Analysis Details
| Category | Package | Started | Completed | Duration | Logs | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| FILE | dll | 2026-04-16 22:43:33 | 2026-04-16 22:49:40 | 367s |
|
|||||
| Reports | JSON | |||||||||
Analysis Log
2026-03-05 20:34:41,788 [root] INFO: Date set to: 20260416T22:44:30, timeout set to: 200 2026-04-16 22:44:30,187 [root] DEBUG: Starting analyzer from: C:\ltb6yatm 2026-04-16 22:44:30,281 [root] DEBUG: Storing results at: C:\OHjuCIJf 2026-04-16 22:44:30,297 [root] DEBUG: Pipe server name: \\.\PIPE\THzYLz 2026-04-16 22:44:30,328 [root] DEBUG: Python path: C:\Python310 2026-04-16 22:44:30,343 [root] INFO: analysis running as an admin 2026-04-16 22:44:30,343 [root] INFO: analysis package specified: "dll" 2026-04-16 22:44:30,359 [root] DEBUG: importing analysis package module: "modules.packages.dll"... 2026-04-16 22:44:30,375 [root] DEBUG: imported analysis package "dll" 2026-04-16 22:44:30,375 [root] DEBUG: initializing analysis package "dll"... 2026-04-16 22:44:30,375 [lib.common.common] INFO: wrapping 2026-04-16 22:44:30,547 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation 2026-04-16 22:44:30,562 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll 2026-04-16 22:44:30,578 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option 2026-04-16 22:44:30,578 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option 2026-04-16 22:44:30,578 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option 2026-04-16 22:44:30,578 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option 2026-04-16 22:44:30,594 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2026-04-16 22:44:30,969 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2026-04-16 22:44:31,047 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2026-04-16 22:44:31,093 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2026-04-16 22:44:31,187 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2026-04-16 22:44:31,609 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab' 2026-04-16 22:44:31,828 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw' 2026-04-16 22:44:34,140 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance 2026-04-16 22:44:34,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2026-04-16 22:44:34,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2026-04-16 22:44:34,140 [root] DEBUG: Initialized auxiliary module "Browser" 2026-04-16 22:44:34,140 [root] DEBUG: attempting to configure 'Browser' from data 2026-04-16 22:44:34,156 [root] DEBUG: module Browser does not support data configuration, ignoring 2026-04-16 22:44:34,156 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2026-04-16 22:44:34,156 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2026-04-16 22:44:34,156 [root] DEBUG: Initialized auxiliary module "DigiSig" 2026-04-16 22:44:34,156 [root] DEBUG: attempting to configure 'DigiSig' from data 2026-04-16 22:44:34,172 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2026-04-16 22:44:34,172 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2026-04-16 22:44:34,172 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2026-04-16 22:44:57,734 [modules.auxiliary.digisig] DEBUG: File is not signed 2026-04-16 22:44:57,750 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2026-04-16 22:44:57,750 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2026-04-16 22:44:57,750 [root] DEBUG: Initialized auxiliary module "Disguise" 2026-04-16 22:44:57,750 [root] DEBUG: attempting to configure 'Disguise' from data 2026-04-16 22:44:57,750 [root] DEBUG: module Disguise does not support data configuration, ignoring 2026-04-16 22:44:57,750 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2026-04-16 22:44:57,875 [modules.auxiliary.disguise] INFO: Disguising GUID to b891db33-606d-41e0-a0dd-e7dd26a578cf 2026-04-16 22:44:57,875 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2026-04-16 22:44:57,890 [root] DEBUG: Initialized auxiliary module "Human" 2026-04-16 22:44:57,890 [root] DEBUG: attempting to configure 'Human' from data 2026-04-16 22:44:57,890 [root] DEBUG: module Human does not support data configuration, ignoring 2026-04-16 22:44:57,890 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2026-04-16 22:44:57,906 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2026-04-16 22:44:57,906 [root] DEBUG: Initialized auxiliary module "Screenshots" 2026-04-16 22:44:57,906 [root] DEBUG: attempting to configure 'Screenshots' from data 2026-04-16 22:44:57,906 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2026-04-16 22:44:57,906 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2026-04-16 22:44:58,250 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2026-04-16 22:44:58,250 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2026-04-16 22:44:58,469 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2026-04-16 22:44:58,484 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2026-04-16 22:44:58,484 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2026-04-16 22:44:58,500 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644 2026-04-16 22:45:00,218 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\ltb6yatm\dll\644.ini 2026-04-16 22:45:01,312 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2026-04-16 22:45:02,531 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\rXJCncX.dll, loader C:\ltb6yatm\bin\WBIUjUol.exe 2026-04-16 22:45:03,063 [root] DEBUG: Loader: Injecting process 644 with C:\ltb6yatm\dll\rXJCncX.dll. 2026-04-16 22:45:05,531 [root] DEBUG: 644: Python path set to 'C:\Python310'. 2026-04-16 22:45:05,547 [root] DEBUG: 644: Disabling sleep skipping. 2026-04-16 22:45:05,547 [root] DEBUG: 644: TLS secret dump mode enabled. 2026-04-16 22:45:06,766 [root] DEBUG: 644: Yara error: Scanning timed out 2026-04-16 22:45:06,766 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABC70000, thread 5740, image base 0x00007FF7C23E0000, stack from 0x0000008E4C471000-0x0000008E4C480000 2026-04-16 22:45:06,781 [root] DEBUG: 644: Commandline: C:\Windows\system32\lsass.exe 2026-04-16 22:45:06,812 [root] DEBUG: 644: Hooked 5 out of 5 functions 2026-04-16 22:45:06,828 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2026-04-16 22:45:06,828 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\rXJCncX.dll. 2026-04-16 22:45:06,844 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe> 2026-04-16 22:45:06,844 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump 2026-04-16 22:45:08,547 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\OHjuCIJf\tlsdump\tlsdump.log 2026-04-16 22:46:01,875 [root] INFO: Restarting WMI Service 2026-04-16 22:46:04,000 [root] DEBUG: package modules.packages.dll does not support configure, ignoring 2026-04-16 22:46:04,000 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages' 2026-04-16 22:46:04,125 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation 2026-04-16 22:46:04,641 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll",#1" with pid 1568 2026-04-16 22:46:04,641 [lib.api.process] INFO: Monitor config for <Process 1568 rundll32.exe>: C:\ltb6yatm\dll\1568.ini 2026-04-16 22:46:04,656 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\iyMbcod.dll, loader C:\ltb6yatm\bin\QSOiFni.exe 2026-04-16 22:46:05,062 [root] DEBUG: Loader: Injecting process 1568 (thread 732) with C:\ltb6yatm\dll\iyMbcod.dll. 2026-04-16 22:46:05,167 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2026-04-16 22:46:05,167 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\iyMbcod.dll. 2026-04-16 22:46:05,177 [lib.api.process] INFO: Injected into 32-bit <Process 1568 rundll32.exe> 2026-04-16 22:46:07,253 [lib.api.process] INFO: Successfully resumed <Process 1568 rundll32.exe> 2026-04-16 22:46:09,567 [root] DEBUG: 1568: Python path set to 'C:\Python310'. 2026-04-16 22:46:09,722 [root] DEBUG: 1568: Disabling sleep skipping. 2026-04-16 22:46:09,722 [root] DEBUG: 1568: Dropped file limit defaulting to 100. 2026-04-16 22:46:09,769 [root] DEBUG: 1568: YaraInit: Compiled 44 rule files 2026-04-16 22:46:09,769 [root] DEBUG: 1568: YaraInit: Compiled rules saved to file C:\ltb6yatm\data\yara\capemon.yac 2026-04-16 22:46:09,769 [root] DEBUG: 1568: YaraScan: Scanning 0x00BC0000, size 0x136e8 2026-04-16 22:46:09,769 [root] DEBUG: 1568: Monitor initialised: 32-bit capemon loaded in process 1568 at 0x73ae0000, thread 732, image base 0xbc0000, stack from 0xa32000-0xa40000 2026-04-16 22:46:09,784 [root] DEBUG: 1568: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll",#1 2026-04-16 22:46:10,945 [root] DEBUG: 1568: Yara error: Scanning timed out 2026-04-16 22:46:10,976 [root] DEBUG: 1568: hook_api: Warning - CreateProcessA export address 0x76AE2D90 differs from GetProcAddress -> 0x73E422A0 (AcLayers.DLL::0xfd3922a0) 2026-04-16 22:46:10,976 [root] DEBUG: 1568: hook_api: Warning - CreateProcessW export address 0x76AC88E0 differs from GetProcAddress -> 0x73E424E0 (AcLayers.DLL::0xfd3924e0) 2026-04-16 22:46:10,976 [root] DEBUG: 1568: hook_api: Warning - WinExec export address 0x76B0CF20 differs from GetProcAddress -> 0x73E427A0 (AcLayers.DLL::0xfd3927a0) 2026-04-16 22:46:11,536 [root] WARNING: b'Unable to place hook on GetCommandLineA' 2026-04-16 22:46:11,536 [root] DEBUG: 1568: set_hooks: Unable to hook GetCommandLineA 2026-04-16 22:46:11,552 [root] WARNING: b'Unable to place hook on GetCommandLineW' 2026-04-16 22:46:11,552 [root] DEBUG: 1568: set_hooks: Unable to hook GetCommandLineW 2026-04-16 22:46:12,305 [root] DEBUG: 1568: Hooked 630 out of 632 functions 2026-04-16 22:46:12,327 [root] DEBUG: 1568: Syscall hook installed, syscall logging level 1 2026-04-16 22:46:12,343 [root] DEBUG: 1568: RestoreHeaders: Restored original import table. 2026-04-16 22:46:12,343 [root] INFO: Loaded monitor into process with pid 1568 2026-04-16 22:46:12,343 [root] DEBUG: 1568: caller_dispatch: Added region at 0x00BC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00BC5F1A, thread 732). 2026-04-16 22:46:12,343 [root] DEBUG: 1568: YaraScan: Scanning 0x00BC0000, size 0x136e8 2026-04-16 22:46:12,359 [root] DEBUG: 1568: ProcessImageBase: Main module image at 0x00BC0000 unmodified (entropy change 0.000000e+00) 2026-04-16 22:46:12,646 [root] DEBUG: 1568: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 732). 2026-04-16 22:46:12,662 [root] DEBUG: 1568: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping 2026-04-16 22:46:12,662 [root] DEBUG: 1568: Target DLL loaded at 0x05C10000: C:\Users\cape\AppData\Local\Temp\ClientPlugin (0xa000 bytes). 2026-04-16 22:46:12,678 [root] DEBUG: 1568: YaraScan: Scanning 0x05C10000, size 0x1f0 2026-04-16 22:46:14,946 [root] DEBUG: 1568: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 732). 2026-04-16 22:46:14,946 [root] DEBUG: 1568: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping 2026-04-16 22:46:15,349 [root] DEBUG: 1568: DLL loaded at 0x73A40000: C:\Windows\SYSTEM32\TextShaping (0x94000 bytes). 2026-04-16 22:46:15,948 [root] DEBUG: 1568: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes). 2026-04-16 22:46:16,026 [root] DEBUG: 1568: DLL loaded at 0x76BA0000: C:\Windows\System32\MSCTF (0xd4000 bytes). 2026-04-16 22:46:17,276 [root] DEBUG: 1568: set_hooks_by_export_directory: Hooked 0 out of 632 functions 2026-04-16 22:46:17,308 [root] DEBUG: 1568: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes). 2026-04-16 22:46:17,323 [root] DEBUG: 1568: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes). 2026-04-16 22:46:21,761 [root] DEBUG: 1568: DLL loaded at 0x74190000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes). 2026-04-16 22:46:21,776 [root] DEBUG: 1568: DLL loaded at 0x73660000: C:\Windows\System32\CoreMessaging (0x9b000 bytes). 2026-04-16 22:46:21,776 [root] DEBUG: 1568: DLL loaded at 0x73580000: C:\Windows\SYSTEM32\wintypes (0xdb000 bytes). 2026-04-16 22:46:21,776 [root] DEBUG: 1568: DLL loaded at 0x73700000: C:\Windows\System32\CoreUIComponents (0x27e000 bytes). 2026-04-16 22:46:21,776 [root] DEBUG: 1568: DLL loaded at 0x73980000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes). 2026-04-16 22:49:27,557 [root] INFO: Analysis timeout hit, terminating analysis 2026-04-16 22:49:27,557 [lib.api.process] INFO: Terminate event set for <Process 1568 rundll32.exe> 2026-04-16 22:49:27,557 [root] DEBUG: 1568: Terminate Event: Attempting to dump process 1568 2026-04-16 22:49:27,557 [root] DEBUG: 1568: VerifyCodeSection: Executable code does not match, 0x18f2 of 0x18f3 matching 2026-04-16 22:49:27,573 [root] DEBUG: 1568: DoProcessDump: Code modification detected, dumping Imagebase at 0x05C10000. 2026-04-16 22:49:27,573 [root] DEBUG: 1568: DumpImageInCurrentProcess: Attempting to dump virtual PE image. 2026-04-16 22:49:27,573 [root] DEBUG: 1568: DumpProcess: Instantiating PeParser with address: 0x05C10000. 2026-04-16 22:49:27,573 [root] DEBUG: 1568: DumpProcess: Module entry point VA is 0x05C138EE. 2026-04-16 22:49:27,589 [root] DEBUG: 1568: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05C14000, section 2 2026-04-16 22:49:27,589 [root] DEBUG: 1568: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05C18000, section 3 2026-04-16 22:49:27,885 [lib.common.results] INFO: Uploading file C:\OHjuCIJf\CAPE\1568_3628527491916442026 to procdump\9d7c7de83cb3527f377d51220f8a046ac9c72bce4389ade3d7d133b7a31ea3d3; Size is 7680; Max size: 100000000 2026-04-16 22:49:27,979 [root] DEBUG: 1568: DumpProcess: Module image dump success - dump size 0x1e00. 2026-04-16 22:49:27,995 [lib.api.process] INFO: Termination confirmed for <Process 1568 rundll32.exe> 2026-04-16 22:49:27,995 [root] INFO: Terminate event set for process 1568 2026-04-16 22:49:27,995 [root] INFO: Created shutdown mutex 2026-04-16 22:49:28,010 [root] DEBUG: 1568: Terminate Event: monitor shutdown complete for process 1568 2026-04-16 22:49:29,042 [root] INFO: Shutting down package 2026-04-16 22:49:29,058 [root] INFO: Stopping auxiliary modules 2026-04-16 22:49:29,058 [root] INFO: Stopping auxiliary module: Browser 2026-04-16 22:49:29,073 [root] INFO: Stopping auxiliary module: Human 2026-04-16 22:49:29,495 [root] INFO: Stopping auxiliary module: Screenshots 2026-04-16 22:49:30,182 [root] INFO: Finishing auxiliary modules 2026-04-16 22:49:30,182 [root] INFO: Shutting down pipe server and dumping dropped files 2026-04-16 22:49:30,182 [root] WARNING: Folder at path "C:\OHjuCIJf\debugger" does not exist, skipping 2026-04-16 22:49:30,182 [root] INFO: Uploading files at path "C:\OHjuCIJf\tlsdump" 2026-04-16 22:49:30,182 [lib.common.results] INFO: Uploading file C:\OHjuCIJf\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 17536; Max size: 100000000 2026-04-16 22:49:30,213 [root] INFO: Analysis completed
Process Log
Pre-Script Log
During-Script Log
Machine Information
| Name | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| win10x64 | win10x64 | KVM | 2026-04-16 22:43:33 | 2026-04-16 22:49:39 |
File Details
Show Parent FileParent File Info
| File Name |
ClientPlugin.dll
|
|---|---|
| File Type | PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| File Size | 19968 bytes |
| MD5 | bdc8945f1d799c845408522e372d1dbd |
| SHA1 | 874b7c3c97cc5b13b9dd172fec5a54bc1f258005 |
| SHA256 | 61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403 VT MWDB Bazaar |
| SHA3-384 | 34e76812c5bbcc4e39114f9560b049a9e8ac0f74800b55f33641134edf5dfb32ff8a420a55be3ca4c294e8d1f69db255 |
| CRC32 | BE3B83AB |
| TLSH | T1CA924D1362CE7DE6E5B916303B3387C1C72DDE041653DA2E16D87629E97E2833A523D8 |
| Ssdeep | 192:VYLQui6h6p5WW3tZVTnlYJL/eLYLTr2/C8:VYLQu/6/fKqLYLTR |
| Yara |
|
Strings
System.CodeDom.Compiler
get_ClientSettings
RestoreProtection
mscoree.dll
EntryExists
params
Assembly Version
ClientPlugin.dll
SendToServer
RebuildHostCache
m_Context
KeyValuePair`2
GetObjectValue
set_Value
TargetMethod
My.Application
1.2.0.0
NanoCore.My
IDATx
Microsoft.VisualBasic.CompilerServices
InternalName
message
System
#Blob
_CorDllMain
System.Diagnostics
MulticastDelegate
ClientPlugin
ComVisibleAttribute
MyApplication
IClientNameObjectCollection
MyGroupCollectionAttribute
EditorBrowsableAttribute
pipeName
AddHostEntry
ParamArrayAttribute
MyComputer
BeginInvoke
.ctor
MyProject
compress
ThreadSafeObjectProvider`1
LogClientException
ConnectionStateChanged
DebuggerHiddenAttribute
System.ComponentModel
ToString
DelegateCallback
instance
wwwwwwwwwwwwww
VarFileInfo
LegalCopyright
My.Computer
get_Connected
GetEntries
AsyncCallback
MyTemplate
m_AppObjectProvider
Restart
System.Runtime.CompilerServices
<Module>
GetInstance
Uninstall
get_GetInstance
Equals
IAsyncResult
wwwwww
ClientSettingChanged
EndInvoke
My.User
FileVersion
ClientInvokeDelegate
ContextValue`1
SetValue
IClientNetwork
get_WebServices
PipeCreated
`.rsrc
.text
AssemblyFileVersionAttribute
WebServices
Invoke
StringFileInfo
LogClientMessage
GuidAttribute
NanoCore
AssemblyTrademarkAttribute
DelegateAsyncState
v2.0.50727
ProductVersion
#Strings
System.Collections.Generic
System.ComponentModel.Design
Microsoft.VisualBasic
AssemblyProductAttribute
ClientSettings
FileDescription
@.reloc
ConnectionFailed
IClientUIHost
$d6e3c4d8-8560-4021-a765-fad7362f3388
VariableChanged
MyWebServices
!This program cannot be run in DOS mode.
ClosePipe
My.WebServices
Variables
IClientLoggingHost
GetHashCode
IClientNetworkHost
TargetObject
AssemblyCompanyAttribute
BuildingHostCache
GetValue
m_UserObjectProvider
Connected
IClientApp
RuntimeCompatibilityAttribute
Dispose__Instance__
8.0.0.0
CompilationRelaxationsAttribute
get_Application
IClientData
Activator
000004b0
PipeExists
state
PluginUninstalling
Application
Translation
mscorlib
OriginalFilename
RuntimeHelpers
RemoveValue
IClientReadOnlyNameObjectCollection
get_User
CreateInstance
IClientAppHost
HideModuleNameAttribute
connected
ReadPacket
System.Runtime.InteropServices
value
VS_VERSION_INFO
HelpKeywordAttribute
get_Variables
Create__Instance__
Computer
Disconnect
Exception
AssemblyTitleAttribute
defaultValue
ApplicationBase
#GUID
ClientUninstalling
AssemblyDescriptionAttribute
NanoCore.ClientPlugin
IClientDataHost
Object
get_BuilderSettings
method
System.Reflection
AssemblyCopyrightAttribute
DisableProtection
get_Value
Microsoft.VisualBasic.Devices
4System.Web.Services.Protocols.SoapHttpClientProtocol
m_MyWebServicesObjectProvider
m_ComputerObjectProvider
BuilderSettings
GeneratedCodeAttribute
NanoCore.ClientPluginHost
Shutdown
DelegateAsyncResult
RuntimeTypeHandle
WrapNonExceptionThrows
get_Computer
.cctor
GetType
StandardModuleAttribute
GetTypeFromHandle
PipeClosed
EditorBrowsableState
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.MyServices.Internal
PE Information
Image Base
0x00400000
Entry Point
0x000038ee
Min OS
4.0
Compile Time
2014-11-23 01:09:01
Import Hash
dae02f32a21e03ce65412f6e56942daa
Icon Hash
f66c7c86e9ab59ef3f289acd613a3738
| Translation | 0x0000 0x04b0 |
|---|---|
| FileDescription | |
| FileVersion | 1.2.0.0 |
| InternalName | ClientPlugin.dll |
| LegalCopyright | |
| OriginalFilename | ClientPlugin.dll |
| ProductVersion | 1.2.0.0 |
| Assembly Version | 1.2.0.0 |
| Name | RAW Addr | Virt Addr | Virt Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000200 | 0x00002000 | 0x000018f4 | 0x00001a00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.26 |
| .rsrc | 0x00001c00 | 0x00004000 | 0x00002f58 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.31 |
| .reloc | 0x00004c00 | 0x00008000 | 0x0000000c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 0.08 |
| Name | Offset | Size | Language | Entropy | Type |
|---|---|---|---|---|---|
| RT_ICON | 0x00004468 | 0x000002e8 | LANG_NEUTRAL | 1.71 | None |
| RT_ICON | 0x00004750 | 0x00000128 | LANG_NEUTRAL | 2.08 | None |
| RT_ICON | 0x00004878 | 0x000008a8 | LANG_NEUTRAL | 1.72 | None |
| RT_ICON | 0x00005120 | 0x00000568 | LANG_NEUTRAL | 1.05 | None |
| RT_ICON | 0x00005688 | 0x00000353 | LANG_NEUTRAL | 4.05 | None |
| RT_ICON | 0x000059e0 | 0x000010a8 | LANG_NEUTRAL | 2.72 | None |
| RT_ICON | 0x00006a88 | 0x00000468 | LANG_NEUTRAL | 2.76 | None |
| RT_GROUP_ICON | 0x00006ef0 | 0x00000068 | LANG_NEUTRAL | 2.69 | None |
| RT_VERSION | 0x00004208 | 0x0000025c | LANG_NEUTRAL | 3.23 | None |
| Address | Name |
|---|---|
| 0x402000 | _CorDllMain |
Processing 26.80s
- 11.136s Suricata
- 10.221s NetworkAnalysis
- 5.361s CAPE
- 0.065s AnalysisInfo
- 0.017s BehaviorAnalysis
- 0.002s Debug
Signatures 0.08s
- 0.008s network_dns_url_shortener
- 0.006s suspicious_tld
- 0.006s ransomware_files
- 0.005s antiav_detectreg
- 0.004s network_cnc_http
- 0.004s antiav_detectfile
- 0.004s ransomware_extensions_known
- 0.003s network_dyndns
- 0.003s infostealer_ftp
- 0.002s network_http
- 0.002s antianalysis_detectfile
- 0.002s antivm_vbox_files
- 0.002s infostealer_bitcoin
- 0.002s infostealer_im
- 0.002s infostealer_mail
- 0.002s masquerade_process_name
- 0.002s territorial_disputes_sigs
- 0.001s network_open_proxy
- 0.001s network_torgateway
- 0.001s antianalysis_detectreg
- 0.001s antidebug_devices
- 0.001s antivm_vbox_keys
- 0.001s geodo_banking_trojan
- 0.001s browser_security
- 0.001s disables_backups
- 0.001s disables_browser_warn
- 0.001s disables_power_options
- 0.001s azorult_mutexes
- 0.001s echelon_files
- 0.001s poullight_files
- 0.001s qulab_files
- 0.001s network_dns_opennic
- 0.001s network_dns_paste_site
- 0.001s network_dns_temp_file_storage
- 0.001s revil_mutexes
- 0.001s ursnif_behavior
Reporting 0.00s
- 0.001s JsonDump
Signatures
Network activity detected but not expressed in monitor API logs
ip: 20.93.72.182
ip: 46.149.110.67
ip: 72.154.7.16
ip: 72.154.7.108
ip: 72.154.7.100
ip: 72.154.7.105
ip: 72.154.7.102
ip: 72.154.7.98
ip: 72.154.7.101
ip: 72.154.7.107
ip: 72.154.7.109
ip: 20.165.94.54
ip: 13.107.6.156
ip: 84.47.178.41
ip: 150.171.27.11
ip: 173.194.73.94
ip: 84.47.178.49
ip: 52.123.242.97
ip: 40.126.53.14
ip: 20.42.65.93
ip: 4.207.247.139
ip: 84.47.178.56
ip: 20.189.173.2
domain: i.pki.goog
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com
suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984406&P2=404&P3=2&P4=WQc6A4LAYc7walY%2fNjZu6hBzJ19RMgcc%2foz0E1v%2bBwY9F2pYAOS3WPepVN4pAj46d1Lal9ss1LJwi2V%2fiY%2ba0Q%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
Performs some HTTP requests
url: http://i.pki.goog/gsr1.crt
url: http://i.pki.goog/r4.crt
url: http://i.pki.goog/we2.crt
url: http://i.pki.goog/gsr4.crt
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984406&P2=404&P3=2&P4=WQc6A4LAYc7walY%2fNjZu6hBzJ19RMgcc%2foz0E1v%2bBwY9F2pYAOS3WPepVN4pAj46d1Lal9ss1LJwi2V%2fiY%2ba0Q%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
Binary file triggered multiple YARA rules
Binary triggered YARA rule: DITEKSHEN_MALWARE_Win_Nanocore
Binary triggered YARA rule: Windows_Trojan_Nanocore_d8c4e3c5
Binary triggered YARA rule: Nanocore_RAT_Gen_2
Binary triggered YARA rule: NETDLLMicrosoft
Binary triggered YARA rule: IsPE32
Binary triggered YARA rule: IsNET_DLL
Binary triggered YARA rule: IsDLL
Binary triggered YARA rule: IsWindowsGUI
Binary triggered YARA rule: Microsoft_Visual_Studio_NET
Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET_additional
Binary triggered YARA rule: Microsoft_Visual_C_Basic_NET
Binary triggered YARA rule: Microsoft_Visual_Studio_NET_additional
Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET
Binary triggered YARA rule: NET_executable_
Binary triggered YARA rule: NET_executable
Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984406&P2=404&P3=2&P4=WQc6A4LAYc7walY%2fNjZu6hBzJ19RMgcc%2foz0E1v%2bBwY9F2pYAOS3WPepVN4pAj46d1Lal9ss1LJwi2V%2fiY%2ba0Q%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984406&P2=404&P3=2&P4=WQc6A4LAYc7walY%2fNjZu6hBzJ19RMgcc%2foz0E1v%2bBwY9F2pYAOS3WPepVN4pAj46d1Lal9ss1LJwi2V%2fiY%2ba0Q%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984406&P2=404&P3=2&P4=WQc6A4LAYc7walY%2fNjZu6hBzJ19RMgcc%2foz0E1v%2bBwY9F2pYAOS3WPepVN4pAj46d1Lal9ss1LJwi2V%2fiY%2ba0Q%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 1568 triggered the Yara rule 'DITEKSHEN_MALWARE_Win_Nanocore' with data '['NanoCore.ClientPlugin', 'NanoCore.ClientPluginHost', 'IClientApp', 'IClientData', 'IClientNetwork', 'IClientAppHost', 'IClientDataHost', 'IClientLoggingHost', 'IClientNetworkHost', 'IClientUIHost', 'IClientNameObjectCollection', 'IClientReadOnlyNameObjectCollection', 'ClientPlugin', 'get_ClientSettings', 'get_Connected']'
Hit: PID 1568 triggered the Yara rule 'Windows_Trojan_Nanocore_d8c4e3c5' with data '['NanoCore.ClientPluginHost', 'NanoCore.ClientPlugin', 'get_BuilderSettings', 'IClientAppHost', 'AddHostEntry', 'LogClientException', 'PipeExists', 'IClientLoggingHost']'
Hit: PID 1568 triggered the Yara rule 'Nanocore_RAT_Gen_2' with data '['NanoCore.ClientPluginHost', 'IClientNetworkHost']'
Hit: PID 1568 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'
Hit: PID 1568 triggered the Yara rule 'IsPE32' with data '[]'
Hit: PID 1568 triggered the Yara rule 'IsNET_DLL' with data '[]'
Hit: PID 1568 triggered the Yara rule 'IsDLL' with data '[]'
Hit: PID 1568 triggered the Yara rule 'IsWindowsGUI' with data '[]'
Hit: PID 1568 triggered the Yara rule 'Microsoft_Visual_Studio_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 1568 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 1568 triggered the Yara rule 'Microsoft_Visual_C_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 1568 triggered the Yara rule 'Microsoft_Visual_Studio_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 1568 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 1568 triggered the Yara rule 'NET_executable_' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 1568 triggered the Yara rule 'NET_executable' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Screenshots
Hosts
| Direct | IP | Country Name | ASN |
|---|---|---|---|
| Y | 20.93.72.182 [VT] | unknown | |
| Y | 46.149.110.67 [VT] | unknown | |
| Y | 72.154.7.16 [VT] | unknown | |
| Y | 72.154.7.108 [VT] | unknown | |
| Y | 72.154.7.100 [VT] | unknown | |
| Y | 72.154.7.105 [VT] | unknown | |
| Y | 72.154.7.102 [VT] | unknown | |
| Y | 72.154.7.98 [VT] | unknown | |
| Y | 72.154.7.101 [VT] | unknown | |
| Y | 72.154.7.107 [VT] | unknown | |
| Y | 72.154.7.109 [VT] | unknown | |
| Y | 20.165.94.54 [VT] | unknown | |
| Y | 13.107.6.156 [VT] | unknown | |
| Y | 84.47.178.41 [VT] | unknown | |
| Y | 150.171.27.11 [VT] | unknown | |
| N | 173.194.73.94 [VT] | unknown | |
| Y | 84.47.178.49 [VT] | unknown | |
| Y | 52.123.242.97 [VT] | unknown | |
| Y | 40.126.53.14 [VT] | unknown | |
| Y | 20.42.65.93 [VT] | unknown | |
| Y | 4.207.247.139 [VT] | unknown | |
| Y | 84.47.178.56 [VT] | unknown | |
| Y | 20.189.173.2 [VT] | unknown |
Summary
- C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll.manifest
- C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll
- C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll.123.Manifest
- C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll.124.Manifest
- C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\rundll32.exe.mui
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest
No results found.
No behavioral analysis data available.
Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
No dropped files found.
Sorry! No process dumps.