSWFbkOaXSLoOXl7VE3hBxuE527s0Vo2vHfzx5J29XhA System.AppDomain.Load(byte[])
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs.Net Code: eu8dOAACozhHu7F0nR6lsS9serqkhXWieYrzL2py0xCOc2wotCXhWIm5t0OAgeLT5fEHYljmuKlOu0ZfY2T System.AppDomain.Load(byte[])
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.cs.Net Code: eu8dOAACozhHu7F0nR6lsS9serqkhXWieYrzL2py0xCOc2wotCXhWIm5t0OAgeLT5fEHYljmuKlOu0ZfY2T
                        Source: C:\Users\user\Desktop\imagelogger.exeCode function: 0_2_00007FF887B02458 push ebx; iretd 0_2_00007FF887B024CA
                        Source: imagelogger.exe, iKJ4AENNa8mLOwx6LzIjB1mfK.csHigh entropy of concatenated method names: 'nC0yQUxeBXWwbCn2oEsKG8h2c', 'WM8OMu8NW0st6cj12D1kCuuSN', 't0r1qJNm57sGGY0Lo3CiY1c61', '_01rIKLg4oD', 'MV5FRB5ztA', 'c1TtQhPnv5Yxq7HmN9AYJhxdPXQQj8q8QvCRRHHYl32', 'mNqw4QzXRPzNN2X4AVMMZ6koduHt21Bb7W3E7pgCo6i', 'U9vIMA5aR1jivNIpEfRpYRKK0smFebdlZHNAQRxWXkY', 'U4c3HJaF6uWTSOzvNTtone5R8uxjwpBZbAwvu8GiqMo', 'sGtMU9I0UPZWFYbjnx3UBLUXdOj9H6lmbGKwSU7F3el'
                        Source: imagelogger.exe, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.csHigh entropy of concatenated method names: '_9rPtYGRERqFQvVrbzQmj2bGLFE9HC4TvV39rcJkRRiNGX2QzCj', 'Rh0goXkSWFbkOaXSLoOXl7VE3hBxuE527s0Vo2vHfzx5J29XhA', '_5V5HQHjlqlXaQadQAeJt8bK8U0niy8Ef7AOvPhvmwDah4LUWg2', 'qLGSXU8VFblvvVhBOryozoQaY3U5tA0kXgdwR5mlmJaPvb4kik', 'lwVjD1vbHzdvylMr6uiuUAEvaN7DlxkJF9iXLAoleC9kHYLEXv', 'XAKpGZcAGjjnpWeCmD3ZtWZuwqznUe9LILhnADGiIuipy7Ccf2', 'EsH3qgp7pkAt7uaa1c81LvVV5LVlunZdyxBYJuu0f9uOSRIXbj', 'ZgL62uslYzditFt64DuHZnrJAy4cb5oFq8pORuMeeQiaDDhf0O53fXXPu1E9VvRHcgbmVsiTEuYDQq9z1Pu', 's2rWrpr1Sukp40kBxMV66NPfnaaOsCDJHlS4vSWwPUq4M6AIAQxe2AjmSjLqBEGi26FywfybF1SsaABe22h', 'rqF6szm3zNjsTa24gavKwQe4sgVMXosbfcGSOeSKvKF8mz0lKYLVgq2aeZHe5wOan3MaYLNNiNUtBnPOWBs'
                        Source: imagelogger.exe, FyZqVu9h9CsbV1aafmGwZ44IEsxosU9Beg1nA2HahTn3k0bQySpC5E60vqnHHztAe1FVjwYJEfE67Bh42OD.csHigh entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'JAsLW9da6RO33ELvCfP0JggQHRI60tuQj5YEXhkLFfg7h0MKHxBC82B8kJNXXUeszYzSQSocu1k2YMHfOHW', 'XYjsGaruuR', 'Jo9e9fOAnS', '_9cfY7EEETc', '_12cS8MFqK0'
                        Source: imagelogger.exe, 6coZ22sBrCOss4k7p3VZM9puHdz8RszCObd8aBYgrrjj8EE2ynlgAbUzL7Yy61NekVlmf16HICMU9m5WWnW.csHigh entropy of concatenated method names: 'uTcvL4HbodJUCfqMhQ6HmndkAPRoLR1pilq7SZDxrLKjGUKwFxs9RMYSlipiswRf8B8bKHBNQvu0y29R6jS', 'SxnOjnEX53', 'ZVnpRUyERH', 'bJttju9KnW', 'tsmHl4044f'
                        Source: imagelogger.exe, qh407p2eG1CMRhpADi7tfM32osPWCEqBZPr01IEWBGGCUBSw61I5ngw21nKtDcGkIBLoAtEC3URLcgT9ORn.csHigh entropy of concatenated method names: 'GNP9uwbibPaD3ssHD6APyDLs7uLXZOLx4i7QKNbCyiC37ODnskXGXVUiCBvF9h1cGqGF7NqP5RNPlywCK1Y', 'Fy6RrcX8g8n01Fq0y1GbP1Q3NQ9pudmWqfqWxtLjZyEBPTkJ9g5ltFHoG569XXzbVzmq1aIxizILbxfCiJZ', '_8wBe8z0kOo', 'mfzfGGPne1', 'GmI2M03612', '_8MaCUfAOgC'
                        Source: imagelogger.exe, 5d5M6UPj5GkFOQYeqNDALKVMzAe60umRAMqpJQyhB6Wr8WEnIMYJIqtX2lIBwb4Ew.csHigh entropy of concatenated method names: 't0BrpmAMBQObySLJZ5SHZSY9GHgV48pVpShl1kuxGmhTgOqLHEmnE07FeaIUSnM02', 'm0j6o5tD9QQXQvFyWlEy4HzG4ACa9ITotrohyc6K1Zk8D6gsLRg514RRexzcZl1fY', 'tT8jdxeN16arHRLQyJKpGUFJOszyxPfAoISq8A7mitfRouvlnmkmkz27kHqM85Emy', 'mFbODUCE8dpKW9AR5nVBndnjb3yLLHXZX0zEBgmqhMsxNKqyiV', 'rSXFd9o5nGCtSWajz4F0jn84lN1zDs4QKCtsiYZoUuGHntHMZA', 'K0N84TNour9CLwqVGnVmYgkSA8lKXA3hsF1ZBjTR7Knjm6PkII', 'lCpz2FFAEWWQSyZwa0eNlTt6sfL2benCAWRvPA3dv3lKhwbvY3', 'BzcL6rbPioJuBF5eklmx526SFWYn0AMD4oJ7mYZWOpYITit5WR', 'QywiyVPJ8m9lvIXw6Mti0AuUJDA2mSU0tuAw3oAejjSlQM7pbQ', 'MtxbmVO8XOmJr3inJsWvpd9mYJCPUq9hUB6U7H8ljZQYUW8JUZ'
                        Source: imagelogger.exe, P0zmgyAwIzWS1SNemBwKeisRM0m5a2gCpdQrDHNEpHWYooGu9s.csHigh entropy of concatenated method names: 'ZRIsfo0V1spJfGDtUf8dSoMQgVYLuz1rnLJKAnK1U0GhZbBq42', '_3aMDbZ2q9e20BmZEhIaJt6XlXm5UJhLKFpFQN49bCAjEUKABU4', 'BxN2FLjOWZDzBH5bLtgYmJqRF6C5T5cGazEdfHcn8ZI22nuWdB', 'KfOsm4kFLGAEdhc33hOLO132StxtaXF8wEQJdC800FLNbytrS8', 'sgif8D08CSsyeOD7aYFmeF60RZsfuOE9qVqHpmJgGZTIJZbgCA', 'vttQD75kDGiceC5WBSry2w1mQ4vqHsXs6B9e0rnKFmtFSmkmHW', 'nCHVTlnALkhlGRnPg8KuFukEWjnWBiTZJdROj6j2zlk3AS5Bt7', 'PPWozYnItdDIat0WNDwRWFXQRmilw2RHem6oQ4Eap1KEMtSUSc', 'ZzHGkqlfneKc9axyxzoJiqJdiuGfz9TcwEKKqDYCoa8oVP6oML', 'NnlRXBx3RxlQimLoiBIInKmhL71dh1B8tCet1JjjwKYQnstxOD'
                        Source: imagelogger.exe, xFEI6GFflrDoYGq8T7NvZ6oxo.csHigh entropy of concatenated method names: 'mHTAb9BI4irvmiRltQrnwimEm', 'Jm6HacNyF4NnJaP2xFwNPFp3p', 'E7W4z6SnvbN6BykbMeXkHzJ9Z', 'M5xD61rMj4IIuhi0JLJU6T2JX', 'i8pbxD6vQuQpTDl5F1DsF2eoX', 'Xzwtbf7NUv2JuF7qSQ1vvuzmO', 'LkDQ0SqvnbgYpr06sZPUDUHgG', '_1bPapUWnAMMbbbBMQebBRCb8X', 'aJAIdEMQXqmtwMWpIxXaFTe9P', 'kUisE9idkGaPkAYlExoFAx5qW'
                        Source: imagelogger.exe, FhrwYiRTRf2VDyM59kmulbyU2.csHigh entropy of concatenated method names: 'nQtJxtWE0d3JO6W4O2FiT0jJe', 'qpPIeuuyevTg3ZI0Ea1Ctui1o', 'Moq2nmPwCP9cbjFNPGH2hHiL1', 'mV5DPAK60gzly7fLERlkR2FgB', 'eHS0HYtDbc', '_0qXwHtIvIk', 'LZtYzkaDWK', 'V4q16VWCi2', 'UxJpbFKhjE', 'vJy7dElNqI'
                        Source: imagelogger.0.dr, iKJ4AENNa8mLOwx6LzIjB1mfK.csHigh entropy of concatenated method names: 'nC0yQUxeBXWwbCn2oEsKG8h2c', 'WM8OMu8NW0st6cj12D1kCuuSN', 't0r1qJNm57sGGY0Lo3CiY1c61', '_01rIKLg4oD', 'MV5FRB5ztA', 'c1TtQhPnv5Yxq7HmN9AYJhxdPXQQj8q8QvCRRHHYl32', 'mNqw4QzXRPzNN2X4AVMMZ6koduHt21Bb7W3E7pgCo6i', 'U9vIMA5aR1jivNIpEfRpYRKK0smFebdlZHNAQRxWXkY', 'U4c3HJaF6uWTSOzvNTtone5R8uxjwpBZbAwvu8GiqMo', 'sGtMU9I0UPZWFYbjnx3UBLUXdOj9H6lmbGKwSU7F3el'
                        Source: imagelogger.0.dr, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.csHigh entropy of concatenated method names: '_9rPtYGRERqFQvVrbzQmj2bGLFE9HC4TvV39rcJkRRiNGX2QzCj', 'Rh0goXkSWFbkOaXSLoOXl7VE3hBxuE527s0Vo2vHfzx5J29XhA', '_5V5HQHjlqlXaQadQAeJt8bK8U0niy8Ef7AOvPhvmwDah4LUWg2', 'qLGSXU8VFblvvVhBOryozoQaY3U5tA0kXgdwR5mlmJaPvb4kik', 'lwVjD1vbHzdvylMr6uiuUAEvaN7DlxkJF9iXLAoleC9kHYLEXv', 'XAKpGZcAGjjnpWeCmD3ZtWZuwqznUe9LILhnADGiIuipy7Ccf2', 'EsH3qgp7pkAt7uaa1c81LvVV5LVlunZdyxBYJuu0f9uOSRIXbj', 'ZgL62uslYzditFt64DuHZnrJAy4cb5oFq8pORuMeeQiaDDhf0O53fXXPu1E9VvRHcgbmVsiTEuYDQq9z1Pu', 's2rWrpr1Sukp40kBxMV66NPfnaaOsCDJHlS4vSWwPUq4M6AIAQxe2AjmSjLqBEGi26FywfybF1SsaABe22h', 'rqF6szm3zNjsTa24gavKwQe4sgVMXosbfcGSOeSKvKF8mz0lKYLVgq2aeZHe5wOan3MaYLNNiNUtBnPOWBs'
                        Source: imagelogger.0.dr, FyZqVu9h9CsbV1aafmGwZ44IEsxosU9Beg1nA2HahTn3k0bQySpC5E60vqnHHztAe1FVjwYJEfE67Bh42OD.csHigh entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'JAsLW9da6RO33ELvCfP0JggQHRI60tuQj5YEXhkLFfg7h0MKHxBC82B8kJNXXUeszYzSQSocu1k2YMHfOHW', 'XYjsGaruuR', 'Jo9e9fOAnS', '_9cfY7EEETc', '_12cS8MFqK0'
                        Source: imagelogger.0.dr, 6coZ22sBrCOss4k7p3VZM9puHdz8RszCObd8aBYgrrjj8EE2ynlgAbUzL7Yy61NekVlmf16HICMU9m5WWnW.csHigh entropy of concatenated method names: 'uTcvL4HbodJUCfqMhQ6HmndkAPRoLR1pilq7SZDxrLKjGUKwFxs9RMYSlipiswRf8B8bKHBNQvu0y29R6jS', 'SxnOjnEX53', 'ZVnpRUyERH', 'bJttju9KnW', 'tsmHl4044f'
                        Source: imagelogger.0.dr, qh407p2eG1CMRhpADi7tfM32osPWCEqBZPr01IEWBGGCUBSw61I5ngw21nKtDcGkIBLoAtEC3URLcgT9ORn.csHigh entropy of concatenated method names: 'GNP9uwbibPaD3ssHD6APyDLs7uLXZOLx4i7QKNbCyiC37ODnskXGXVUiCBvF9h1cGqGF7NqP5RNPlywCK1Y', 'Fy6RrcX8g8n01Fq0y1GbP1Q3NQ9pudmWqfqWxtLjZyEBPTkJ9g5ltFHoG569XXzbVzmq1aIxizILbxfCiJZ', '_8wBe8z0kOo', 'mfzfGGPne1', 'GmI2M03612', '_8MaCUfAOgC'
                        Source: imagelogger.0.dr, 5d5M6UPj5GkFOQYeqNDALKVMzAe60umRAMqpJQyhB6Wr8WEnIMYJIqtX2lIBwb4Ew.csHigh entropy of concatenated method names: 't0BrpmAMBQObySLJZ5SHZSY9GHgV48pVpShl1kuxGmhTgOqLHEmnE07FeaIUSnM02', 'm0j6o5tD9QQXQvFyWlEy4HzG4ACa9ITotrohyc6K1Zk8D6gsLRg514RRexzcZl1fY', 'tT8jdxeN16arHRLQyJKpGUFJOszyxPfAoISq8A7mitfRouvlnmkmkz27kHqM85Emy', 'mFbODUCE8dpKW9AR5nVBndnjb3yLLHXZX0zEBgmqhMsxNKqyiV', 'rSXFd9o5nGCtSWajz4F0jn84lN1zDs4QKCtsiYZoUuGHntHMZA', 'K0N84TNour9CLwqVGnVmYgkSA8lKXA3hsF1ZBjTR7Knjm6PkII', 'lCpz2FFAEWWQSyZwa0eNlTt6sfL2benCAWRvPA3dv3lKhwbvY3', 'BzcL6rbPioJuBF5eklmx526SFWYn0AMD4oJ7mYZWOpYITit5WR', 'QywiyVPJ8m9lvIXw6Mti0AuUJDA2mSU0tuAw3oAejjSlQM7pbQ', 'MtxbmVO8XOmJr3inJsWvpd9mYJCPUq9hUB6U7H8ljZQYUW8JUZ'
                        Source: imagelogger.0.dr, P0zmgyAwIzWS1SNemBwKeisRM0m5a2gCpdQrDHNEpHWYooGu9s.csHigh entropy of concatenated method names: 'ZRIsfo0V1spJfGDtUf8dSoMQgVYLuz1rnLJKAnK1U0GhZbBq42', '_3aMDbZ2q9e20BmZEhIaJt6XlXm5UJhLKFpFQN49bCAjEUKABU4', 'BxN2FLjOWZDzBH5bLtgYmJqRF6C5T5cGazEdfHcn8ZI22nuWdB', 'KfOsm4kFLGAEdhc33hOLO132StxtaXF8wEQJdC800FLNbytrS8', 'sgif8D08CSsyeOD7aYFmeF60RZsfuOE9qVqHpmJgGZTIJZbgCA', 'vttQD75kDGiceC5WBSry2w1mQ4vqHsXs6B9e0rnKFmtFSmkmHW', 'nCHVTlnALkhlGRnPg8KuFukEWjnWBiTZJdROj6j2zlk3AS5Bt7', 'PPWozYnItdDIat0WNDwRWFXQRmilw2RHem6oQ4Eap1KEMtSUSc', 'ZzHGkqlfneKc9axyxzoJiqJdiuGfz9TcwEKKqDYCoa8oVP6oML', 'NnlRXBx3RxlQimLoiBIInKmhL71dh1B8tCet1JjjwKYQnstxOD'
                        Source: imagelogger.0.dr, xFEI6GFflrDoYGq8T7NvZ6oxo.csHigh entropy of concatenated method names: 'mHTAb9BI4irvmiRltQrnwimEm', 'Jm6HacNyF4NnJaP2xFwNPFp3p', 'E7W4z6SnvbN6BykbMeXkHzJ9Z', 'M5xD61rMj4IIuhi0JLJU6T2JX', 'i8pbxD6vQuQpTDl5F1DsF2eoX', 'Xzwtbf7NUv2JuF7qSQ1vvuzmO', 'LkDQ0SqvnbgYpr06sZPUDUHgG', '_1bPapUWnAMMbbbBMQebBRCb8X', 'aJAIdEMQXqmtwMWpIxXaFTe9P', 'kUisE9idkGaPkAYlExoFAx5qW'
                        Source: imagelogger.0.dr, FhrwYiRTRf2VDyM59kmulbyU2.csHigh entropy of concatenated method names: 'nQtJxtWE0d3JO6W4O2FiT0jJe', 'qpPIeuuyevTg3ZI0Ea1Ctui1o', 'Moq2nmPwCP9cbjFNPGH2hHiL1', 'mV5DPAK60gzly7fLERlkR2FgB', 'eHS0HYtDbc', '_0qXwHtIvIk', 'LZtYzkaDWK', 'V4q16VWCi2', 'UxJpbFKhjE', 'vJy7dElNqI'
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, iKJ4AENNa8mLOwx6LzIjB1mfK.csHigh entropy of concatenated method names: 'nC0yQUxeBXWwbCn2oEsKG8h2c', 'WM8OMu8NW0st6cj12D1kCuuSN', 't0r1qJNm57sGGY0Lo3CiY1c61', '_01rIKLg4oD', 'MV5FRB5ztA', 'c1TtQhPnv5Yxq7HmN9AYJhxdPXQQj8q8QvCRRHHYl32', 'mNqw4QzXRPzNN2X4AVMMZ6koduHt21Bb7W3E7pgCo6i', 'U9vIMA5aR1jivNIpEfRpYRKK0smFebdlZHNAQRxWXkY', 'U4c3HJaF6uWTSOzvNTtone5R8uxjwpBZbAwvu8GiqMo', 'sGtMU9I0UPZWFYbjnx3UBLUXdOj9H6lmbGKwSU7F3el'
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, AXuwpxT6b3Dw8vjCODBlVC9HxBkD0z5qa2n9W88sRGTmHwNhJV.csHigh entropy of concatenated method names: '_9rPtYGRERqFQvVrbzQmj2bGLFE9HC4TvV39rcJkRRiNGX2QzCj', 'Rh0goXkSWFbkOaXSLoOXl7VE3hBxuE527s0Vo2vHfzx5J29XhA', '_5V5HQHjlqlXaQadQAeJt8bK8U0niy8Ef7AOvPhvmwDah4LUWg2', 'qLGSXU8VFblvvVhBOryozoQaY3U5tA0kXgdwR5mlmJaPvb4kik', 'lwVjD1vbHzdvylMr6uiuUAEvaN7DlxkJF9iXLAoleC9kHYLEXv', 'XAKpGZcAGjjnpWeCmD3ZtWZuwqznUe9LILhnADGiIuipy7Ccf2', 'EsH3qgp7pkAt7uaa1c81LvVV5LVlunZdyxBYJuu0f9uOSRIXbj', 'ZgL62uslYzditFt64DuHZnrJAy4cb5oFq8pORuMeeQiaDDhf0O53fXXPu1E9VvRHcgbmVsiTEuYDQq9z1Pu', 's2rWrpr1Sukp40kBxMV66NPfnaaOsCDJHlS4vSWwPUq4M6AIAQxe2AjmSjLqBEGi26FywfybF1SsaABe22h', 'rqF6szm3zNjsTa24gavKwQe4sgVMXosbfcGSOeSKvKF8mz0lKYLVgq2aeZHe5wOan3MaYLNNiNUtBnPOWBs'
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, FyZqVu9h9CsbV1aafmGwZ44IEsxosU9Beg1nA2HahTn3k0bQySpC5E60vqnHHztAe1FVjwYJEfE67Bh42OD.csHigh entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'JAsLW9da6RO33ELvCfP0JggQHRI60tuQj5YEXhkLFfg7h0MKHxBC82B8kJNXXUeszYzSQSocu1k2YMHfOHW', 'XYjsGaruuR', 'Jo9e9fOAnS', '_9cfY7EEETc', '_12cS8MFqK0'
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, 6coZ22sBrCOss4k7p3VZM9puHdz8RszCObd8aBYgrrjj8EE2ynlgAbUzL7Yy61NekVlmf16HICMU9m5WWnW.csHigh entropy of concatenated method names: 'uTcvL4HbodJUCfqMhQ6HmndkAPRoLR1pilq7SZDxrLKjGUKwFxs9RMYSlipiswRf8B8bKHBNQvu0y29R6jS', 'SxnOjnEX53', 'ZVnpRUyERH', 'bJttju9KnW', 'tsmHl4044f'
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, qh407p2eG1CMRhpADi7tfM32osPWCEqBZPr01IEWBGGCUBSw61I5ngw21nKtDcGkIBLoAtEC3URLcgT9ORn.csHigh entropy of concatenated method names: 'GNP9uwbibPaD3ssHD6APyDLs7uLXZOLx4i7QKNbCyiC37ODnskXGXVUiCBvF9h1cGqGF7NqP5RNPlywCK1Y', 'Fy6RrcX8g8n01Fq0y1GbP1Q3NQ9pudmWqfqWxtLjZyEBPTkJ9g5ltFHoG569XXzbVzmq1aIxizILbxfCiJZ', '_8wBe8z0kOo', 'mfzfGGPne1', 'GmI2M03612', '_8MaCUfAOgC'
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, 5d5M6UPj5GkFOQYeqNDALKVMzAe60umRAMqpJQyhB6Wr8WEnIMYJIqtX2lIBwb4Ew.csHigh entropy of concatenated method names: 't0BrpmAMBQObySLJZ5SHZSY9GHgV48pVpShl1kuxGmhTgOqLHEmnE07FeaIUSnM02', 'm0j6o5tD9QQXQvFyWlEy4HzG4ACa9ITotrohyc6K1Zk8D6gsLRg514RRexzcZl1fY', 'tT8jdxeN16arHRLQyJKpGUFJOszyxPfAoISq8A7mitfRouvlnmkmkz27kHqM85Emy', 'mFbODUCE8dpKW9AR5nVBndnjb3yLLHXZX0zEBgmqhMsxNKqyiV', 'rSXFd9o5nGCtSWajz4F0jn84lN1zDs4QKCtsiYZoUuGHntHMZA', 'K0N84TNour9CLwqVGnVmYgkSA8lKXA3hsF1ZBjTR7Knjm6PkII', 'lCpz2FFAEWWQSyZwa0eNlTt6sfL2benCAWRvPA3dv3lKhwbvY3', 'BzcL6rbPioJuBF5eklmx526SFWYn0AMD4oJ7mYZWOpYITit5WR', 'QywiyVPJ8m9lvIXw6Mti0AuUJDA2mSU0tuAw3oAejjSlQM7pbQ', 'MtxbmVO8XOmJr3inJsWvpd9mYJCPUq9hUB6U7H8ljZQYUW8JUZ'
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, P0zmgyAwIzWS1SNemBwKeisRM0m5a2gCpdQrDHNEpHWYooGu9s.csHigh entropy of concatenated method names: 'ZRIsfo0V1spJfGDtUf8dSoMQgVYLuz1rnLJKAnK1U0GhZbBq42', '_3aMDbZ2q9e20BmZEhIaJt6XlXm5UJhLKFpFQN49bCAjEUKABU4', 'BxN2FLjOWZDzBH5bLtgYmJqRF6C5T5cGazEdfHcn8ZI22nuWdB', 'KfOsm4kFLGAEdhc33hOLO132StxtaXF8wEQJdC800FLNbytrS8', 'sgif8D08CSsyeOD7aYFmeF60RZsfuOE9qVqHpmJgGZTIJZbgCA', 'vttQD75kDGiceC5WBSry2w1mQ4vqHsXs6B9e0rnKFmtFSmkmHW', 'nCHVTlnALkhlGRnPg8KuFukEWjnWBiTZJdROj6j2zlk3AS5Bt7', 'PPWozYnItdDIat0WNDwRWFXQRmilw2RHem6oQ4Eap1KEMtSUSc', 'ZzHGkqlfneKc9axyxzoJiqJdiuGfz9TcwEKKqDYCoa8oVP6oML', 'NnlRXBx3RxlQimLoiBIInKmhL71dh1B8tCet1JjjwKYQnstxOD'
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, xFEI6GFflrDoYGq8T7NvZ6oxo.csHigh entropy of concatenated method names: 'mHTAb9BI4irvmiRltQrnwimEm', 'Jm6HacNyF4NnJaP2xFwNPFp3p', 'E7W4z6SnvbN6BykbMeXkHzJ9Z', 'M5xD61rMj4IIuhi0JLJU6T2JX', 'i8pbxD6vQuQpTDl5F1DsF2eoX', 'Xzwtbf7NUv2JuF7qSQ1vvuzmO', 'LkDQ0SqvnbgYpr06sZPUDUHgG', '_1bPapUWnAMMbbbBMQebBRCb8X', 'aJAIdEMQXqmtwMWpIxXaFTe9P', 'kUisE9idkGaPkAYlExoFAx5qW'
                        Source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, FhrwYiRTRf2VDyM59kmulbyU2.csHigh entropy of concatenated method names: 'nQtJxtWE0d3JO6W4O2FiT0jJe', 'qpPIeuuyevTg3ZI0Ea1Ctui1o', 'Moq2nmPwCP9cbjFNPGH2hHiL1', 'mV5DPAK60gzly7fLERlkR2FgB', 'eHS0HYtDbc', '_0qXwHtIvIk', 'LZtYzkaDWK', 'V4q16VWCi2', 'UxJpbFKhjE', 'vJy7dElNqI'
Source: C:\Users\user\Desktop\imagelogger.exe	File created: C:\Users\user\AppData\Local\Temp\imagelogger
Source: C:\Users\user\Desktop\imagelogger.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imagelogger.lnk
Source: C:\Users\user\Desktop\imagelogger.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\Desktop\imagelogger.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: imagelogger.exe, imagelogger.0.dr	Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\imagelogger.exe	Memory allocated: 28C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\imagelogger.exe	Memory allocated: 1AA90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\imagelogger.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\imagelogger.exe	Window / User API: threadDelayed 7520
Source: C:\Users\user\Desktop\imagelogger.exe	Window / User API: threadDelayed 2336
Source: C:\Users\user\Desktop\imagelogger.exe TID: 2960	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\imagelogger.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\imagelogger.exe	File Volume queried: C:\ FullSizeInformation
Source: imagelogger.0.dr	Binary or memory string: vmware
Source: imagelogger.exe, 00000000.00000002.3787830035.000000001B91C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,

Anti Debugging

Source: C:\Users\user\Desktop\imagelogger.exe	Code function: 0_2_00007FF887B07301 CheckRemoteDebuggerPresent,0_2_00007FF887B07301
Source: C:\Users\user\Desktop\imagelogger.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\imagelogger.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\imagelogger.exe	Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\imagelogger.exe	Queries volume information: C:\Users\user\Desktop\imagelogger.exe VolumeInformation
Source: C:\Users\user\Desktop\imagelogger.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\imagelogger.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: imagelogger.exe, 00000000.00000002.3787830035.000000001B91C000.00000004.00000020.00020000.00000000.sdmp, imagelogger.exe, 00000000.00000002.3785635722.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, imagelogger.exe, 00000000.00000002.3787830035.000000001B8F2000.00000004.00000020.00020000.00000000.sdmp, imagelogger.exe, 00000000.00000002.3787830035.000000001B9C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\imagelogger.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

                        Source: Yara matchFile source: imagelogger.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.0.imagelogger.exe.780000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.imagelogger.exe.12aa1a78.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000000.1327178252.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.3787439473.0000000012A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.3786146895.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: imagelogger.exe PID: 3820, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\imagelogger, type: DROPPED

                        Remote Access Functionality

Source: Yara match; File source: imagelogger.exe, type: SAMPLE
Source: Yara match; File source: 0.2.imagelogger.exe.12aa1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.imagelogger.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.imagelogger.exe.12aa1a78.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1327178252.0000000000782000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3787439473.0000000012A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3786146895.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: imagelogger.exe PID: 3820, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\imagelogger, type: DROPPED

MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count shown in the report next to that technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation (12), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: Registry Run Keys / Startup Folder (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Registry Run Keys / Startup Folder (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (151), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (11), Software Packing (2), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery (541), Virtualization/Sandbox Evasion (151), Application Window Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (23), Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (11), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

Antivirus results for the submitted sample (Source | Detection | Scanner | Label)
imagelogger.exe | 75% | Virustotal |
imagelogger.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
imagelogger.exe | 100% | Avira | HEUR/AGEN.1311620
imagelogger.exe | 100% | Joe Sandbox ML |

Antivirus results for dropped files (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Local\Temp\imagelogger | 100% | Avira | HEUR/AGEN.1311620
C:\Users\user\AppData\Local\Temp\imagelogger | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\imagelogger | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches

Antivirus results for domains (Source | Detection | Scanner | Label)
among-publication.at.ply.gg | 4% | Virustotal |

Antivirus results for URLs (Source | Detection | Scanner | Label)
among-publication.at.ply.gg | 100% | Avira URL Cloud | malware
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
among-publication.at.ply.gg | 147.185.221.229 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
among-publication.at.ply.gg | true | Avira URL Cloud: malware | unknown
http://ip-api.com/line/?fields=hosting | false | | high

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | imagelogger.exe, 00000000.00000002.3786146895.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted public IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
147.185.221.229 | among-publication.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575694
Start date and time: 2024-12-16 08:36:28 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: imagelogger.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/2@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 6
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
02:37:26 | API Interceptor | 13578621x Sleep call for process: imagelogger.exe modified
07:37:28 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imagelogger.lnk
Context by IP (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
208.95.112.1:
• com surrogate.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
• jerniuiopu.exe | malicious | Blackshades | ip-api.com/json/
• file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | ip-api.com/line/?fields=hosting
• RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | ip-api.com/line/?fields=hosting
• 7laJ4zKd8O.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
• 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | ip-api.com/json/
• gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT | ip-api.com/json/
• hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer | ip-api.com/json/
• da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm | ip-api.com/line/?fields=hosting
• 03VPFXH490.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
147.185.221.229:
• Fast Download.exe | malicious | Njrat |
• cheker.exe | malicious | Orcus |
• CheatsCheker.exe | malicious | Orcus |

Context by domain (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
ip-api.com:
• com surrogate.exe | malicious | XWorm | 208.95.112.1
• jerniuiopu.exe | malicious | Blackshades | 208.95.112.1
• file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | 208.95.112.1
• RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 208.95.112.1
• 7laJ4zKd8O.exe | malicious | XWorm | 208.95.112.1
• 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
• gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT | 208.95.112.1
• hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
• da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm | 208.95.112.1
• 03VPFXH490.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
s-part-0035.t-0009.t-msedge.net:
• Ex.exe | malicious | Unknown | 13.107.246.63
• installer.exe.exe | malicious | Quasar | 13.107.246.63
• Neverlose Loader.exe | malicious | Quasar | 13.107.246.63
• vanilla.exe | malicious | Quasar | 13.107.246.63
• Fast Download.exe | malicious | Njrat | 13.107.246.63
• Client.exe | malicious | AsyncRAT | 13.107.246.63
• backd00rhome.exe | malicious | Metasploit | 13.107.246.63
• fern_wifi_recon%2.34.exe | malicious | Metasploit | 13.107.246.63
• CrSpoofer.exe | malicious | AsyncRAT | 13.107.246.63
• ImageMso.Gallery.xll | malicious | Unknown | 13.107.246.63

Context by ASN (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
SALSGIVERUS:
• com surrogate.exe | malicious | XWorm | 147.185.221.22
• lastest.exe | malicious | Njrat | 147.185.221.20
• Fast Download.exe | malicious | Njrat | 147.185.221.229
• cnct.exe | malicious | Njrat | 147.185.221.20
• Server1.exe | malicious | Njrat | 147.185.221.17
• njSilent.exe | malicious | Njrat | 147.185.221.19
• Minet.exe | malicious | Njrat | 147.185.221.22
• Discordd.exe | malicious | AsyncRAT | 147.185.221.18
• Discord2.exe | malicious | AsyncRAT | 147.185.221.18
• Discord3.exe | malicious | AsyncRAT | 147.185.221.18
TUT-ASUS:
• com surrogate.exe | malicious | XWorm | 208.95.112.1
• jerniuiopu.exe | malicious | Blackshades | 208.95.112.1
• https://fsharetv.io | malicious | Unknown | 162.252.214.4
• file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig | 208.95.112.1
• RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 208.95.112.1
• 7laJ4zKd8O.exe | malicious | XWorm | 208.95.112.1
• 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
• gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT | 208.95.112.1
• hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
• da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm | 208.95.112.1
Dropped file: C:\Users\user\AppData\Local\Temp\imagelogger
Process: C:\Users\user\Desktop\imagelogger.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 327680
Entropy (8bit): 3.402515961281467
Encrypted: false
SSDEEP: 3072:Bm4cvA/SDhVUYbg1Sc0dBYOzY4Xy0tv4L9witTOs/sh/A:oVTbGSldBSf0tvg3xs/
MD5: 9655B8120C0D0469EE87EEBDEECA3B4D
SHA1: 88694919A39988857213BDE785B5C591E1525A35
SHA-256: D5355284B6411903AB344C3DA20178FF2891B7C14B2CECF27943C9331E6FE652
SHA-512: AA418C5AB153B3FAD305D6556990C2BB89ED59E8AC11F84D5CEBEA547032387CCB9211FB4D35486534D205194884ABFCC5CFB84417196C3A9FF886E97346B306
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\imagelogger, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\imagelogger, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\imagelogger, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 76%
Reputation: low
Dropped file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imagelogger.lnk
Process: C:\Users\user\Desktop\imagelogger.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 16 06:37:25 2024, mtime=Mon Dec 16 06:37:25 2024, atime=Mon Dec 16 06:37:25 2024, length=327680, window=hide
Category: dropped
Size (bytes): 1049
Entropy (8bit): 4.992986568846722
Encrypted: false
SSDEEP: 24:8RRHDHo73qKRSgK3RerGAcwZlEI4iAOqygm:8RVrK3qKR/cwZLCLyg
MD5: 53E4E9CF775219938FB216846D3D501F
SHA1: 5921A8E57E160DB4268546A76ABD9E55DD7C9582
SHA-256: 422DB0468F90AE3C204883D75B64000328547BF9903840AB8863B471D9222EA2
SHA-512: B27B50B24D5C79F20E1A4F1BF5ABC801EB249371242BBD81F0771B887503693C3F11AD886E0473FA4097F8FF87A9C19F2AB3F2C2A78C44DEECA4F00811E05CAA
Malicious: false
Reputation: low
Static file info for the submitted sample
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 3.402515961281467
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: imagelogger.exe
File size: 327,680 bytes
MD5: 9655b8120c0d0469ee87eebdeeca3b4d
SHA1: 88694919a39988857213bde785b5c591e1525a35
SHA256: d5355284b6411903ab344c3da20178ff2891b7c14b2cecf27943c9331e6fe652
SHA512: aa418c5ab153b3fad305d6556990c2bb89ed59e8ac11f84d5cebea547032387ccb9211fb4d35486534d205194884abfcc5cfb84417196c3a9ff886e97346b306
SSDEEP: 3072:Bm4cvA/SDhVUYbg1Sc0dBYOzY4Xy0tv4L9witTOs/sh/A:oVTbGSldBSf0tvg3xs/
TLSH: 936408D63B4043EFC05ABF798965D631A2BA5F46FA46E346C074F051AFB71C28E41AC2
Icon Hash: 17137171652d0303
Entrypoint: 0x40f54e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x64F7BE46 [Tue Sep 5 23:48:22 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf4f8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x425aa | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd554 | 0xd600 | 7f0e7e46e5770e2d36f35037f62679b0 | False | 0.5971086448598131 | data | 6.1236544264430695 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x425aa | 0x42600 | 9883ae93da2a2082c3c7fe7f8ae676ad | False | 0.1864811381826742 | data | 2.3894491698434708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54000 | 0xc | 0x200 | 7ee00025a62cea4fff5885e1822b5ff8 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x10130 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 11811 x 11811 px/m | | | 0.18493875196023316
RT_GROUP_ICON | 0x52158 | 0x14 | data | | | 0.9
RT_VERSION | 0x5216c | 0x254 | data | | | 0.4664429530201342
RT_MANIFEST | 0x523c0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
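The data-directory and section tables above are what a PE parser reads out of the optional header and the section headers. The Python below is an added example (not code from the Joe Sandbox report) that parses those two structures and maps each directory RVA to the section containing it, reproducing the "Is in Section" column; a non-zero COM_DESCRIPTOR (CLR header) directory is the quick test that the file is a managed .NET image, which is consistent with the single mscoree.dll!_CorExeMain import. The byte image it parses is a constructed PE32 header filled with the directory and section values from the tables (no section contents, so only header parsing is exercised); field offsets follow the PE/COFF format.

```python
"""Parse a PE's data directories and section table and map each directory to
the section that holds it (the view printed in the Joe Sandbox tables above).

Added example, not code from the report. build_sample_header() is a constructed
PE32 header that carries the report's directory and section values and nothing
else; a real file is handled with parse_pe(open(path, "rb").read()).
"""
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Return machine, sections, data directories (with owning section) and a .NET flag."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # NumberOfRvaAndSizes and the directory array sit at fixed offsets that
    # differ between PE32 (0x5C / 0x60) and PE32+ (0x6C / 0x70).
    ndirs = struct.unpack_from("<I", data, opt + (0x6C if pe32plus else 0x5C))[0]
    dir_base = opt + (0x70 if pe32plus else 0x60)
    dirs = [struct.unpack_from("<II", data, dir_base + 8 * i) for i in range(min(ndirs, 16))]

    sections = []
    sec_base = opt + opt_size
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, sec_base + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": chars})

    def section_for(rva: int):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
                return s["name"]
        return None

    directories = {
        name: {"rva": rva, "size": size, "section": section_for(rva) if rva else None}
        for name, (rva, size) in zip(DIRECTORY_NAMES, dirs)
    }
    # A populated COM_DESCRIPTOR (CLR header) directory marks a managed .NET image;
    # such files normally import only mscoree.dll!_CorExeMain, as this sample does.
    return {"machine": machine, "pe32plus": pe32plus, "sections": sections,
            "directories": directories,
            "is_dotnet": directories["COM_DESCRIPTOR"]["rva"] != 0}


def build_sample_header() -> bytes:
    """Constructed PE32 header reproducing the report's directory and section values."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    coff = struct.pack(COFF_HDR, 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)  # i386, 3 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)                          # NumberOfRvaAndSizes
    dir_values = {"IMPORT": (0xF4F8, 0x53), "RESOURCE": (0x10000, 0x425AA),
                  "BASERELOC": (0x54000, 0xC), "IAT": (0x2000, 0x8),
                  "COM_DESCRIPTOR": (0x2008, 0x48)}
    for i, name in enumerate(DIRECTORY_NAMES):
        struct.pack_into("<II", opt, 0x60 + 8 * i, *dir_values.get(name, (0, 0)))
    secs = b""
    for name, vsize, va, raw, chars in [
        (b".text", 0xD554, 0x2000, 0xD600, 0x60000020),     # CNT_CODE | MEM_EXECUTE | MEM_READ
        (b".rsrc", 0x425AA, 0x10000, 0x42600, 0x40000040),  # CNT_INITIALIZED_DATA | MEM_READ
        (b".reloc", 0xC, 0x54000, 0x200, 0x42000040),       # ... | MEM_DISCARDABLE
    ]:
        secs += struct.pack(SECTION_HDR, name, vsize, va, raw, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    info = parse_pe(build_sample_header())
    print("managed .NET image:", info["is_dotnet"])
    for name, d in info["directories"].items():
        if d["rva"]:
            print(f"{name:<15} rva=0x{d['rva']:x} size=0x{d['size']:x} in {d['section']}")
```

The section lookup uses the larger of VirtualSize and SizeOfRawData because either may be the smaller of the two on disk; for this sample the IMPORT directory at 0xf4f8 lands inside .text, whose VirtualSize (0xd554) ends at 0xf554, so both bounds place it correctly.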
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T08:37:38.443741+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9 | 49723 | 147.185.221.229 | 42209 | TCP
2024-12-16T08:39:03.103686+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9 | 49897 | 147.185.221.229 | 42209 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:37:24.558048964 CET | 49717 | 80 | 192.168.2.9 | 208.95.112.1
Dec 16, 2024 08:37:24.677905083 CET | 80 | 49717 | 208.95.112.1 | 192.168.2.9
Dec 16, 2024 08:37:24.678037882 CET | 49717 | 80 | 192.168.2.9 | 208.95.112.1
Dec 16, 2024 08:37:24.679280996 CET | 49717 | 80 | 192.168.2.9 | 208.95.112.1
Dec 16, 2024 08:37:24.799031019 CET | 80 | 49717 | 208.95.112.1 | 192.168.2.9
Dec 16, 2024 08:37:25.830826998 CET | 80 | 49717 | 208.95.112.1 | 192.168.2.9
Dec 16, 2024 08:37:25.876678944 CET | 49717 | 80 | 192.168.2.9 | 208.95.112.1
Dec 16, 2024 08:37:27.491365910 CET | 49723 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:27.611377001 CET | 42209 | 49723 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:37:27.615473986 CET | 49723 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:27.689527035 CET | 49723 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:27.809324026 CET | 42209 | 49723 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:37:38.443741083 CET | 49723 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:38.563544989 CET | 42209 | 49723 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:37:49.190136909 CET | 49723 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:49.310051918 CET | 42209 | 49723 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:37:49.506159067 CET | 42209 | 49723 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:37:49.506239891 CET | 49723 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:51.596060991 CET | 49723 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:51.597423077 CET | 49781 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:51.715868950 CET | 42209 | 49723 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:37:51.717488050 CET | 42209 | 49781 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:37:51.717596054 CET | 49781 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:52.072165966 CET | 49781 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:37:52.192792892 CET | 42209 | 49781 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:06.142893076 CET | 49781 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:06.262756109 CET | 42209 | 49781 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:13.601051092 CET | 42209 | 49781 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:13.601176977 CET | 49781 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:14.033478975 CET | 49781 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:14.034941912 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:14.153239012 CET | 42209 | 49781 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:14.154623032 CET | 42209 | 49831 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:14.154712915 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:14.193061113 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:14.312966108 CET | 42209 | 49831 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:17.542336941 CET | 80 | 49717 | 208.95.112.1 | 192.168.2.9
Dec 16, 2024 08:38:17.542484045 CET | 49717 | 80 | 192.168.2.9 | 208.95.112.1
Dec 16, 2024 08:38:26.783673048 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:26.903461933 CET | 42209 | 49831 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:32.642879009 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:32.762799025 CET | 42209 | 49831 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:32.799338102 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:32.919294119 CET | 42209 | 49831 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:33.236546040 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:33.356230974 CET | 42209 | 49831 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:34.935174942 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:35.054971933 CET | 42209 | 49831 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:36.056226969 CET | 42209 | 49831 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:36.056363106 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:41.064493895 CET | 49831 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:41.067009926 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:41.184241056 CET | 42209 | 49831 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:41.186774969 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:41.186842918 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:41.225881100 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:41.347587109 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:41.347651005 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:41.467551947 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:41.611836910 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:41.731656075 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:43.049915075 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:43.169678926 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:45.221295118 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:45.340990067 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:49.658552885 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:49.778362989 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:51.768091917 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:51.888159037 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:51.889703035 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:52.009682894 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:52.066692114 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:52.186394930 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:38:57.533638954 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:38:57.653347015 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:02.863879919 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:02.983685017 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:02.983747959 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:03.103636026 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:03.103686094 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:03.117934942 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:03.118036985 CET | 49897 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:03.223421097 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:03.237713099 CET | 42209 | 49897 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:05.848567009 CET | 49717 | 80 | 192.168.2.9 | 208.95.112.1
Dec 16, 2024 08:39:05.968352079 CET | 80 | 49717 | 208.95.112.1 | 192.168.2.9
Dec 16, 2024 08:39:08.010214090 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:08.129966974 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:08.130168915 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:08.231005907 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:08.350754976 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:08.814901114 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:08.934542894 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:08.935065031 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:09.054797888 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:09.441689968 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:09.561634064 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:15.521704912 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:15.641444921 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:19.221657038 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:19.341397047 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:24.627876043 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:24.747582912 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:27.799350023 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:27.919087887 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:29.801759005 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:29.921528101 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:30.025727987 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:30.025810003 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:34.820108891 CET | 49958 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:34.855384111 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:34.940001965 CET | 42209 | 49958 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:34.977869034 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:34.984981060 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:35.256619930 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:35.378602028 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:40.393264055 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:40.513750076 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:40.513823032 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:40.633606911 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:40.633660078 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:40.753469944 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:47.565356970 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:47.685133934 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:47.986881971 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:48.106875896 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:52.989836931 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:53.109888077 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:56.080990076 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:56.201327085 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:56.201395035 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:56.321185112 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:56.321266890 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:56.443036079 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:56.443123102 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:56.563020945 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:56.563093901 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:39:56.683120012 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:56.902080059 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:39:56.902151108 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:01.549258947 CET | 49982 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:01.552069902 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:01.669336081 CET | 42209 | 49982 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:01.671950102 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:01.672137976 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:01.880186081 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:01.999938965 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:05.519886971 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:05.639708042 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:06.971414089 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:07.091229916 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:07.092050076 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:07.211896896 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:12.038858891 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:12.347939014 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:12.437491894 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:12.467814922 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:12.846978903 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:12.967247009 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:12.967310905 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:13.087390900 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:13.087567091 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:13.207426071 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:17.409210920 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:17.528978109 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:18.206034899 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:18.325894117 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:18.325956106 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:18.445769072 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:18.445971012 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:18.565788031 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:18.565849066 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:18.685570955 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:18.685628891 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:18.805362940 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:23.577688932 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:23.582071066 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:23.585140944 CET | 49983 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:23.588009119 CET | 49984 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:23.705022097 CET | 42209 | 49983 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:23.707845926 CET | 42209 | 49984 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:23.708292007 CET | 49984 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:23.866831064 CET | 49984 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:23.986601114 CET | 42209 | 49984 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:35.161978006 CET | 49984 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:35.281685114 CET | 42209 | 49984 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:36.815787077 CET | 49984 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:36.936012030 CET | 42209 | 49984 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:38.675096989 CET | 49984 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:38.794795990 CET | 42209 | 49984 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:45.625212908 CET | 42209 | 49984 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:45.625310898 CET | 49984 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:49.033998013 CET | 49984 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:49.036628008 CET | 49985 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:49.153773069 CET | 42209 | 49984 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:49.156349897 CET | 42209 | 49985 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:49.157160044 CET | 49985 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:49.437100887 CET | 49985 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:49.556936979 CET | 42209 | 49985 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:54.534167051 CET | 49985 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:54.654119015 CET | 42209 | 49985 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:40:54.654190063 CET | 49985 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:40:54.774199009 CET | 42209 | 49985 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:05.518482924 CET | 49985 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:05.638283014 CET | 42209 | 49985 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:07.409130096 CET | 49985 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:07.529082060 CET | 42209 | 49985 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:11.047552109 CET | 42209 | 49985 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:11.047631979 CET | 49985 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:14.940289021 CET | 49985 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:14.942884922 CET | 49986 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:15.060118914 CET | 42209 | 49985 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:15.062978029 CET | 42209 | 49986 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:15.063090086 CET | 49986 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:15.099416018 CET | 49986 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:15.222165108 CET | 42209 | 49986 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:18.596782923 CET | 49986 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:18.716449022 CET | 42209 | 49986 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:20.018579006 CET | 49986 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:20.138335943 CET | 42209 | 49986 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:26.815496922 CET | 49986 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:26.935457945 CET | 42209 | 49986 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:36.970113039 CET | 42209 | 49986 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:36.970267057 CET | 49986 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:40.643378973 CET | 49986 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:40.644553900 CET | 49987 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:40.763128996 CET | 42209 | 49986 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:40.764360905 CET | 42209 | 49987 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:40.768491030 CET | 49987 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:40.793423891 CET | 49987 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:40.913333893 CET | 42209 | 49987 | 147.185.221.229 | 192.168.2.9
Dec 16, 2024 08:41:54.362462044 CET | 49987 | 42209 | 192.168.2.9 | 147.185.221.229
Dec 16, 2024 08:41:54.482134104 CET | 42209 | 49987 | 147.185.221.229 | 192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:37:24.411652088 CET | 49513 | 53 | 192.168.2.9 | 1.1.1.1
Dec 16, 2024 08:37:24.551023960 CET | 53 | 49513 | 1.1.1.1 | 192.168.2.9
Dec 16, 2024 08:37:27.197638035 CET | 62036 | 53 | 192.168.2.9 | 1.1.1.1
Dec 16, 2024 08:37:27.472388029 CET | 53 | 62036 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 08:37:24.411652088 CET | 192.168.2.9 | 1.1.1.1 | 0x5022 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 08:37:27.197638035 CET | 192.168.2.9 | 1.1.1.1 | 0xf24c | Standard query (0) | among-publication.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 08:37:19.105788946 CET | 1.1.1.1 | 192.168.2.9 | 0xe188 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 08:37:19.105788946 CET | 1.1.1.1 | 192.168.2.9 | 0xe188 | No error (0) | s-part-0035.t-0009.t-msedge.net | - | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 08:37:24.551023960 CET | 1.1.1.1 | 192.168.2.9 | 0x5022 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 08:37:27.472388029 CET | 1.1.1.1 | 192.168.2.9 | 0xf24c | No error (0) | among-publication.at.ply.gg | - | 147.185.221.229 | A (IP address) | IN (0x0001) | false
• ip-api.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49717 | 208.95.112.1 | 80 | 3820 | C:\Users\user\Desktop\imagelogger.exe

Dec 16, 2024 08:37:24.679280996 CET, 80 bytes, OUT:
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Dec 16, 2024 08:37:25.830826998 CET, 175 bytes, IN:
    HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 07:37:24 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false

The fields=hosting query asks ip-api.com whether the client's public address belongs to a hosting, colocation or data-center range (this is the "Check if machine is in data center or colocation facility" signature). The reply here is false, so the sandbox's egress address passed the check. X-Rl is the number of requests remaining under ip-api.com's per-minute limit and X-Ttl the seconds until that allowance resets.
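Added example, not part of the Joe Sandbox report: the DNS answers, TCP flows and HTTP session from the tables above transcribed into Python, with two checks an analyst would run over them. The first maps every contacted address back to the name that resolved to it (following the CNAME chain), so the 42209/tcp flows can be attributed to among-publication.at.ply.gg; the second flags the ip-api.com request whose fields=hosting query asks whether the client sits in a data-center range and records what the service answered. LOCAL_NET and the flagging rules are this example's assumptions, and timestamps are shortened.

```python
"""Analyst-side correlation of the network records in the report above.

DNS_ANSWERS, TCP_PACKETS and HTTP_SESSIONS are transcribed from the report
tables (timestamps shortened to hh:mm:ss.ms); LOCAL_NET and the two rules
below are this example's own assumptions, not part of the sandbox output.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# (queried name, record type, answer) from the DNS answer table
DNS_ANSWERS = [
    ("shed.dual-low.s-part-0035.t-0009.t-msedge.net", "CNAME", "s-part-0035.t-0009.t-msedge.net"),
    ("s-part-0035.t-0009.t-msedge.net", "A", "13.107.246.63"),
    ("ip-api.com", "A", "208.95.112.1"),
    ("among-publication.at.ply.gg", "A", "147.185.221.229"),
]

# (time, src port, dst port, src ip, dst ip) from the TCP table and the HTTP session
TCP_PACKETS = [
    ("08:37:24.679", 49717, 80, "192.168.2.9", "208.95.112.1"),
    ("08:41:26.815", 49986, 42209, "192.168.2.9", "147.185.221.229"),
    ("08:41:26.935", 42209, 49986, "147.185.221.229", "192.168.2.9"),
    ("08:41:40.644", 49987, 42209, "192.168.2.9", "147.185.221.229"),
    ("08:41:40.764", 42209, 49987, "147.185.221.229", "192.168.2.9"),
]

# (dst ip, dst port, request line, Host header, response body) from the HTTP session
HTTP_SESSIONS = [
    ("208.95.112.1", 80, "GET /line/?fields=hosting HTTP/1.1", "ip-api.com", "false\n"),
]

LOCAL_NET = "192.168.2."  # assumption: the sandbox guest's /24


def resolve_names(answers=DNS_ANSWERS):
    """Map each answered IP to every name that led to it, CNAME aliases included."""
    cnames = {name: target for name, rtype, target in answers if rtype == "CNAME"}
    ip_to_names = defaultdict(set)
    for name, rtype, value in answers:
        if rtype == "A":
            ip_to_names[value].add(name)
    for alias, target in cnames.items():
        seen = set()
        while target in cnames and target not in seen:  # follow multi-hop chains
            seen.add(target)
            target = cnames[target]
        for names in ip_to_names.values():
            if target in names:
                names.add(alias)
    return dict(ip_to_names)


def outbound_flows(packets=TCP_PACKETS, answers=DNS_ANSWERS):
    """Return {(dst ip, dst port): [names]} for every flow leaving LOCAL_NET.

    A destination with no name means the sample used a hard-coded address.
    """
    names = resolve_names(answers)
    flows = {}
    for _, _, dport, sip, dip in packets:
        if sip.startswith(LOCAL_NET) and not dip.startswith(LOCAL_NET):
            flows.setdefault((dip, dport), set()).update(names.get(dip, ()))
    return {key: sorted(val) for key, val in flows.items()}


def hosting_checks(sessions=HTTP_SESSIONS):
    """Flag ip-api.com requests that ask for the 'hosting' field.

    ip-api.com answers 'true' when the client address is hosting / data-center
    space, which is the sandbox signal the sample is after.  Returns one
    (host, path, looks_like_datacenter) tuple per flagged request.
    """
    hits = []
    for _, _, request_line, host, body in sessions:
        _, target, _ = request_line.split(" ", 2)
        url = urlsplit(target)
        wanted = set(",".join(parse_qs(url.query).get("fields", [])).split(","))
        if host.endswith("ip-api.com") and "hosting" in wanted:
            hits.append((host, url.path, body.strip().lower() == "true"))
    return hits


if __name__ == "__main__":
    for (ip, port), names in outbound_flows().items():
        print(f"{ip}:{port} <- {', '.join(names) or '(no DNS name)'}")
    for host, path, datacenter in hosting_checks():
        print(f"data-center probe via {host}{path}: answered {'true' if datacenter else 'false'}")
```

Run as a script it prints one line per outbound destination with the names that resolved to it, followed by the ip-api.com probe and its verdict; a destination that shows up with no DNS name is worth a second look, because it means the address was carried in the sample rather than resolved at run time.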



Target ID: 0
Start time: 02:37:19
Start date: 16/12/2024
Path: C:\Users\user\Desktop\imagelogger.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\imagelogger.exe"
Imagebase: 0x780000
File size: 327'680 bytes
MD5 hash: 9655B8120C0D0469EE87EEBDEECA3B4D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1327178252.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1327178252.0000000000782000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3787439473.0000000012A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3787439473.0000000012A91000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3786146895.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


                                        Execution Graph

                                        Execution Coverage:18.2%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:50%
                                        Total number of Nodes:6
                                        Total number of Limit Nodes:0

                                        Control-flow Graph

Function 7ff887b010fa-7ff887b018e5 in the non-PE-backed region at 7ff887b00000 (edge list and executed/not-executed colouring of the graph not reproduced here). Entry block 7ff887b010fa-7ff887b01141; the block at 7ff887b011c1-7ff887b01200 either takes the early exit to 7ff887b0189e-7ff887b018e5 or continues into the main path: 7ff887b01206-7ff887b0139e (calls 7ff887b00620 eleven times, then 7ff887b00a38), 7ff887b013a8-7ff887b01403 (calls 7ff887b004b0, 7ff887b00348, 7ff887b00358), a loop over 7ff887b01407-7ff887b0145e (calls 7ff887b00348 again), 7ff887b01487-7ff887b01491 (calls 7ff887b00368), 7ff887b01710-7ff887b017cc (calls 7ff887b00378, 7ff887b009d8, 7ff887b01008), an optional call to 7ff887b007a8 at 7ff887b017ce, and the exit block 7ff887b017d3-7ff887b0186c.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3788662126.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887b00000_imagelogger.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6f$6f$6f$6f$L_H$"rf$0Dp$0Dp$0Dp$3L_^$8Mp
                                        • API String ID: 0-3355891241
                                        • Opcode ID: 6ef2a1494ad0edec26e17e7c12dc89c8103a14124e372ea9107952c45077383d
                                        • Instruction ID: 8a78f44fbc70c4896cae4d09a096eb1422e71a585866a2dc86ca8816f0b98844
                                        • Opcode Fuzzy Hash: 6ef2a1494ad0edec26e17e7c12dc89c8103a14124e372ea9107952c45077383d
                                        • Instruction Fuzzy Hash: D932E431B68A095BEB58FB7C945A2FD77E2FF98390F440579D04DD3292DE28A841C782

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3788662126.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887b00000_imagelogger.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6f$6f$6f$6f
                                        • API String ID: 0-1167845655
                                        • Opcode ID: f2348884848170ca671df4e9ae1eafba2af17fce4d4a9378774a57eae9ea1f45
                                        • Instruction ID: 2ca110629f63d5ea7228b432476d1b81a5781ad619287ad46be152fedefe2db6
                                        • Opcode Fuzzy Hash: f2348884848170ca671df4e9ae1eafba2af17fce4d4a9378774a57eae9ea1f45
                                        • Instruction Fuzzy Hash: C6C17030F5C94D8FEB98EB6C84657BD76E2FF99384F044579D04ED3292DE28A8428742

                                        Control-flow Graph

Block 7ff887b07301-7ff887b073bd calls CheckRemoteDebuggerPresent and then branches either directly to the exit block 7ff887b073c5-7ff887b07408 or through the single block at 7ff887b073bf, which falls into the same exit block. Despite its name, CheckRemoteDebuggerPresent reports (through its second argument) whether any debugger process is attached to the given process handle, including the caller's own, so this is an ordinary anti-debugging check; it is the source of the "Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)" signature.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3788662126.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887b00000_imagelogger.jbxd
                                        Similarity
                                        • API ID: CheckDebuggerPresentRemote
                                        • String ID:
                                        • API String ID: 3662101638-0
                                        • Opcode ID: 21a2bd0adefae163ff31386e0bcb1f739edcc38ee528728285598a04dfe6188c
                                        • Instruction ID: 4434448930417c960feac69fd861554d7303f74bd60d1c6b45cbd7fe2b97d5d2
                                        • Opcode Fuzzy Hash: 21a2bd0adefae163ff31386e0bcb1f739edcc38ee528728285598a04dfe6188c
                                        • Instruction Fuzzy Hash: 8A31FF319086188FCB58DF58C88A7ED7BF0EF65321F0542AAD489D7252DB34A846CB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3788662126.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887b00000_imagelogger.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 71297c6b52a4faa124b9bc5ab67ee8fc2281742535e2cf25fb023b18f6c3ce9b
                                        • Instruction ID: 6d5d41068ccaffcd709f28b006933a25aed0cce165376b1e67ba69a2edda40d2
                                        • Opcode Fuzzy Hash: 71297c6b52a4faa124b9bc5ab67ee8fc2281742535e2cf25fb023b18f6c3ce9b
                                        • Instruction Fuzzy Hash: EDF1A330918A4D8FEBA8DF28C855BED37E1FF55350F04426AE84DC7691DB38A945CB82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3788662126.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887b00000_imagelogger.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1917e4c9a72671dd3cecf5eca3c835beccffda524fc9bc956604502841b99015
                                        • Instruction ID: bf9ae2882a2cfd34a1a0eef4dde4bccebddadf1c08d5eefad2cc6416071c1a43
                                        • Opcode Fuzzy Hash: 1917e4c9a72671dd3cecf5eca3c835beccffda524fc9bc956604502841b99015
                                        • Instruction Fuzzy Hash: 13E1A230908A4E8FEBA8DF28C8557E977E2FF55350F04426ED84DC7291DB78A945CB82

                                        Control-flow Graph

Block 7ff887b08bbd-7ff887b08ca0 calls RtlSetProcessIsCritical and then branches either directly to the exit block 7ff887b08ca8-7ff887b08cdd or through the single block at 7ff887b08ca2, which falls into the same exit block. RtlSetProcessIsCritical marks the calling process as critical, which is the BreakOnTermination flag behind the "Protects its processes via BreakOnTermination flag" signature: terminating a process with that flag set causes a CRITICAL_PROCESS_DIED bugcheck, so during clean-up clear the flag first (ProcessBreakOnTermination via NtSetInformationProcess, which requires SeDebugPrivilege) and only then kill the process.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3788662126.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff887b00000_imagelogger.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID:
                                        • API String ID: 2695349919-0
                                        • Opcode ID: 3a5cf00e790a9427521a6e6c5266be897ce1c69169373347fcec51bec62db1d3
                                        • Instruction ID: 720deff5d751317e75ad4ef0b43e8713c25e1cca60cc6d6f7bf8cd5e5aea7932
                                        • Opcode Fuzzy Hash: 3a5cf00e790a9427521a6e6c5266be897ce1c69169373347fcec51bec62db1d3
                                        • Instruction Fuzzy Hash: 2541C23190C6498FDB19DBA8D845BE9BBF0EF56311F04416ED08AD3692CB68A446CB91