Analysis

Category FILE
Package exe
Started 2025-06-14 12:11:54
Completed 2025-06-14 12:42:45
Duration 1851 seconds
Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
Analysis Log
2024-11-25 13:37:15,381 [root] INFO: Date set to: 20250614T06:49:29, timeout set to: 1800
2025-06-14 07:49:29,163 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-14 07:49:29,179 [root] DEBUG: Storing results at: C:\qDdlkFnGz
2025-06-14 07:49:29,179 [root] DEBUG: Pipe server name: \\.\PIPE\wXevDSJXBA
2025-06-14 07:49:29,179 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-14 07:49:29,179 [root] INFO: analysis running as an admin
2025-06-14 07:49:29,179 [root] INFO: analysis package specified: "exe"
2025-06-14 07:49:29,179 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-14 07:49:30,163 [root] DEBUG: imported analysis package "exe"
2025-06-14 07:49:30,163 [root] DEBUG: initializing analysis package "exe"...
2025-06-14 07:49:30,163 [lib.common.common] INFO: wrapping
2025-06-14 07:49:30,163 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-14 07:49:30,163 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\Tango_Logger.exe
2025-06-14 07:49:30,163 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-14 07:49:30,163 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-14 07:49:30,163 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-14 07:49:30,163 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-14 07:49:30,366 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-14 07:49:30,382 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-14 07:49:30,444 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-14 07:49:30,460 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-14 07:49:30,538 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-14 07:49:30,538 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-14 07:49:30,538 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-14 07:49:30,554 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-14 07:49:30,554 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-14 07:49:30,554 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-14 07:49:30,554 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-14 07:49:30,554 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-14 07:49:30,554 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-14 07:49:30,554 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-14 07:49:30,554 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-14 07:49:30,554 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-14 07:49:30,554 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-14 07:49:30,554 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-14 07:49:30,725 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-14 07:49:30,725 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-14 07:49:30,725 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-14 07:49:30,725 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-14 07:49:30,725 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-14 07:49:30,725 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-14 07:49:30,725 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-14 07:49:30,725 [modules.auxiliary.disguise] INFO: Disguising GUID to 681fd063-b6e3-4307-92e0-097646af0c7f
2025-06-14 07:49:30,725 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-14 07:49:30,725 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-14 07:49:30,725 [root] DEBUG: attempting to configure 'Human' from data
2025-06-14 07:49:30,725 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-14 07:49:30,725 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-14 07:49:30,725 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-14 07:49:30,725 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-14 07:49:30,741 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-14 07:49:30,741 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-14 07:49:30,741 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-14 07:49:30,741 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-14 07:49:30,741 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-14 07:49:30,741 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-14 07:49:30,741 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-14 07:49:30,741 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-14 07:49:30,741 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-14 07:49:30,741 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-14 07:49:30,772 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-14 07:49:30,772 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-14 07:49:30,772 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-14 07:49:30,772 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-14 07:49:30,772 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-14 07:49:30,772 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-14 07:49:30,772 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-14 07:49:30,772 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\EeGlvdpK.dll, loader C:\tmpjeo7jmad\bin\PoaYJsgW.exe
2025-06-14 07:49:30,835 [root] DEBUG: Loader: IAT patching disabled.
2025-06-14 07:49:30,835 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\EeGlvdpK.dll.
2025-06-14 07:49:30,866 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-14 07:49:30,866 [root] INFO: Disabling sleep skipping.
2025-06-14 07:49:30,866 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-14 07:49:30,866 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-14 07:49:30,866 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-14 07:49:30,866 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-14 07:49:30,866 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-14 07:49:30,898 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-14 07:49:30,898 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-14 07:49:30,898 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-14 07:49:30,898 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 3696, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-14 07:49:30,898 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-14 07:49:30,913 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-14 07:49:30,913 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-14 07:49:30,913 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\EeGlvdpK.dll.
2025-06-14 07:49:30,913 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-14 07:49:30, <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-14 12:11:54
Shutdown On 2025-06-14 12:42:26
Route none

File Details

File Name Tango_Logger.exe
File Type PE32 executable (console) Intel 80386, for MS Windows
File Size 237056 bytes
MD5 8debcbda9fd3aa2a5b77639cb4e97743
SHA1 4576ea30b300a1ad027dbfdd6f011f70d16626be
SHA256 198115f8fdcd98e4d31444bc60a4fe84526b0697b0e0c70bb37bfaf119d12e30
SHA3-384 1ececc193f07b56a44e014c646c239bd85bf7c274f4f427be883ff54332219c9bb5d627587ce44a120fe384078db8caf
CRC32 A2611865
TLSH T15E349DB16461AD87F6A98CF2EFCAA32060E07D9D59F3416EE3DD173B41B035105ACA39
Ssdeep 6144:tm7pUsm10HMbRRE0epkZiIcvp96J+4xoSao:tmp010MXE0KIcvp96EioS

PE Information

Image Base 0x00400000
Entry Point 0x0006ce20
Reported Checksum 0x00000000
Actual Checksum 0x0003c6f7
Minimum OS Version 4.0
Compile Time 2014-07-30 16:15:11
Import Hash 1d88d597200c0081784c27940d743ec5
Icon Exact Hash 8a600eef1b42e0d5c8e842872f4d6dc9
Icon Similarity Hash e61d652d81ffeeb000bf14e2687f7c4d
Icon DHash 64f4d4c4c4c4c4d4

Version Infos

CompanyName Axoft Argentina S.A.
FileVersion 1,4,0,0
ProductName Tango Logger
ProductVersion 1.4.0.0
Translation 0x0000 0x04e4

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00000200 0x00001000 0x00044000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x00000200 0x00045000 0x00029000 0x00028a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 8.00
.rsrc 0x00028c00 0x0006e000 0x00012000 0x00011200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.04

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x0006e284 0x00010828 LANG_NEUTRAL SUBLANG_NEUTRAL 4.98 None
RT_RCDATA 0x0001caa8 0x00001220 LANG_NEUTRAL SUBLANG_NEUTRAL 0.00 None
RT_RCDATA 0x0001dcc8 0x0000000e LANG_NEUTRAL SUBLANG_NEUTRAL 0.00 None
RT_RCDATA 0x0001dcd8 0x0004cc00 LANG_NEUTRAL SUBLANG_NEUTRAL 0.00 None
RT_RCDATA 0x0006a8d8 0x00000020 LANG_NEUTRAL SUBLANG_NEUTRAL 4.88 None
RT_RCDATA 0x0006a8f8 0x00000010 LANG_NEUTRAL SUBLANG_NEUTRAL 4.00 None
RT_RCDATA 0x0006a908 0x00000006 LANG_NEUTRAL SUBLANG_NEUTRAL 2.58 None
RT_GROUP_ICON 0x0007eab0 0x00000014 LANG_NEUTRAL SUBLANG_NEUTRAL 1.98 None
RT_VERSION 0x0007eac8 0x000001c8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.22 None
RT_MANIFEST 0x0007ec94 0x00000263 LANG_NEUTRAL SUBLANG_NEUTRAL 4.92 None

Imports

KERNEL32.DLL
Name Address
LoadLibraryA 0x47efac
GetProcAddress 0x47efb0
VirtualProtect 0x47efb4
VirtualAlloc 0x47efb8
VirtualFree 0x47efbc
ExitProcess 0x47efc0

COMCTL32.dll
Name Address
InitCommonControls 0x47efc8

GDI32.dll
Name Address
SetBkColor 0x47efd0

MSVCRT.dll
Name Address
memset 0x47efd8

OLE32.dll
Name Address
CoInitialize 0x47efe0

SHELL32.dll
Name Address
ShellExecuteExA 0x47efe8

SHLWAPI.dll
Name Address
PathQuoteSpacesA 0x47eff0

USER32.dll
Name Address
IsChild 0x47eff8

Usage


Processing ( 157.66 seconds )

  • 154.575 ProcessMemory
  • 2.755 CAPE
  • 0.316 BehaviorAnalysis
  • 0.009 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.07 seconds )

  • 0.008 ransomware_files
  • 0.006 antianalysis_detectfile
  • 0.006 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antivm_vbox_files
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 masquerade_process_name
  • 0.001 antianalysis_detectreg
  • 0.001 antidebug_devices
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 uac_bypass_cmstpcom
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 qulab_files
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 suspicious_command_tools
  • 0.001 uses_windows_utilities

Reporting ( 0.09 seconds )

  • 0.079 CAPASummary
  • 0.014 JsonDump

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
command: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common AppData" 2>nul | find /i "Common AppData"
command: C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop" 2>nul | find /i "Desktop"
Possible date expiration check, exits too soon after checking local time
process: cmd.exe, PID 3464
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': 'UPX0', 'raw_address': '0x00000200', 'virtual_address': '0x00001000', 'virtual_size': '0x00044000', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000080', 'entropy': '0.00'}
unknown section: {'name': 'UPX1', 'raw_address': '0x00000200', 'virtual_address': '0x00045000', 'virtual_size': '0x00029000', 'size_of_data': '0x00028a00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '8.00'}
The binary likely contains encrypted or compressed data
section: {'name': 'UPX1', 'raw_address': '0x00000200', 'virtual_address': '0x00045000', 'virtual_size': '0x00029000', 'size_of_data': '0x00028a00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '8.00'}
Uses Windows utilities for basic functionality
command: C:\Windows\system32\cmd.exe /c ""C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\Tango_Logger.bat""
command: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common AppData" 2>nul | find /i "Common AppData"
command: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common AppData" 2>nul | find /i "Common AppData"
command: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common AppData" 2>nul | find /i "Common AppData"
command: C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop" 2>nul | find /i "Desktop"
command: C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop" 2>nul | find /i "Desktop"
command: C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop" 2>nul | find /i "Desktop"
command: C:\Windows\system32\cmd.exe /S /D /c" echo Sat 06/14/2025 "
command: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common AppData"
command: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common AppData"
command: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"
command: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 3412 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 684 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 2712 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 4552 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 2308 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 3464 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 6400 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 3660 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 2664 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 2468 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 5080 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 6212 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 840 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 3904 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 6856 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Deletes executed files from disk
file: C:\Users\Packager\AppData\Local\Temp\F1F9.tmp
Attempts to interact with an Alternate Data Stream (ADS)
file: C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\call:RegQuery
file: C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\goto:rqloop
file: C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\goto:eof
file: C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\goto:jump
file: C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\goto:jump2
file: C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\call:LogConfig
file: C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\call:StampGen

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\bcryptPrimitives.dll
\Device\CNG
C:\Users\Packager\AppData\Local\Temp\
C:\Users
C:\Users\Packager
C:\Users\Packager\AppData
C:\Users\Packager\AppData\Local
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\Tango_Logger.bat
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\Rar.exe
C:\Users\Packager\AppData\Local\Temp\Tango_Logger.exe
\Device\NamedPipe\
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\"C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\Tango_Logger.bat"
C:\Windows\System32\cmdext.dll
\??\nul
C:\
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\chcp.*
C:\Windows\System32\chcp.*
C:\Windows\System32\chcp.com
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\call:\RegQuery.*
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\call:RegQuery
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\goto:rqloop
C:\Windows\System32\cmd.exe
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\set.*
C:\Windows\System32\set.*
C:\Windows\set.*
C:\Windows\System32\wbem\set.*
C:\Windows\System32\WindowsPowerShell\v1.0\set.*
C:\Windows\System32\OpenSSH\set.*
C:\Users\Packager\AppData\Local\Programs\Python\Python310-32\Scripts\set.*
C:\Users\Packager\AppData\Local\Programs\Python\Python310-32\set.*
C:\Users\Packager\AppData\Local\Microsoft\WindowsApps\set.*
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\goto:\eof.*
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\goto:eof
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\goto:jump
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\goto:jump2
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\call:\LogConfig.*
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\call:LogConfig
C:\ProgramData\Axoft\Log.Ini
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\call:\StampGen.*
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\call:StampGen
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\find.*
C:\Windows\System32\find.*
C:\Windows\System32\find.COM
C:\Windows\System32\find.exe
C:\ProgramData\Axoft\Logs
C:\ProgramData\Axoft
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\echo..*
C:\Windows\System32\echo..*
C:\Windows\echo..*
C:\Windows\System32\wbem\echo..*
C:\Windows\System32\WindowsPowerShell\v1.0\echo..*
C:\Windows\System32\OpenSSH\echo..*
C:\Users\Packager\AppData\Local\Programs\Python\Python310-32\Scripts\echo..*
C:\Users\Packager\AppData\Local\Programs\Python\Python310-32\echo..*
C:\Users\Packager\AppData\Local\Microsoft\WindowsApps\echo..*
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\echo
C:\Windows\System32\fsutilext.dll
\??\CONOUT$
C:\Windows\System32\en-US\ulib.dll.mui
C:\Windows\sysnative\en-US\ulib.dll.mui
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\reg.*
C:\Windows\System32\reg.*
C:\Windows\System32\reg.COM
C:\Windows\System32\reg.exe
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\Tango_Logger.bat
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\Rar.exe
\??\nul
C:\ProgramData\Axoft\Log.Ini
\??\CONOUT$
C:\Users\Packager\AppData\Local\Temp\F1F9.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common AppData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common AppData
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
"C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\Tango_Logger.bat"
C:\Windows\system32\cmd.exe /c ""C:\Users\Packager\AppData\Local\Temp\F1F9.tmp\Tango_Logger.bat""
chcp 850
chcp 1252
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common AppData" 2>nul | find /i "Common AppData"
C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop" 2>nul | find /i "Desktop"
C:\Windows\system32\cmd.exe /S /D /c" echo Sat 06/14/2025 "
find "-"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common AppData"
find /i "Common AppData"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"
find /i "Desktop"
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.