Analysis Details
| Category | Package | Started | Completed | Duration | Logs | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| FILE | dll | 2026-04-16 22:52:52 | 2026-04-16 22:58:10 | 318s |
|
|||||
| Reports | JSON | |||||||||
Analysis Log
2026-03-05 20:34:43,241 [root] INFO: Date set to: 20260416T22:53:20, timeout set to: 200 2026-04-16 22:53:20,344 [root] DEBUG: Starting analyzer from: C:\ltb6yatm 2026-04-16 22:53:20,422 [root] DEBUG: Storing results at: C:\ErkGjXZSW 2026-04-16 22:53:20,453 [root] DEBUG: Pipe server name: \\.\PIPE\pyNDmeTCC 2026-04-16 22:53:20,469 [root] DEBUG: Python path: C:\Python310 2026-04-16 22:53:20,469 [root] INFO: analysis running as an admin 2026-04-16 22:53:20,484 [root] INFO: analysis package specified: "dll" 2026-04-16 22:53:20,484 [root] DEBUG: importing analysis package module: "modules.packages.dll"... 2026-04-16 22:53:20,500 [root] DEBUG: imported analysis package "dll" 2026-04-16 22:53:20,500 [root] DEBUG: initializing analysis package "dll"... 2026-04-16 22:53:20,500 [lib.common.common] INFO: wrapping 2026-04-16 22:53:20,718 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation 2026-04-16 22:53:20,734 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\ServerPlugin.dll 2026-04-16 22:53:20,734 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option 2026-04-16 22:53:20,734 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option 2026-04-16 22:53:20,734 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option 2026-04-16 22:53:20,734 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option 2026-04-16 22:53:20,906 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2026-04-16 22:53:21,562 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2026-04-16 22:53:21,625 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2026-04-16 22:53:21,640 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2026-04-16 22:53:21,703 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2026-04-16 22:53:21,718 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab' 2026-04-16 22:53:21,922 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw' 2026-04-16 22:53:23,453 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance 2026-04-16 22:53:23,453 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2026-04-16 22:53:23,469 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2026-04-16 22:53:23,469 [root] DEBUG: Initialized auxiliary module "Browser" 2026-04-16 22:53:23,469 [root] DEBUG: attempting to configure 'Browser' from data 2026-04-16 22:53:23,469 [root] DEBUG: module Browser does not support data configuration, ignoring 2026-04-16 22:53:23,469 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2026-04-16 22:53:23,469 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2026-04-16 22:53:23,469 [root] DEBUG: Initialized auxiliary module "DigiSig" 2026-04-16 22:53:23,469 [root] DEBUG: attempting to configure 'DigiSig' from data 2026-04-16 22:53:23,484 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2026-04-16 22:53:23,484 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2026-04-16 22:53:23,484 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2026-04-16 22:54:19,859 [modules.auxiliary.digisig] DEBUG: File is not signed 2026-04-16 22:54:19,875 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2026-04-16 22:54:19,875 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2026-04-16 22:54:19,875 [root] DEBUG: Initialized auxiliary module "Disguise" 2026-04-16 22:54:19,875 [root] DEBUG: attempting to configure 'Disguise' from data 2026-04-16 22:54:19,890 [root] DEBUG: module Disguise does not support data configuration, ignoring 2026-04-16 22:54:19,890 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2026-04-16 22:54:19,953 [modules.auxiliary.disguise] INFO: Disguising GUID to 3edd1f36-5c52-4bb2-8439-a3ed6ce40e23 2026-04-16 22:54:19,953 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2026-04-16 22:54:19,969 [root] DEBUG: Initialized auxiliary module "Human" 2026-04-16 22:54:19,969 [root] DEBUG: attempting to configure 'Human' from data 2026-04-16 22:54:19,969 [root] DEBUG: module Human does not support data configuration, ignoring 2026-04-16 22:54:19,969 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2026-04-16 22:54:19,969 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2026-04-16 22:54:19,969 [root] DEBUG: Initialized auxiliary module "Screenshots" 2026-04-16 22:54:19,984 [root] DEBUG: attempting to configure 'Screenshots' from data 2026-04-16 22:54:19,984 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2026-04-16 22:54:19,984 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2026-04-16 22:54:20,000 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2026-04-16 22:54:20,000 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2026-04-16 22:54:20,078 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2026-04-16 22:54:20,078 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2026-04-16 22:54:20,078 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2026-04-16 22:54:20,093 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644 2026-04-16 22:54:20,250 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\ltb6yatm\dll\644.ini 2026-04-16 22:54:20,250 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2026-04-16 22:54:20,281 [lib.api.process] INFO: 64-bit DLL to inject is C:\ltb6yatm\dll\vlsdJF.dll, loader C:\ltb6yatm\bin\xwjOEbSl.exe 2026-04-16 22:54:20,609 [root] DEBUG: Loader: Injecting process 644 with C:\ltb6yatm\dll\vlsdJF.dll. 2026-04-16 22:54:21,515 [root] DEBUG: 644: Python path set to 'C:\Python310'. 2026-04-16 22:54:21,593 [root] DEBUG: 644: Disabling sleep skipping. 2026-04-16 22:54:21,593 [root] DEBUG: 644: TLS secret dump mode enabled. 2026-04-16 22:54:22,344 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500 2026-04-16 22:54:22,359 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABB00000, thread 6084, image base 0x00007FF7C23E0000, stack from 0x0000008E4C9F2000-0x0000008E4CA00000 2026-04-16 22:54:22,359 [root] DEBUG: 644: Commandline: C:\Windows\system32\lsass.exe 2026-04-16 22:54:22,406 [root] DEBUG: 644: Hooked 5 out of 5 functions 2026-04-16 22:54:22,406 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2026-04-16 22:54:22,406 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\vlsdJF.dll. 2026-04-16 22:54:22,406 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe> 2026-04-16 22:54:22,406 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump 2026-04-16 22:54:22,547 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\ErkGjXZSW\tlsdump\tlsdump.log 2026-04-16 22:54:31,172 [root] INFO: Restarting WMI Service 2026-04-16 22:54:31,281 [root] DEBUG: package modules.packages.dll does not support configure, ignoring 2026-04-16 22:54:31,281 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages' 2026-04-16 22:54:31,281 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation 2026-04-16 22:54:31,297 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\cape\AppData\Local\Temp\ServerPlugin.dll",#1" with pid 4344 2026-04-16 22:54:31,297 [lib.api.process] INFO: Monitor config for <Process 4344 rundll32.exe>: C:\ltb6yatm\dll\4344.ini 2026-04-16 22:54:31,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\ltb6yatm\dll\bNmKpkjG.dll, loader C:\ltb6yatm\bin\NvwgoPM.exe 2026-04-16 22:54:31,687 [root] DEBUG: Loader: Injecting process 4344 (thread 6616) with C:\ltb6yatm\dll\bNmKpkjG.dll. 2026-04-16 22:54:31,828 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2026-04-16 22:54:31,843 [root] DEBUG: Successfully injected DLL C:\ltb6yatm\dll\bNmKpkjG.dll. 2026-04-16 22:54:31,843 [lib.api.process] INFO: Injected into 32-bit <Process 4344 rundll32.exe> 2026-04-16 22:54:33,875 [lib.api.process] INFO: Successfully resumed <Process 4344 rundll32.exe> 2026-04-16 22:54:36,203 [root] DEBUG: 4344: Python path set to 'C:\Python310'. 2026-04-16 22:54:36,203 [root] DEBUG: 4344: Disabling sleep skipping. 2026-04-16 22:54:36,218 [root] DEBUG: 4344: Dropped file limit defaulting to 100. 2026-04-16 22:54:36,484 [root] DEBUG: 4344: YaraInit: Compiled 44 rule files 2026-04-16 22:54:36,484 [root] DEBUG: 4344: YaraInit: Compiled rules saved to file C:\ltb6yatm\data\yara\capemon.yac 2026-04-16 22:54:36,484 [root] DEBUG: 4344: YaraScan: Scanning 0x001A0000, size 0x136e8 2026-04-16 22:54:36,500 [root] DEBUG: 4344: Monitor initialised: 32-bit capemon loaded in process 4344 at 0x73b90000, thread 6616, image base 0x1a0000, stack from 0x2762000-0x2770000 2026-04-16 22:54:36,500 [root] DEBUG: 4344: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\cape\AppData\Local\Temp\ServerPlugin.dll",#1 2026-04-16 22:54:36,687 [root] DEBUG: 4344: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress 2026-04-16 22:54:36,687 [root] DEBUG: 4344: hook_api: Warning - CreateProcessA export address 0x76AE2D90 differs from GetProcAddress -> 0x73EF22A0 (AcLayers.DLL::0xfd4422a0) 2026-04-16 22:54:36,687 [root] DEBUG: 4344: hook_api: Warning - CreateProcessW export address 0x76AC88E0 differs from GetProcAddress -> 0x73EF24E0 (AcLayers.DLL::0xfd4424e0) 2026-04-16 22:54:36,703 [root] DEBUG: 4344: hook_api: Warning - WinExec export address 0x76B0CF20 differs from GetProcAddress -> 0x73EF27A0 (AcLayers.DLL::0xfd4427a0) 2026-04-16 22:54:36,828 [root] WARNING: b'Unable to place hook on GetCommandLineA' 2026-04-16 22:54:36,828 [root] DEBUG: 4344: set_hooks: Unable to hook GetCommandLineA 2026-04-16 22:54:36,843 [root] WARNING: b'Unable to place hook on GetCommandLineW' 2026-04-16 22:54:36,843 [root] DEBUG: 4344: set_hooks: Unable to hook GetCommandLineW 2026-04-16 22:54:36,906 [root] DEBUG: 4344: Hooked 630 out of 632 functions 2026-04-16 22:54:36,906 [root] DEBUG: 4344: Syscall hook installed, syscall logging level 1 2026-04-16 22:54:36,922 [root] DEBUG: 4344: RestoreHeaders: Restored original import table. 2026-04-16 22:54:36,922 [root] INFO: Loaded monitor into process with pid 4344 2026-04-16 22:54:36,937 [root] DEBUG: 4344: caller_dispatch: Added region at 0x001A0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x001A5F1A, thread 6616). 2026-04-16 22:54:36,937 [root] DEBUG: 4344: YaraScan: Scanning 0x001A0000, size 0x136e8 2026-04-16 22:54:36,937 [root] DEBUG: 4344: ProcessImageBase: Main module image at 0x001A0000 unmodified (entropy change 0.000000e+00) 2026-04-16 22:54:37,297 [root] DEBUG: 4344: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 6616). 2026-04-16 22:54:37,312 [root] DEBUG: 4344: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping 2026-04-16 22:54:37,312 [root] DEBUG: 4344: Target DLL loaded at 0x05B20000: C:\Users\cape\AppData\Local\Temp\ServerPlugin (0xc000 bytes). 2026-04-16 22:54:37,312 [root] DEBUG: 4344: YaraScan: Scanning 0x05B20000, size 0x1f0 2026-04-16 22:54:37,531 [root] DEBUG: 4344: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 6616). 2026-04-16 22:54:37,531 [root] DEBUG: 4344: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping 2026-04-16 22:54:38,610 [root] DEBUG: 4344: DLL loaded at 0x73AF0000: C:\Windows\SYSTEM32\TextShaping (0x94000 bytes). 2026-04-16 22:54:39,781 [root] DEBUG: 4344: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes). 2026-04-16 22:54:40,109 [root] DEBUG: 4344: DLL loaded at 0x76BA0000: C:\Windows\System32\MSCTF (0xd4000 bytes). 2026-04-16 22:54:41,453 [root] DEBUG: 4344: set_hooks_by_export_directory: Hooked 0 out of 632 functions 2026-04-16 22:54:41,468 [root] DEBUG: 4344: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes). 2026-04-16 22:54:41,468 [root] DEBUG: 4344: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes). 2026-04-16 22:55:23,406 [root] DEBUG: 4344: DLL loaded at 0x74190000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes). 2026-04-16 22:55:23,406 [root] DEBUG: 4344: DLL loaded at 0x73710000: C:\Windows\System32\CoreMessaging (0x9b000 bytes). 2026-04-16 22:55:23,422 [root] DEBUG: 4344: DLL loaded at 0x73630000: C:\Windows\SYSTEM32\wintypes (0xdb000 bytes). 2026-04-16 22:55:23,437 [root] DEBUG: 4344: DLL loaded at 0x737B0000: C:\Windows\System32\CoreUIComponents (0x27e000 bytes). 2026-04-16 22:55:23,437 [root] DEBUG: 4344: DLL loaded at 0x73A30000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes). 2026-04-16 22:57:54,825 [root] INFO: Analysis timeout hit, terminating analysis 2026-04-16 22:57:54,825 [lib.api.process] INFO: Terminate event set for <Process 4344 rundll32.exe> 2026-04-16 22:57:54,825 [root] DEBUG: 4344: Terminate Event: Attempting to dump process 4344 2026-04-16 22:57:54,825 [root] DEBUG: 4344: VerifyCodeSection: Executable code does not match, 0x3d42 of 0x3d43 matching 2026-04-16 22:57:54,841 [root] DEBUG: 4344: DoProcessDump: Code modification detected, dumping Imagebase at 0x05B20000. 2026-04-16 22:57:54,841 [root] DEBUG: 4344: DumpImageInCurrentProcess: Attempting to dump virtual PE image. 2026-04-16 22:57:54,841 [root] DEBUG: 4344: DumpProcess: Instantiating PeParser with address: 0x05B20000. 2026-04-16 22:57:54,856 [root] DEBUG: 4344: DumpProcess: Module entry point VA is 0x05B25D3E. 2026-04-16 22:57:54,856 [root] DEBUG: 4344: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05B26000, section 2 2026-04-16 22:57:54,872 [root] DEBUG: 4344: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x05B2A000, section 3 2026-04-16 22:57:55,200 [lib.common.results] INFO: Uploading file C:\ErkGjXZSW\CAPE\4344_820055571916442026 to procdump\c2800550f928a910a9337cd2013e97a03b2da584b8522843804197fc2aa23634; Size is 16896; Max size: 100000000 2026-04-16 22:57:55,200 [root] DEBUG: 4344: DumpProcess: Module image dump success - dump size 0x4200. 2026-04-16 22:57:55,215 [lib.api.process] INFO: Termination confirmed for <Process 4344 rundll32.exe> 2026-04-16 22:57:55,215 [root] INFO: Terminate event set for process 4344 2026-04-16 22:57:55,215 [root] INFO: Created shutdown mutex 2026-04-16 22:57:55,215 [root] DEBUG: 4344: Terminate Event: monitor shutdown complete for process 4344 2026-04-16 22:57:56,231 [root] INFO: Shutting down package 2026-04-16 22:57:56,231 [root] INFO: Stopping auxiliary modules 2026-04-16 22:57:56,231 [root] INFO: Stopping auxiliary module: Browser 2026-04-16 22:57:56,231 [root] INFO: Stopping auxiliary module: Human 2026-04-16 22:57:58,090 [root] INFO: Stopping auxiliary module: Screenshots 2026-04-16 22:57:58,872 [root] INFO: Finishing auxiliary modules 2026-04-16 22:57:58,872 [root] INFO: Shutting down pipe server and dumping dropped files 2026-04-16 22:57:58,872 [root] WARNING: Folder at path "C:\ErkGjXZSW\debugger" does not exist, skipping 2026-04-16 22:57:58,872 [root] INFO: Uploading files at path "C:\ErkGjXZSW\tlsdump" 2026-04-16 22:57:58,887 [lib.common.results] INFO: Uploading file C:\ErkGjXZSW\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 18358; Max size: 100000000 2026-04-16 22:57:58,903 [root] INFO: Analysis completed
Process Log
Pre-Script Log
During-Script Log
Machine Information
| Name | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| win10x64 | win10x64 | KVM | 2026-04-16 22:52:52 | 2026-04-16 22:58:09 |
File Details
Show Parent FileParent File Info
| File Name |
ServerPlugin.dll
|
|---|---|
| File Type | PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| File Size | 29184 bytes |
| MD5 | 952c62ec830c63380beb72ad923d35dc |
| SHA1 | 6700baa1fb1877129e79402dfe237f0b84221b69 |
| SHA256 | 2e5fbfb7932b117a2f6093dc346cdee4a5702e39739d9c40d27bfd1580f6f0d7 VT MWDB Bazaar |
| SHA3-384 | 47b8fbed3e0be8948398ab60d955f7056567cd9c06fa8b2b74ba771fb012d380adfc8a211d6bad188d51db80a168fa46 |
| CRC32 | 55FCF2F0 |
| TLSH | T159D2A31B96CE7EE9D9B816743B7347C1D768CE005643DA2E55C83129E9BE2433A833D8 |
| Ssdeep | 384:7LmAEURVWGSCyo6/NLoqwXEsZmLTdFuoKy:vm1izOlg0ZKy |
| Yara |
Strings
target
clients
mscoree.dll
IServerFileTransferHost
IServerDataHost
Connections
ClickedCallback
m_Context
EndPoint
set_Value
1.2.0.0
BytesPerSecond
Priority
message
_AllowGrouping
_CorDllMain
#Blob
EnableListener
duration
Canceled
CancelFileTransfer
BeginInvoke
set_UserControl
CreateClientPipe
_StateChangedCallback
set_StateChangedCallback
CheckState
VarFileInfo
transfer
IServerFileTransfer
System.Runtime.CompilerServices
ApplyTheme
set_Name
IAsyncResult
EscapeSQLQuery
EndInvoke
wwwwww
Queued
set_GetCheckStateCallback
.text
ApplicationIcon
get_Icon
GuidAttribute
NanoCore
get_Width
AssemblyTrademarkAttribute
DelegateAsyncState
ProductVersion
FileDescription
@.reloc
DisconnectClient
FocusClient
actions
listener
PortNumber
get_ThemeSettings
8.0.0.0
000004b0
_CategoryName
get_Connections
Translation
mscorlib
RuntimeHelpers
set_Locked
FileName
HideModuleNameAttribute
PreBuild
connected
GetClients
IServerDatabaseHost
Binding
Incoming
background
get_FileName
Exception
index
TimeSpan
get_BytesPerSecond
FileSize
#GUID
ColumnEntry
AssemblyDescriptionAttribute
categoryName
Microsoft.VisualBasic.Devices
BuilderSettings
m_ComputerObjectProvider
StandardModuleAttribute
GetTypeFromHandle
get_State
set_CategoryName
System.Net
_UserControl
Disabled
EntryExists
checked
IServerNetworkHost
TableExists
Microsoft.VisualBasic.CompilerServices
Paused
AutoPropertyValue
_Callback
System
Cancel
Activate
AllowGrouping
Selected
MyApplication
MyGroupCollectionAttribute
NanoCore.ServerPlugin
ParamArrayAttribute
TabStateChangedDelegate
get_TimeRemaining
tableName
Status
IPEndPoint
compress
CategoryName
ThreadSafeObjectProvider`1
Close
IServerData
Medium
System.ComponentModel
ToString
DelegateCallback
instance
wwwwwwwwwwwwww
LegalCopyright
GetInstance
Completed
FileTransferStatus
CompilerGeneratedAttribute
Equals
get_GetCheckStateCallback
ContextValue`1
SetValue
get_Children
TabEntry
WebServices
logColor
v2.0.50727
#Strings
System.Collections.Generic
IServerApp
ThemeSettings
get_FileSize
query
UploadFile
ClientStateChanged
client
!This program cannot be run in DOS mode.
set_State
TargetObject
GetValue
IServerReadOnlyNameObjectCollection
ExecuteNonQuery
value__
Value
RuntimeCompatibilityAttribute
CompilationRelaxationsAttribute
Deselected
LogBuilderException
param
state
PluginUninstalling
ExecuteQuery
_GetCheckStateCallback
FocusTab
get_User
CreateInstance
ServerPlugin
TabState
NotificationAction
BuilderSettingChanged
NextResultSet
get_AllowGrouping
CancelReason
ListenerFailed
System.Windows.Forms
Active
SettingEntry
Callback
ListenerStateChanged
AddClientColumnEntry
HelpKeywordAttribute
NextRecord
SetClientColumnValue
PostBuild
defaultValue
System.Reflection
get_BuilderSettings
AddHint
get_Listeners
Direction
get_Name
LogServerException
DelegateAsyncResult
LogServerMessage
RuntimeTypeHandle
WrapNonExceptionThrows
GetType
Warning
get_PortNumber
EditorBrowsableState
Persistent
Microsoft.VisualBasic.MyServices.Internal
Removed
System.CodeDom.Compiler
get_Persistent
params
RemoveListener
Assembly Version
get_Direction
KeyValuePair`2
My.Application
ClientVariableChanged
NanoCore.My
IDATx
InternalName
State
set_Persistent
IServerUI
ExecuteScalar
MulticastDelegate
title
RestartFileTransfer
ComVisibleAttribute
clientFileName
GetFileTransfers
EditorBrowsableAttribute
ServerPlugin.dll
FileTransferStateChanged
pipeName
FindClient
get_BytesTransferred
get_UserControl
IServerNameObjectCollection
get_Id
EscapeSQLParam
DebuggerHiddenAttribute
_ClickedCallback
Error
5%7&:'<
GetEntries
MyTemplate
Outgoing
set_AllowGrouping
AddListener
StateChangedCallback
IServerBuildHost
Information
My.User
Listening
Control
_Icon
control
ListenerAdded
get_WebServices
ClientPipeClosed
Normal
FileTransferAdded
CreateDatabase
Invoke
System.ComponentModel.Design
get_EndPoint
Width
set_Width
contextEntry
get_ClickedCallback
Initializing
Background
FileTransferDirection
MyWebServices
My.WebServices
Variables
_Children
TimeRemaining
get_Background
AssemblyCompanyAttribute
Children
GetCheckStateCallback
m_UserObjectProvider
FindFileTransfer
Dispose__Instance__
set_Children
IFileTransfer
ClientFileName
Compile
DatabaseExists
IServerBuild
get_ServerSettings
ThemeChanged
Locked
get_Item
get_Status
get_Variables
get_Cancel
AssemblyTitleAttribute
ListenerStatus
fileName
AddWidgetEntry
get_ApplicationIcon
LogColor
m_MyWebServicesObjectProvider
GeneratedCodeAttribute
get_Computer
AddServerSettingEntry
AddContextEntry
DownloadFile
ISQLReader
Failed
ClientReadPacket
serverFileName
get_ServerFileName
ClientPipeCreated
GetObjectValue
UserControl
NotificationDelegate
TargetMethod
widgetEntry
ServerInvokeDelegate
ServerSettings
ContextEntry
tabEntry
System.Diagnostics
StartFileTransfer
set_Icon
MyComputer
.ctor
MyProject
get_CancelReason
set_ClickedCallback
AddTabEntry
My.Computer
AsyncCallback
m_AppObjectProvider
<Module>
get_GetInstance
FileVersion
IServerUIHost
get_Initializing
get_Locked
ShowToastNotification
set_Cancel
set_Priority
CloseClientPipe
`.rsrc
AssemblyFileVersionAttribute
imageName
StringFileInfo
set_CancelReason
get_Client
AssemblyProductAttribute
Microsoft.VisualBasic
IBuildEventArgs
NanoCore.ServerPluginHost
SendToClient
ListenerRemoved
AddBuilderSettingEntry
VariableChanged
get_Callback
GetHashCode
$8af4df77-9055-41ab-92ee-84a854449c8d
get_CategoryName
columnEntry
get_Application
settingEntry
Activator
Application
ContextClickedDelegate
FileTransferPriority
OriginalFilename
RemoveValue
IServerLoggingHost
set_Callback
System.Drawing
DisableListener
ContextGetCheckStateDelegate
get_ClientFileName
columnName
System.Runtime.InteropServices
ClientPipeExists
value
VS_VERSION_INFO
WidgetEntry
Create__Instance__
IServerNetwork
Computer
PauseFileTransfer
get_StateChangedCallback
ApplicationBase
LogBuilderMessage
BytesTransferred
_Name
Client
get_Priority
ServerSettingChanged
Object
AssemblyCopyrightAttribute
get_Value
IListener
4System.Web.Services.Protocols.SoapHttpClientProtocol
DeleteDatabase
.cctor
_Width
IClient
ServerFileName
Listeners
_Locked
databaseName
FileTransferRemoved
Microsoft.VisualBasic.ApplicationServices
PE Information
Image Base
0x00400000
Entry Point
0x00005d3e
Min OS
4.0
Compile Time
2014-11-23 01:09:02
Import Hash
dae02f32a21e03ce65412f6e56942daa
Icon Hash
f66c7c86e9ab59ef3f289acd613a3738
| Translation | 0x0000 0x04b0 |
|---|---|
| FileDescription | |
| FileVersion | 1.2.0.0 |
| InternalName | ServerPlugin.dll |
| LegalCopyright | |
| OriginalFilename | ServerPlugin.dll |
| ProductVersion | 1.2.0.0 |
| Assembly Version | 1.2.0.0 |
| Name | RAW Addr | Virt Addr | Virt Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000200 | 0x00002000 | 0x00003d44 | 0x00003e00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.46 |
| .rsrc | 0x00004000 | 0x00006000 | 0x00002f58 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.31 |
| .reloc | 0x00007000 | 0x0000a000 | 0x0000000c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 0.08 |
| Name | Offset | Size | Language | Entropy | Type |
|---|---|---|---|---|---|
| RT_ICON | 0x00006468 | 0x000002e8 | LANG_NEUTRAL | 1.71 | None |
| RT_ICON | 0x00006750 | 0x00000128 | LANG_NEUTRAL | 2.08 | None |
| RT_ICON | 0x00006878 | 0x000008a8 | LANG_NEUTRAL | 1.72 | None |
| RT_ICON | 0x00007120 | 0x00000568 | LANG_NEUTRAL | 1.05 | None |
| RT_ICON | 0x00007688 | 0x00000353 | LANG_NEUTRAL | 4.05 | None |
| RT_ICON | 0x000079e0 | 0x000010a8 | LANG_NEUTRAL | 2.72 | None |
| RT_ICON | 0x00008a88 | 0x00000468 | LANG_NEUTRAL | 2.76 | None |
| RT_GROUP_ICON | 0x00008ef0 | 0x00000068 | LANG_NEUTRAL | 2.69 | None |
| RT_VERSION | 0x00006208 | 0x0000025c | LANG_NEUTRAL | 3.24 | None |
| Address | Name |
|---|---|
| 0x402000 | _CorDllMain |
Processing 22.82s
- 11.542s NetworkAnalysis
- 9.859s Suricata
- 1.395s CAPE
- 0.015s AnalysisInfo
- 0.01s BehaviorAnalysis
- 0.001s Debug
Signatures 0.08s
- 0.009s network_dns_url_shortener
- 0.006s suspicious_tld
- 0.006s ransomware_files
- 0.005s antiav_detectreg
- 0.004s network_cnc_http
- 0.004s antiav_detectfile
- 0.004s ransomware_extensions_known
- 0.003s network_dyndns
- 0.003s infostealer_ftp
- 0.003s territorial_disputes_sigs
- 0.002s network_http
- 0.002s antianalysis_detectfile
- 0.002s antivm_vbox_files
- 0.002s infostealer_bitcoin
- 0.002s infostealer_im
- 0.002s infostealer_mail
- 0.002s masquerade_process_name
- 0.001s network_open_proxy
- 0.001s network_torgateway
- 0.001s antianalysis_detectreg
- 0.001s antidebug_devices
- 0.001s antivm_vbox_keys
- 0.001s antivm_vmware_files
- 0.001s geodo_banking_trojan
- 0.001s browser_security
- 0.001s disables_backups
- 0.001s disables_browser_warn
- 0.001s disables_power_options
- 0.001s azorult_mutexes
- 0.001s echelon_files
- 0.001s poullight_files
- 0.001s qulab_files
- 0.001s network_dns_opennic
- 0.001s network_dns_paste_site
- 0.001s network_dns_temp_file_storage
- 0.001s network_dns_doh_tls
- 0.001s revil_mutexes
- 0.001s ursnif_behavior
Reporting 0.00s
- 0.001s JsonDump
Signatures
Network activity detected but not expressed in monitor API logs
ip: 188.43.72.25
ip: 20.93.72.182
ip: 46.149.110.67
ip: 135.232.92.34
ip: 72.154.7.16
ip: 72.154.7.108
ip: 72.154.7.100
ip: 72.154.7.105
ip: 72.154.7.102
ip: 72.154.7.98
ip: 72.154.7.107
ip: 72.154.7.101
ip: 72.154.7.109
ip: 20.165.94.54
ip: 150.171.109.51
ip: 13.107.6.156
ip: 84.47.178.41
ip: 150.171.27.11
ip: 173.194.73.94
ip: 84.47.178.49
ip: 52.123.242.97
ip: 40.126.53.14
ip: 20.42.65.93
ip: 4.207.247.139
ip: 84.47.178.56
ip: 20.189.173.2
domain: i.pki.goog
domain: dns.google
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com
suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984951&P2=404&P3=2&P4=dTcAsbSjvag54XwyHINIogEyitdBULDSjv%2fXiN94fPAsjc9p%2bVBPlQUGxgDg1ReAI5z8oNDujPM7tczrEk3rAA%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
Performs some HTTP requests
url: http://i.pki.goog/gsr1.crt
url: http://i.pki.goog/r4.crt
url: http://i.pki.goog/we2.crt
url: http://i.pki.goog/gsr4.crt
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984951&P2=404&P3=2&P4=dTcAsbSjvag54XwyHINIogEyitdBULDSjv%2fXiN94fPAsjc9p%2bVBPlQUGxgDg1ReAI5z8oNDujPM7tczrEk3rAA%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
Binary file triggered multiple YARA rules
Binary triggered YARA rule: NETDLLMicrosoft
Binary triggered YARA rule: IsPE32
Binary triggered YARA rule: IsNET_DLL
Binary triggered YARA rule: IsDLL
Binary triggered YARA rule: IsWindowsGUI
Binary triggered YARA rule: Microsoft_Visual_Studio_NET
Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET_additional
Binary triggered YARA rule: Microsoft_Visual_C_Basic_NET
Binary triggered YARA rule: Microsoft_Visual_Studio_NET_additional
Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET
Binary triggered YARA rule: NET_executable_
Binary triggered YARA rule: NET_executable
Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984951&P2=404&P3=2&P4=dTcAsbSjvag54XwyHINIogEyitdBULDSjv%2fXiN94fPAsjc9p%2bVBPlQUGxgDg1ReAI5z8oNDujPM7tczrEk3rAA%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984951&P2=404&P3=2&P4=dTcAsbSjvag54XwyHINIogEyitdBULDSjv%2fXiN94fPAsjc9p%2bVBPlQUGxgDg1ReAI5z8oNDujPM7tczrEk3rAA%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776984951&P2=404&P3=2&P4=dTcAsbSjvag54XwyHINIogEyitdBULDSjv%2fXiN94fPAsjc9p%2bVBPlQUGxgDg1ReAI5z8oNDujPM7tczrEk3rAA%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4344 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'
Hit: PID 4344 triggered the Yara rule 'IsPE32' with data '[]'
Hit: PID 4344 triggered the Yara rule 'IsNET_DLL' with data '[]'
Hit: PID 4344 triggered the Yara rule 'IsDLL' with data '[]'
Hit: PID 4344 triggered the Yara rule 'IsWindowsGUI' with data '[]'
Hit: PID 4344 triggered the Yara rule 'Microsoft_Visual_Studio_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 4344 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 4344 triggered the Yara rule 'Microsoft_Visual_C_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 4344 triggered the Yara rule 'Microsoft_Visual_Studio_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 4344 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 4344 triggered the Yara rule 'NET_executable_' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Hit: PID 4344 triggered the Yara rule 'NET_executable' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'
Screenshots
Hosts
| Direct | IP | Country Name | ASN |
|---|---|---|---|
| Y | 188.43.72.25 [VT] | unknown | |
| Y | 20.93.72.182 [VT] | unknown | |
| Y | 46.149.110.67 [VT] | unknown | |
| Y | 135.232.92.34 [VT] | unknown | |
| Y | 72.154.7.16 [VT] | unknown | |
| Y | 72.154.7.108 [VT] | unknown | |
| Y | 72.154.7.100 [VT] | unknown | |
| Y | 72.154.7.105 [VT] | unknown | |
| Y | 72.154.7.102 [VT] | unknown | |
| Y | 72.154.7.98 [VT] | unknown | |
| Y | 72.154.7.107 [VT] | unknown | |
| Y | 72.154.7.101 [VT] | unknown | |
| Y | 72.154.7.109 [VT] | unknown | |
| Y | 20.165.94.54 [VT] | unknown | |
| Y | 150.171.109.51 [VT] | unknown | |
| Y | 13.107.6.156 [VT] | unknown | |
| Y | 84.47.178.41 [VT] | unknown | |
| Y | 150.171.27.11 [VT] | unknown | |
| N | 173.194.73.94 [VT] | unknown | |
| Y | 84.47.178.49 [VT] | unknown | |
| Y | 52.123.242.97 [VT] | unknown | |
| Y | 40.126.53.14 [VT] | unknown | |
| Y | 20.42.65.93 [VT] | unknown | |
| Y | 4.207.247.139 [VT] | unknown | |
| Y | 84.47.178.56 [VT] | unknown | |
| Y | 20.189.173.2 [VT] | unknown |
Summary
- C:\Users\cape\AppData\Local\Temp\ServerPlugin.dll.manifest
- C:\Users\cape\AppData\Local\Temp\ServerPlugin.dll
- C:\Users\cape\AppData\Local\Temp\ServerPlugin.dll.123.Manifest
- C:\Users\cape\AppData\Local\Temp\ServerPlugin.dll.124.Manifest
- C:\Users\cape\AppData\Local\Temp\ServerPlugin.dll.2.Manifest
- C:\Windows\SysWOW64\rundll32.exe
- C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\rundll32.exe.mui
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest
No results found.
No behavioral analysis data available.
Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
No dropped files found.
Sorry! No process dumps.