Analysis

Category: FILE
Package: Extraction
Started: 2020-02-14 16:47:54
Completed: 2020-02-14 16:49:13
Duration: 79 seconds

Options:
procmemdump = 1
procdump = 0
route = inetsim

Log:
2020-02-14 17:48:15,000 [root] INFO: Date set to: 02-14-20, time set to: 16:48:15, timeout set to: 200
2020-02-14 17:48:15,046 [root] DEBUG: Starting analyzer from: C:\qkuyag
2020-02-14 17:48:15,046 [root] DEBUG: Storing results at: C:\XLqwGvRVH
2020-02-14 17:48:15,046 [root] DEBUG: Pipe server name: \\.\PIPE\bsDFhhv
2020-02-14 17:48:15,046 [root] INFO: Analysis package "Extraction" has been specified.
2020-02-14 17:48:17,655 [root] DEBUG: Started auxiliary module Browser
2020-02-14 17:48:17,655 [root] DEBUG: Started auxiliary module Curtain
2020-02-14 17:48:17,655 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-02-14 17:48:18,140 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-02-14 17:48:18,140 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-02-14 17:48:18,140 [root] DEBUG: Started auxiliary module DigiSig
2020-02-14 17:48:18,140 [root] DEBUG: Started auxiliary module Disguise
2020-02-14 17:48:18,140 [root] DEBUG: Started auxiliary module Human
2020-02-14 17:48:18,140 [root] DEBUG: Started auxiliary module Screenshots
2020-02-14 17:48:18,140 [root] DEBUG: Started auxiliary module Sysmon
2020-02-14 17:48:18,140 [root] DEBUG: Started auxiliary module Usage
2020-02-14 17:48:18,140 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL option
2020-02-14 17:48:18,140 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2020-02-14 17:48:18,625 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe" with arguments "" with pid 3468
2020-02-14 17:48:18,750 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2020-02-14 17:48:18,750 [lib.api.process] INFO: Option 'extraction' with value '1' sent to monitor
2020-02-14 17:48:18,750 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-02-14 17:48:18,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\qkuyag\dll\UXLpPft.dll, loader C:\qkuyag\bin\aMfJsXz.exe
2020-02-14 17:48:21,030 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\bsDFhhv.
2020-02-14 17:48:22,250 [root] DEBUG: Loader: Injecting process 3468 (thread 340) with C:\qkuyag\dll\UXLpPft.dll.
2020-02-14 17:48:23,092 [root] DEBUG: Process image base: 0x002C0000
2020-02-14 17:48:23,390 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\qkuyag\dll\UXLpPft.dll.
2020-02-14 17:48:23,578 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-14 17:48:23,578 [root] DEBUG: Successfully injected DLL C:\qkuyag\dll\UXLpPft.dll.
2020-02-14 17:48:23,592 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3468
2020-02-14 17:48:25,592 [lib.api.process] INFO: Successfully resumed process with pid 3468
2020-02-14 17:48:25,592 [root] INFO: Added new process to list with pid: 3468
2020-02-14 17:48:26,875 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-14 17:48:26,875 [root] DEBUG: Full process memory dumps enabled.
2020-02-14 17:48:26,875 [root] DEBUG: Capture of extracted payloads enabled.
2020-02-14 17:48:26,875 [root] DEBUG: Process dumps disabled.
2020-02-14 17:48:27,046 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-14 17:48:27,046 [root] INFO: Disabling sleep skipping.
2020-02-14 17:48:27,046 [root] INFO: Disabling sleep skipping.
2020-02-14 17:48:27,046 [root] INFO: Disabling sleep skipping.
2020-02-14 17:48:27,046 [root] INFO: Disabling sleep skipping.
2020-02-14 17:48:27,046 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3468 at 0x6c3b0000, image base 0x2c0000, stack from 0x1b6000-0x1c0000
2020-02-14 17:48:27,046 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe".
2020-02-14 17:48:27,046 [root] DEBUG: WoW64 not detected.
2020-02-14 17:48:27,046 [root] DEBUG: ExtractionInit: Debugger initialised.
2020-02-14 17:48:27,046 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x002C0000.
2020-02-14 17:48:27,078 [root] DEBUG: AddTrackedRegion: New region at 0x002C0000 size 0x1000 added to tracked regions: EntryPoint 0x41b000, Entropy 3.984601e+00
2020-02-14 17:48:27,078 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-02-14 17:48:27,078 [root] INFO: Monitor successfully loaded in process with pid 3468.
2020-02-14 17:48:27,125 [root] DEBUG: DLL loaded at 0x70B60000: C:\Windows\system32\winmm (0x32000 bytes).
2020-02-14 17:48:27,500 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2832.
2020-02-14 17:48:27,500 [root] DEBUG: DLL unloaded from 0x76E50000.
2020-02-14 17:48:27,500 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2656.
2020-02-14 17:48:27,500 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1064.
2020-02-14 17:48:27,500 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2428.
2020-02-14 17:48:27,500 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2420.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2816.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2708.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3408.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 932.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3040.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1544.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1228.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1648.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1632.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 824.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 160.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1464.
2020-02-14 17:48:27,515 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2904.
2020-02-14 17:48:27,530 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2984.
2020-02-14 17:48:27,530 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2776.
2020-02-14 17:48:27,530 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2348.
2020-02-14 17:48:27,530 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3156.
2020-02-14 17:48:27,530 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2704.
2020-02-14 17:48:27,530 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2768.
2020-02-14 17:48:27,562 [root] DEBUG: DLL loaded at 0x75340000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-02-14 17:48:27,562 [root] DEBUG: DLL loaded at 0x76FB0000: C:\Windows\system32\NSI (0x6000 bytes).
2020-02-14 17:48:27,562 [root] DEBUG: DLL loaded at 0x730E0000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2020-02-14 17:48:27,578 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\Secur32 (0x8000 bytes).
2020-02-14 17:48:27,578 [root] DEBUG: DLL loaded at 0x74410000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-02-14 17:48:27,592 [root] DEBUG: ProtectionHandler: Address 0x002C1000 already in tracked region at 0x002C0000, size 0x1000
2020-02-14 17:48:27,592 [root] DEBUG: ProtectionHandler: Address: 0x002C1000 (alloc base 0x002C0000), NumberOfBytesToProtect: 0x26200, NewAccessProtection: 0x40
2020-02-14 17:48:27,592 [root] DEBUG: ProtectionHandler: Increased region size at 0x002C1000 to 0x27200.
2020-02-14 17:48:27,592 [root] DEBUG: ProtectionHandler: Updated region protection at 0x002C1000 to 0x40.
2020-02-14 17:48:27,592 [root] DEBUG: ProcessImageBase: EP 0x0041B000 image base 0x002C0000 size 0x0 entropy 6.812938e+00.
2020-02-14 17:48:27,608 [root] DEBUG: ProcessImageBase: Modified image detected at image base 0x002C0000 - new entropy 6.812938e+00.
2020-02-14 17:48:27,608 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x002C0000
2020-02-14 17:48:27,608 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-02-14 17:48:27,608 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x002C0000.
2020-02-14 17:48:27,655 [root] DEBUG: DLL loaded at 0x74AC0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-02-14 17:48:27,671 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_179237825127481614522020
2020-02-14 17:48:27,671 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x195000.
2020-02-14 17:48:27,687 [root] DEBUG: CreateThread: Initialising breakpoints for thread 972.
2020-02-14 17:48:27,687 [root] DEBUG: Allocation: 0x00780000 - 0x00781000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:27,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,687 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,687 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,687 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,687 [root] DEBUG: ProcessImageBase: Modified entry point (0x00000000) detected at image base 0x002C0000 - dumping.
2020-02-14 17:48:27,687 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x002C0000
2020-02-14 17:48:27,687 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-02-14 17:48:27,687 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x002C0000.
2020-02-14 17:48:27,717 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_54095617327481614522020
2020-02-14 17:48:27,717 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x195000.
2020-02-14 17:48:27,717 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00780000, size: 0x1000.
2020-02-14 17:48:27,717 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00780000.
2020-02-14 17:48:27,717 [root] DEBUG: AddTrackedRegion: New region at 0x00780000 size 0x1000 added to tracked regions.
2020-02-14 17:48:27,733 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00780000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:27,733 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x00780000 and Type=0x1.
2020-02-14 17:48:27,733 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x00780000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:27,733 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00780000
2020-02-14 17:48:27,733 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x0078003C and Type=0x1.
2020-02-14 17:48:27,733 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x0078003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:27,733 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0078003C
2020-02-14 17:48:27,733 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00780000 (size 0x1000).
2020-02-14 17:48:27,733 [root] DEBUG: Allocation: 0x00790000 - 0x00791000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:27,733 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,733 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,733 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,733 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,733 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,733 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:27,733 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00790000, size: 0x1000.
2020-02-14 17:48:27,733 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x00790000.
2020-02-14 17:48:27,733 [root] DEBUG: AddTrackedRegion: New region at 0x00790000 size 0x1000 added to tracked regions.
2020-02-14 17:48:27,733 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00790000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:27,750 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00780000 to 0x00790000.
2020-02-14 17:48:27,750 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x00790000 and Type=0x1.
2020-02-14 17:48:27,750 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x00790000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:27,750 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00790000
2020-02-14 17:48:27,750 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x0079003C and Type=0x1.
2020-02-14 17:48:27,750 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x0079003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:27,750 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0079003C
2020-02-14 17:48:27,750 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00790000 (size 0x1000).
2020-02-14 17:48:27,750 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00539EFF (thread 340)
2020-02-14 17:48:27,750 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00790000.
2020-02-14 17:48:27,750 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00790000 and Type=0x0.
2020-02-14 17:48:27,750 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x790000: 0x0.
2020-02-14 17:48:27,750 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,750 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00539EFF (thread 340)
2020-02-14 17:48:27,750 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0079003C.
2020-02-14 17:48:27,750 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x90bf1d91 (at 0x0079003C).
2020-02-14 17:48:27,750 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00790000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,750 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00790000.
2020-02-14 17:48:27,750 [root] DEBUG: Allocation: 0x007A0000 - 0x007A2000, size: 0x2000, protection: 0x40.
2020-02-14 17:48:27,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,750 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,765 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,765 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,765 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:27,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:27,765 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x007A0000, size: 0x2000.
2020-02-14 17:48:27,765 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x007A0000.
2020-02-14 17:48:27,765 [root] DEBUG: AddTrackedRegion: New region at 0x007A0000 size 0x2000 added to tracked regions.
2020-02-14 17:48:27,765 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x007A0000, TrackedRegion->RegionSize: 0x2000, thread 340
2020-02-14 17:48:27,765 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00790000 to 0x007A0000.
2020-02-14 17:48:27,765 [root] DEBUG: DumpPEsInRange: Scanning range 0x790000 - 0x791000.
2020-02-14 17:48:27,765 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x790000-0x791000.
2020-02-14 17:48:27,765 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00790000 - 0x00791000.
2020-02-14 17:48:27,765 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_101687587927481614522020
2020-02-14 17:48:27,765 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_101687587927481614522020 (size 0x1000)
2020-02-14 17:48:27,765 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00790000.
2020-02-14 17:48:27,780 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x790000 - 0x791000.
2020-02-14 17:48:27,780 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x007A0000 and Type=0x1.
2020-02-14 17:48:27,780 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x007A0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:27,780 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x007A0000
2020-02-14 17:48:27,780 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x007A003C and Type=0x1.
2020-02-14 17:48:27,780 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x007A003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:27,780 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x007A003C
2020-02-14 17:48:27,780 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x007A0000 (size 0x2000).
2020-02-14 17:48:27,780 [root] DEBUG: Allocation: 0x029D0000 - 0x029E0000, size: 0x10000, protection: 0x40.
2020-02-14 17:48:27,780 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,780 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,780 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,780 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,780 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,780 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:27,780 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:27,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:27,796 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029D0000, size: 0x10000.
2020-02-14 17:48:27,796 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029D0000.
2020-02-14 17:48:27,796 [root] DEBUG: AddTrackedRegion: New region at 0x029D0000 size 0x10000 added to tracked regions.
2020-02-14 17:48:27,796 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029D0000, TrackedRegion->RegionSize: 0x10000, thread 340
2020-02-14 17:48:27,796 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x007A0000 to 0x029D0000.
2020-02-14 17:48:27,796 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029D0000 and Type=0x1.
2020-02-14 17:48:27,796 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029D0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:27,796 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029D0000
2020-02-14 17:48:27,796 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029D003C and Type=0x1.
2020-02-14 17:48:27,796 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029D003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:27,796 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029D003C
2020-02-14 17:48:27,796 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029D0000 (size 0x10000).
2020-02-14 17:48:27,796 [root] DEBUG: Allocation: 0x029E0000 - 0x029E2000, size: 0x2000, protection: 0x40.
2020-02-14 17:48:27,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,796 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,796 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,796 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:27,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:27,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:27,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:27,812 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029E0000, size: 0x2000.
2020-02-14 17:48:27,812 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029E0000.
2020-02-14 17:48:27,812 [root] DEBUG: AddTrackedRegion: New region at 0x029E0000 size 0x2000 added to tracked regions.
2020-02-14 17:48:27,812 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029E0000, TrackedRegion->RegionSize: 0x2000, thread 340
2020-02-14 17:48:27,812 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x029D0000 to 0x029E0000.
2020-02-14 17:48:27,812 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029E0000 and Type=0x1.
2020-02-14 17:48:27,812 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029E0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:27,812 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029E0000
2020-02-14 17:48:27,812 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029E003C and Type=0x1.
2020-02-14 17:48:27,812 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029E003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:27,812 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029E003C
2020-02-14 17:48:27,812 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029E0000 (size 0x2000).
2020-02-14 17:48:27,812 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:27,812 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:27,812 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x029E0000 and Type=0x0.
2020-02-14 17:48:27,812 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xb3.
2020-02-14 17:48:27,828 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,828 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:27,828 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:27,828 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,828 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xce.
2020-02-14 17:48:27,828 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,828 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:27,828 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:27,828 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5f9523f9 (at 0x029E003C).
2020-02-14 17:48:27,828 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,828 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:27,828 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:27,828 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:27,828 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xe826c814 (at 0x029E003C).
2020-02-14 17:48:27,828 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,828 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:27,828 [root] DEBUG: Allocation: 0x029F0000 - 0x029F1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:27,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,828 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,828 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,828 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:27,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:27,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:27,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:27,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:27,842 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029F0000, size: 0x1000.
2020-02-14 17:48:27,842 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029F0000.
2020-02-14 17:48:27,842 [root] DEBUG: AddTrackedRegion: New region at 0x029F0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:27,842 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029F0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:27,842 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x029E0000 to 0x029F0000.
2020-02-14 17:48:27,842 [root] DEBUG: DumpPEsInRange: Scanning range 0x29e0000 - 0x29e2000.
2020-02-14 17:48:27,842 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29e0000-0x29e2000.
2020-02-14 17:48:27,842 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029E0000 - 0x029E2000.
2020-02-14 17:48:27,842 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_69680446127481614522020
2020-02-14 17:48:27,842 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_69680446127481614522020 (size 0x2000)
2020-02-14 17:48:27,842 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x029E0000.
2020-02-14 17:48:27,842 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e2000.
2020-02-14 17:48:27,842 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029F0000 and Type=0x1.
2020-02-14 17:48:27,842 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029F0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:27,842 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029F0000
2020-02-14 17:48:27,858 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029F003C and Type=0x1.
2020-02-14 17:48:27,858 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029F003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:27,858 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029F003C
2020-02-14 17:48:27,858 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029F0000 (size 0x1000).
2020-02-14 17:48:27,858 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,858 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029F0000.
2020-02-14 17:48:27,858 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x029F0000 and Type=0x0.
2020-02-14 17:48:27,858 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29f0000: 0x8b.
2020-02-14 17:48:27,858 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,858 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,858 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029F0000.
2020-02-14 17:48:27,858 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029F0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,858 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29f0000: 0x8b.
2020-02-14 17:48:27,858 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,858 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,858 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029F003C.
2020-02-14 17:48:27,858 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x585aeb3a (at 0x029F003C).
2020-02-14 17:48:27,858 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029F0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,858 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029F0000.
2020-02-14 17:48:27,858 [root] DEBUG: Allocation: 0x02B00000 - 0x02B01000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:27,858 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,858 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,858 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,858 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,875 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:27,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:27,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:27,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:27,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:27,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:27,875 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02B00000, size: 0x1000.
2020-02-14 17:48:27,875 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02B00000.
2020-02-14 17:48:27,875 [root] DEBUG: AddTrackedRegion: New region at 0x02B00000 size 0x1000 added to tracked regions.
2020-02-14 17:48:27,875 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02B00000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:27,875 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x029F0000 to 0x02B00000.
2020-02-14 17:48:27,875 [root] DEBUG: DumpPEsInRange: Scanning range 0x29f0000 - 0x29f1000.
2020-02-14 17:48:27,875 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29f0000-0x29f1000.
2020-02-14 17:48:27,875 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029F0000 - 0x029F1000.
2020-02-14 17:48:27,875 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_159072422827481614522020
2020-02-14 17:48:27,875 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_159072422827481614522020 (size 0x1000)
2020-02-14 17:48:27,890 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x029F0000.
2020-02-14 17:48:27,890 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29f0000 - 0x29f1000.
2020-02-14 17:48:27,890 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02B00000 and Type=0x1.
2020-02-14 17:48:27,890 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02B00000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:27,890 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02B00000
2020-02-14 17:48:27,890 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02B0003C and Type=0x1.
2020-02-14 17:48:27,890 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02B0003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:27,890 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02B0003C
2020-02-14 17:48:27,890 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02B00000 (size 0x1000).
2020-02-14 17:48:27,890 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,890 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02B00000.
2020-02-14 17:48:27,890 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02B00000 and Type=0x0.
2020-02-14 17:48:27,890 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2b00000: 0x8b.
2020-02-14 17:48:27,890 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,890 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,890 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02B00000.
2020-02-14 17:48:27,890 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02B00000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,890 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2b00000: 0x8b.
2020-02-14 17:48:27,890 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,890 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,890 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02B0003C.
2020-02-14 17:48:27,890 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5a310f52 (at 0x02B0003C).
2020-02-14 17:48:27,890 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02B00000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,905 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02B00000.
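The cycle above repeats for every 0x1000-byte allocation with protection 0x40 (PAGE_EXECUTE_READWRITE): CAPE sets a 2-byte write breakpoint on the region base (waiting for "MZ") and a 4-byte one at base+0x3C (e_lfanew); the first byte that lands at the base is 0x8b rather than 'M', the value that lands at +0x3C is far larger than the region and is rejected, ScanForDisguisedPE finds nothing, and the region is dumped raw as a 0x1000-byte CAPE file before the breakpoints move to the next allocation. The Python script below is an added example, not part of CAPE or of this report: it folds those log lines into one record per region so the pattern can be read at a glance. The sample lines are copied from this log; the in-region test on the e_lfanew candidate and the opcode hints for the first byte are annotations added here, not anything CAPE reports.

```python
"""Summarise CAPE 'Extraction' allocation-tracking cycles from the debug log.

Added example, not part of CAPE or of this report.  Sample lines are copied
from the log above; the in-region test on the e_lfanew candidate is an
assumption (CAPE's real limit is not shown in the log).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_EXECUTE_READWRITE = 0x40  # the protection value the log reports
E_LFANEW_OFFSET = 0x3C         # IMAGE_DOS_HEADER.e_lfanew, the address of bp 1
FIRST_BYTE_HINT = {            # what bp 0 saw at the base; 'M' would start a PE header
    0x4D: "'M' (possible MZ header)",
    0x8B: "x86 opcode: mov r32, r/m32",
    0x6A: "x86 opcode: push imm8",
}

_ALLOC = re.compile(r"Allocation: 0x([0-9A-Fa-f]+) - 0x[0-9A-Fa-f]+, size: 0x([0-9A-Fa-f]+), protection: 0x([0-9A-Fa-f]+)")
_FIRST = re.compile(r"byte written to 0x([0-9A-Fa-f]+): 0x([0-9A-Fa-f]{2})")
_LFANEW = re.compile(r"candidate pointer to PE header too big: 0x([0-9A-Fa-f]+) \(at 0x([0-9A-Fa-f]+)\)")
_NOPE = re.compile(r"No PE image located in range 0x([0-9A-Fa-f]+)-")
_FILE = re.compile(r"CAPE output file successfully created: (\S+) \(size 0x([0-9A-Fa-f]+)\)")
_DUMPED = re.compile(r"dumped executable memory range at 0x([0-9A-Fa-f]+)")


@dataclass
class Region:
    base: int
    size: int
    protect: int
    first_byte: Optional[int] = None
    e_lfanew: Optional[int] = None
    pe_found: Optional[bool] = None
    dump_path: Optional[str] = None
    dump_size: Optional[int] = None

    @property
    def is_rwx(self) -> bool:
        return self.protect == PAGE_EXECUTE_READWRITE

    @property
    def e_lfanew_in_region(self) -> Optional[bool]:
        # Assumed heuristic: a genuine e_lfanew must point inside the allocation.
        return None if self.e_lfanew is None else self.e_lfanew + 4 <= self.size

    @property
    def first_byte_hint(self) -> str:
        if self.first_byte is None:
            return "no write seen"
        return FIRST_BYTE_HINT.get(self.first_byte, f"byte {self.first_byte:#04x}")


def summarise(log_text: str) -> List[Region]:
    """Fold the per-line events into one Region per allocation base."""
    regions: Dict[int, Region] = {}
    pending_file = None  # DumpMemory line precedes the 'dumped ... at' line naming the region
    for line in log_text.splitlines():
        if m := _ALLOC.search(line):
            base, size, prot = (int(x, 16) for x in m.groups())
            regions[base] = Region(base, size, prot)
        elif m := _FIRST.search(line):
            r = regions.get(int(m.group(1), 16))
            if r is not None and r.first_byte is None:   # the same write is reported twice
                r.first_byte = int(m.group(2), 16)
        elif m := _LFANEW.search(line):
            r = regions.get(int(m.group(2), 16) - E_LFANEW_OFFSET)
            if r is not None:
                r.e_lfanew = int(m.group(1), 16)
        elif m := _NOPE.search(line):
            r = regions.get(int(m.group(1), 16))
            if r is not None:
                r.pe_found = False
        elif m := _FILE.search(line):
            pending_file = (m.group(1), int(m.group(2), 16))
        elif (m := _DUMPED.search(line)) and pending_file is not None:
            r = regions.get(int(m.group(1), 16))
            if r is not None:
                r.dump_path, r.dump_size = pending_file
            pending_file = None
    return sorted(regions.values(), key=lambda r: r.base)


# Constructed sample: lines copied from the analysis log above for two regions.
SAMPLE_LOG = r"""
2020-02-14 17:48:27,858 [root] DEBUG: Allocation: 0x02B00000 - 0x02B01000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:27,890 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2b00000: 0x8b.
2020-02-14 17:48:27,890 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5a310f52 (at 0x02B0003C).
2020-02-14 17:48:27,905 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b00000-0x2b01000.
2020-02-14 17:48:27,921 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_56317488027481614522020 (size 0x1000)
2020-02-14 17:48:27,921 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02B00000.
2020-02-14 17:48:28,062 [root] DEBUG: Allocation: 0x02E50000 - 0x02E51000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,092 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e50000: 0x6a.
2020-02-14 17:48:28,092 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x8df9b8d8 (at 0x02E5003C).
"""

if __name__ == "__main__":
    for r in summarise(SAMPLE_LOG):
        print(f"{r.base:#010x} size={r.size:#x} rwx={r.is_rwx} first={r.first_byte_hint!r} "
              f"e_lfanew_in_region={r.e_lfanew_in_region} pe_found={r.pe_found} dump={r.dump_path}")
```

Run it over the full analysis.log instead of SAMPLE_LOG to get one line per tracked region; a region whose first byte is 'M' and whose e_lfanew_in_region is True is the one worth opening in a PE parser, while rows like the ones here (code opcode first, garbage at +0x3C, no PE found) are raw 4 KB dumps of whatever the sample wrote, not unpacked images.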
2020-02-14 17:48:27,905 [root] DEBUG: Allocation: 0x02B10000 - 0x02B11000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,905 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,905 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:27,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:27,905 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02B10000, size: 0x1000.
2020-02-14 17:48:27,905 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02B10000.
2020-02-14 17:48:27,905 [root] DEBUG: AddTrackedRegion: New region at 0x02B10000 size 0x1000 added to tracked regions.
2020-02-14 17:48:27,905 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02B10000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:27,905 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02B00000 to 0x02B10000.
2020-02-14 17:48:27,905 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b00000 - 0x2b01000.
2020-02-14 17:48:27,905 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b00000-0x2b01000.
2020-02-14 17:48:27,905 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02B00000 - 0x02B01000.
2020-02-14 17:48:27,921 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_56317488027481614522020
2020-02-14 17:48:27,921 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_56317488027481614522020 (size 0x1000)
2020-02-14 17:48:27,921 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02B00000.
2020-02-14 17:48:27,921 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b00000 - 0x2b01000.
2020-02-14 17:48:27,921 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02B10000 and Type=0x1.
2020-02-14 17:48:27,921 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02B10000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:27,921 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02B10000
2020-02-14 17:48:27,921 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02B1003C and Type=0x1.
2020-02-14 17:48:27,921 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02B1003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:27,921 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02B1003C
2020-02-14 17:48:27,921 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02B10000 (size 0x1000).
2020-02-14 17:48:27,921 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02B10000.
2020-02-14 17:48:27,921 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02B10000 and Type=0x0.
2020-02-14 17:48:27,921 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2b10000: 0x8b.
2020-02-14 17:48:27,921 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,921 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,921 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02B10000.
2020-02-14 17:48:27,921 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02B10000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,921 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2b10000: 0x8b.
2020-02-14 17:48:27,921 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,921 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,921 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02B1003C.
2020-02-14 17:48:27,937 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5ffeb980 (at 0x02B1003C).
2020-02-14 17:48:27,937 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02B10000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,937 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02B10000.
2020-02-14 17:48:27,937 [root] DEBUG: Allocation: 0x02E20000 - 0x02E21000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,937 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,937 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:27,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:27,937 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02E20000, size: 0x1000.
2020-02-14 17:48:27,937 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02E20000.
2020-02-14 17:48:27,937 [root] DEBUG: AddTrackedRegion: New region at 0x02E20000 size 0x1000 added to tracked regions.
2020-02-14 17:48:27,937 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02E20000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:27,937 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02B10000 to 0x02E20000.
2020-02-14 17:48:27,937 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b10000 - 0x2b11000.
2020-02-14 17:48:27,937 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b10000-0x2b11000.
2020-02-14 17:48:27,937 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02B10000 - 0x02B11000.
2020-02-14 17:48:27,953 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_182847390527481614522020
2020-02-14 17:48:27,953 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_182847390527481614522020 (size 0x1000)
2020-02-14 17:48:27,953 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02B10000.
2020-02-14 17:48:27,953 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b10000 - 0x2b11000.
2020-02-14 17:48:27,953 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02E20000 and Type=0x1.
2020-02-14 17:48:27,953 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02E20000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:27,953 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02E20000
2020-02-14 17:48:27,953 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02E2003C and Type=0x1.
2020-02-14 17:48:27,953 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02E2003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:27,953 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02E2003C
2020-02-14 17:48:27,953 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02E20000 (size 0x1000).
2020-02-14 17:48:27,953 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,953 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E20000.
2020-02-14 17:48:27,953 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02E20000 and Type=0x0.
2020-02-14 17:48:27,953 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e20000: 0x8b.
2020-02-14 17:48:27,953 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,953 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,953 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E20000.
2020-02-14 17:48:27,953 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E20000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,953 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e20000: 0x8b.
2020-02-14 17:48:27,953 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:27,967 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:27,967 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02E2003C.
2020-02-14 17:48:27,967 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xa4000000 (at 0x02E2003C).
2020-02-14 17:48:27,967 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E20000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:27,967 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02E20000.
2020-02-14 17:48:27,967 [root] DEBUG: Allocation: 0x02E30000 - 0x02E31000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:27,967 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,967 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:27,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:27,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:27,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:27,983 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02E30000, size: 0x1000.
2020-02-14 17:48:27,983 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 11.
2020-02-14 17:48:27,983 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02E30000.
2020-02-14 17:48:27,983 [root] DEBUG: AddTrackedRegion: New region at 0x02E30000 size 0x1000 added to tracked regions.
2020-02-14 17:48:27,983 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02E30000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:27,983 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02E20000 to 0x02E30000.
2020-02-14 17:48:27,983 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e20000 - 0x2e21000.
2020-02-14 17:48:27,983 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e20000-0x2e21000.
2020-02-14 17:48:27,983 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E20000 - 0x02E21000.
2020-02-14 17:48:28,000 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_190743996827481614522020
2020-02-14 17:48:28,000 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_190743996827481614522020 (size 0x1000)
2020-02-14 17:48:28,000 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E20000.
2020-02-14 17:48:28,000 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e20000 - 0x2e21000.
2020-02-14 17:48:28,000 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02E30000 and Type=0x1.
2020-02-14 17:48:28,000 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02E30000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,000 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02E30000
2020-02-14 17:48:28,000 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02E3003C and Type=0x1.
2020-02-14 17:48:28,015 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02E3003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,015 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02E3003C
2020-02-14 17:48:28,015 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02E30000 (size 0x1000).
2020-02-14 17:48:28,015 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,015 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E30000.
2020-02-14 17:48:28,015 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02E30000 and Type=0x0.
2020-02-14 17:48:28,015 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e30000: 0x8b.
2020-02-14 17:48:28,015 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,015 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,015 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E30000.
2020-02-14 17:48:28,015 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E30000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,015 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e30000: 0x8b.
2020-02-14 17:48:28,015 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,015 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,015 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02E3003C.
2020-02-14 17:48:28,015 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xfa251c8f (at 0x02E3003C).
2020-02-14 17:48:28,015 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E30000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,015 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02E30000.
2020-02-14 17:48:28,030 [root] DEBUG: Allocation: 0x02E40000 - 0x02E41000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,030 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,030 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,030 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02E40000, size: 0x1000.
2020-02-14 17:48:28,030 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 12.
2020-02-14 17:48:28,046 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02E40000.
2020-02-14 17:48:28,046 [root] DEBUG: AddTrackedRegion: New region at 0x02E40000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,046 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02E40000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,046 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02E30000 to 0x02E40000.
2020-02-14 17:48:28,046 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e30000 - 0x2e31000.
2020-02-14 17:48:28,046 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e30000-0x2e31000.
2020-02-14 17:48:28,046 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E30000 - 0x02E31000.
2020-02-14 17:48:28,046 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_127547334628481614522020
2020-02-14 17:48:28,046 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_127547334628481614522020 (size 0x1000)
2020-02-14 17:48:28,046 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E30000.
2020-02-14 17:48:28,046 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e30000 - 0x2e31000.
2020-02-14 17:48:28,046 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02E40000 and Type=0x1.
2020-02-14 17:48:28,046 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02E40000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,046 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02E40000
2020-02-14 17:48:28,046 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02E4003C and Type=0x1.
2020-02-14 17:48:28,046 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02E4003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,062 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02E4003C
2020-02-14 17:48:28,062 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02E40000 (size 0x1000).
2020-02-14 17:48:28,062 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,062 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E40000.
2020-02-14 17:48:28,062 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02E40000 and Type=0x0.
2020-02-14 17:48:28,062 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e40000: 0x8b.
2020-02-14 17:48:28,062 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,062 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,062 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E40000.
2020-02-14 17:48:28,062 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E40000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,062 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e40000: 0x8b.
2020-02-14 17:48:28,062 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,062 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,062 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02E4003C.
2020-02-14 17:48:28,062 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x6063921d (at 0x02E4003C).
2020-02-14 17:48:28,062 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E40000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,062 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02E40000.
2020-02-14 17:48:28,062 [root] DEBUG: Allocation: 0x02E50000 - 0x02E51000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,062 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,062 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,078 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02E50000, size: 0x1000.
2020-02-14 17:48:28,078 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 13.
2020-02-14 17:48:28,078 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02E50000.
2020-02-14 17:48:28,078 [root] DEBUG: AddTrackedRegion: New region at 0x02E50000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,078 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02E50000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,078 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02E40000 to 0x02E50000.
2020-02-14 17:48:28,078 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e40000 - 0x2e41000.
2020-02-14 17:48:28,078 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e40000-0x2e41000.
2020-02-14 17:48:28,078 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E40000 - 0x02E41000.
2020-02-14 17:48:28,078 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_104223652028481614522020
2020-02-14 17:48:28,078 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_104223652028481614522020 (size 0x1000)
2020-02-14 17:48:28,078 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E40000.
2020-02-14 17:48:28,078 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e40000 - 0x2e41000.
2020-02-14 17:48:28,078 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02E50000 and Type=0x1.
2020-02-14 17:48:28,078 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02E50000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,078 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02E50000
2020-02-14 17:48:28,078 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02E5003C and Type=0x1.
2020-02-14 17:48:28,078 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02E5003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,078 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02E5003C
2020-02-14 17:48:28,092 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02E50000 (size 0x1000).
2020-02-14 17:48:28,092 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,092 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E50000.
2020-02-14 17:48:28,092 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02E50000 and Type=0x0.
2020-02-14 17:48:28,092 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e50000: 0x6a.
2020-02-14 17:48:28,092 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,092 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,092 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E50000.
2020-02-14 17:48:28,092 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E50000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,092 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e50000: 0x6a.
2020-02-14 17:48:28,092 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,092 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,092 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02E5003C.
2020-02-14 17:48:28,092 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x8df9b8d8 (at 0x02E5003C).
2020-02-14 17:48:28,092 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E50000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,092 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02E50000.
2020-02-14 17:48:28,092 [root] DEBUG: Allocation: 0x02E60000 - 0x02E61000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,092 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,092 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,092 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,108 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02E60000, size: 0x1000.
2020-02-14 17:48:28,108 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 14.
2020-02-14 17:48:28,108 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02E60000.
2020-02-14 17:48:28,108 [root] DEBUG: AddTrackedRegion: New region at 0x02E60000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,108 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02E60000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,108 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02E50000 to 0x02E60000.
2020-02-14 17:48:28,108 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e50000 - 0x2e51000.
2020-02-14 17:48:28,108 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e50000-0x2e51000.
2020-02-14 17:48:28,108 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E50000 - 0x02E51000.
2020-02-14 17:48:28,108 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_42007345528481614522020
2020-02-14 17:48:28,108 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_42007345528481614522020 (size 0x1000)
2020-02-14 17:48:28,108 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E50000.
2020-02-14 17:48:28,108 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e50000 - 0x2e51000.
2020-02-14 17:48:28,108 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02E60000 and Type=0x1.
2020-02-14 17:48:28,108 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02E60000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,125 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02E60000
2020-02-14 17:48:28,125 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02E6003C and Type=0x1.
2020-02-14 17:48:28,125 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02E6003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,125 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02E6003C
2020-02-14 17:48:28,125 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02E60000 (size 0x1000).
2020-02-14 17:48:28,125 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,125 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E60000.
2020-02-14 17:48:28,125 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02E60000 and Type=0x0.
2020-02-14 17:48:28,125 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e60000: 0x8b.
2020-02-14 17:48:28,125 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,125 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,125 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E60000.
2020-02-14 17:48:28,125 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E60000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,125 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e60000: 0x8b.
2020-02-14 17:48:28,125 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,125 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,125 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02E6003C.
2020-02-14 17:48:28,125 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x02E60020 and Type=0x1.
2020-02-14 17:48:28,125 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 3 within Context, Size=0x4, Address=0x02E60030 and Type=0x1.
2020-02-14 17:48:28,125 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02E60030.
2020-02-14 17:48:28,125 [root] DEBUG: Allocation: 0x02E70000 - 0x02E71000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,125 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,125 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,125 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,140 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02E70000, size: 0x1000.
2020-02-14 17:48:28,140 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 15.
2020-02-14 17:48:28,140 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02E70000.
2020-02-14 17:48:28,140 [root] DEBUG: AddTrackedRegion: New region at 0x02E70000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,140 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02E70000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,140 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02E60000 to 0x02E70000.
2020-02-14 17:48:28,140 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e60000 - 0x2e61000.
2020-02-14 17:48:28,140 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e60000-0x2e61000.
2020-02-14 17:48:28,140 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E60000 - 0x02E61000.
2020-02-14 17:48:28,140 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_139747022028481614522020
2020-02-14 17:48:28,140 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_139747022028481614522020 (size 0x1000)
2020-02-14 17:48:28,140 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E60000.
2020-02-14 17:48:28,140 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e60000 - 0x2e61000.
2020-02-14 17:48:28,140 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02E70000 and Type=0x1.
2020-02-14 17:48:28,140 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02E70000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,155 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02E70000
2020-02-14 17:48:28,155 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02E7003C and Type=0x1.
2020-02-14 17:48:28,155 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02E7003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,155 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02E7003C
2020-02-14 17:48:28,155 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02E70000 (size 0x1000).
2020-02-14 17:48:28,155 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,155 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E70000.
2020-02-14 17:48:28,155 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02E70000 and Type=0x0.
2020-02-14 17:48:28,155 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e70000: 0x8b.
2020-02-14 17:48:28,155 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,155 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,155 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E70000.
2020-02-14 17:48:28,155 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E70000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,155 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e70000: 0x8b.
2020-02-14 17:48:28,155 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,155 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,155 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02E7003C.
2020-02-14 17:48:28,155 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf3622d44 (at 0x02E7003C).
2020-02-14 17:48:28,155 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E70000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,155 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02E70000.
2020-02-14 17:48:28,155 [root] DEBUG: Allocation: 0x02E80000 - 0x02E81000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,155 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,155 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,155 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,171 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02E80000, size: 0x1000.
2020-02-14 17:48:28,171 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 16.
2020-02-14 17:48:28,171 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02E80000.
2020-02-14 17:48:28,171 [root] DEBUG: AddTrackedRegion: New region at 0x02E80000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,171 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02E80000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,171 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02E70000 to 0x02E80000.
2020-02-14 17:48:28,171 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e70000 - 0x2e71000.
2020-02-14 17:48:28,171 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e70000-0x2e71000.
2020-02-14 17:48:28,171 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E70000 - 0x02E71000.
2020-02-14 17:48:28,171 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_126339269228481614522020
2020-02-14 17:48:28,171 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_126339269228481614522020 (size 0x1000)
2020-02-14 17:48:28,171 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E70000.
2020-02-14 17:48:28,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e70000 - 0x2e71000.
2020-02-14 17:48:28,187 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02E80000 and Type=0x1.
2020-02-14 17:48:28,187 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02E80000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,187 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02E80000
2020-02-14 17:48:28,187 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02E8003C and Type=0x1.
2020-02-14 17:48:28,187 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02E8003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,187 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02E8003C
2020-02-14 17:48:28,187 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02E80000 (size 0x1000).
2020-02-14 17:48:28,187 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,187 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E80000.
2020-02-14 17:48:28,187 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02E80000 and Type=0x0.
2020-02-14 17:48:28,187 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e80000: 0x8b.
2020-02-14 17:48:28,187 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,187 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,187 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E80000.
2020-02-14 17:48:28,187 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E80000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,187 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e80000: 0x8b.
2020-02-14 17:48:28,187 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,187 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,187 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02E8003C.
2020-02-14 17:48:28,187 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x2ab46095 (at 0x02E8003C).
2020-02-14 17:48:28,187 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E80000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,187 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02E80000.
2020-02-14 17:48:28,187 [root] DEBUG: Allocation: 0x02E90000 - 0x02E91000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,187 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,203 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,203 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02E90000, size: 0x1000.
2020-02-14 17:48:28,203 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 17.
2020-02-14 17:48:28,203 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02E90000.
2020-02-14 17:48:28,203 [root] DEBUG: AddTrackedRegion: New region at 0x02E90000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,203 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02E90000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,203 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02E80000 to 0x02E90000.
2020-02-14 17:48:28,203 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e80000 - 0x2e81000.
2020-02-14 17:48:28,203 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e80000-0x2e81000.
2020-02-14 17:48:28,203 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E80000 - 0x02E81000.
2020-02-14 17:48:28,217 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_165270963428481614522020
2020-02-14 17:48:28,217 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_165270963428481614522020 (size 0x1000)
2020-02-14 17:48:28,217 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E80000.
2020-02-14 17:48:28,217 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e80000 - 0x2e81000.
2020-02-14 17:48:28,217 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02E90000 and Type=0x1.
2020-02-14 17:48:28,217 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02E90000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,217 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02E90000
2020-02-14 17:48:28,217 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02E9003C and Type=0x1.
2020-02-14 17:48:28,217 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02E9003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,217 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02E9003C
2020-02-14 17:48:28,217 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02E90000 (size 0x1000).
2020-02-14 17:48:28,217 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,217 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E90000.
2020-02-14 17:48:28,217 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02E90000 and Type=0x0.
2020-02-14 17:48:28,217 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e90000: 0x8b.
2020-02-14 17:48:28,217 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,217 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,217 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02E90000.
2020-02-14 17:48:28,217 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E90000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,217 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2e90000: 0x8b.
2020-02-14 17:48:28,217 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,217 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,217 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02E9003C.
2020-02-14 17:48:28,217 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x4752ba60 (at 0x02E9003C).
2020-02-14 17:48:28,217 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02E90000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,217 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02E90000.
2020-02-14 17:48:28,217 [root] DEBUG: Allocation: 0x02EA0000 - 0x02EA1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,217 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,217 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,233 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,233 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,233 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02EA0000, size: 0x1000.
2020-02-14 17:48:28,233 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 18.
2020-02-14 17:48:28,233 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02EA0000.
2020-02-14 17:48:28,233 [root] DEBUG: AddTrackedRegion: New region at 0x02EA0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,233 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02EA0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,233 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02E90000 to 0x02EA0000.
2020-02-14 17:48:28,233 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e90000 - 0x2e91000.
2020-02-14 17:48:28,233 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e90000-0x2e91000.
2020-02-14 17:48:28,233 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E90000 - 0x02E91000.
2020-02-14 17:48:28,250 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_25848370228481614522020
2020-02-14 17:48:28,250 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_25848370228481614522020 (size 0x1000)
2020-02-14 17:48:28,250 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E90000.
2020-02-14 17:48:28,250 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e90000 - 0x2e91000.
2020-02-14 17:48:28,250 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02EA0000 and Type=0x1.
2020-02-14 17:48:28,250 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02EA0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,250 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02EA0000
2020-02-14 17:48:28,250 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02EA003C and Type=0x1.
2020-02-14 17:48:28,250 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02EA003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,250 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02EA003C
2020-02-14 17:48:28,250 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02EA0000 (size 0x1000).
2020-02-14 17:48:28,250 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,250 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02EA0000.
2020-02-14 17:48:28,250 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02EA0000 and Type=0x0.
2020-02-14 17:48:28,250 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2ea0000: 0x8b.
2020-02-14 17:48:28,250 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,250 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,250 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02EA0000.
2020-02-14 17:48:28,250 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02EA0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,250 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2ea0000: 0x8b.
2020-02-14 17:48:28,250 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,265 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,265 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02EA003C.
2020-02-14 17:48:28,265 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xe99c5e53 (at 0x02EA003C).
2020-02-14 17:48:28,265 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02EA0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,265 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02EA0000.
2020-02-14 17:48:28,265 [root] DEBUG: Allocation: 0x02EB0000 - 0x02EB1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,265 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,265 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,280 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,280 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,280 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,280 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,280 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:28,280 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02EB0000, size: 0x1000.
2020-02-14 17:48:28,280 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 19.
2020-02-14 17:48:28,280 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02EB0000.
2020-02-14 17:48:28,280 [root] DEBUG: AddTrackedRegion: New region at 0x02EB0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,280 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02EB0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,280 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02EA0000 to 0x02EB0000.
2020-02-14 17:48:28,280 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ea0000 - 0x2ea1000.
2020-02-14 17:48:28,280 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ea0000-0x2ea1000.
2020-02-14 17:48:28,280 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EA0000 - 0x02EA1000.
2020-02-14 17:48:28,312 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_21280777728481614522020
2020-02-14 17:48:28,312 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_21280777728481614522020 (size 0x1000)
2020-02-14 17:48:28,312 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EA0000.
2020-02-14 17:48:28,312 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ea0000 - 0x2ea1000.
2020-02-14 17:48:28,312 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02EB0000 and Type=0x1.
2020-02-14 17:48:28,312 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02EB0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,312 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02EB0000
2020-02-14 17:48:28,312 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02EB003C and Type=0x1.
2020-02-14 17:48:28,312 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02EB003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,312 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02EB003C
2020-02-14 17:48:28,312 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02EB0000 (size 0x1000).
2020-02-14 17:48:28,312 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,312 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02EB0000.
2020-02-14 17:48:28,312 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02EB0000 and Type=0x0.
2020-02-14 17:48:28,312 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2eb0000: 0x8b.
2020-02-14 17:48:28,312 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,328 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,328 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02EB0000.
2020-02-14 17:48:28,328 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02EB0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,328 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2eb0000: 0x8b.
2020-02-14 17:48:28,328 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,328 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,328 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02EB003C.
2020-02-14 17:48:28,328 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x52505250 (at 0x02EB003C).
2020-02-14 17:48:28,328 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02EB0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,328 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02EB0000.
2020-02-14 17:48:28,328 [root] DEBUG: Allocation: 0x02EC0000 - 0x02EC1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,328 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,328 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,328 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:28,342 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:28,342 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02EC0000, size: 0x1000.
2020-02-14 17:48:28,342 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 20.
2020-02-14 17:48:28,342 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02EC0000.
2020-02-14 17:48:28,342 [root] DEBUG: AddTrackedRegion: New region at 0x02EC0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,342 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02EC0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,342 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02EB0000 to 0x02EC0000.
2020-02-14 17:48:28,342 [root] DEBUG: DumpPEsInRange: Scanning range 0x2eb0000 - 0x2eb1000.
2020-02-14 17:48:28,358 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2eb0000-0x2eb1000.
2020-02-14 17:48:28,358 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EB0000 - 0x02EB1000.
2020-02-14 17:48:28,358 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_48550054828481614522020
2020-02-14 17:48:28,358 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_48550054828481614522020 (size 0x1000)
2020-02-14 17:48:28,358 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EB0000.
2020-02-14 17:48:28,358 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2eb0000 - 0x2eb1000.
2020-02-14 17:48:28,358 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02EC0000 and Type=0x1.
2020-02-14 17:48:28,358 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02EC0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,358 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02EC0000
2020-02-14 17:48:28,358 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02EC003C and Type=0x1.
2020-02-14 17:48:28,358 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02EC003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,358 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02EC003C
2020-02-14 17:48:28,358 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02EC0000 (size 0x1000).
2020-02-14 17:48:28,358 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,358 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02EC0000.
2020-02-14 17:48:28,358 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02EC0000 and Type=0x0.
2020-02-14 17:48:28,358 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2ec0000: 0x8b.
2020-02-14 17:48:28,358 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,375 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,375 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02EC0000.
2020-02-14 17:48:28,375 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02EC0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,375 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2ec0000: 0x8b.
2020-02-14 17:48:28,375 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,375 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,375 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02EC003C.
2020-02-14 17:48:28,375 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x02EC0023 and Type=0x1.
2020-02-14 17:48:28,375 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 3 within Context, Size=0x4, Address=0x02EC0033 and Type=0x1.
2020-02-14 17:48:28,375 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02EC0033.
2020-02-14 17:48:28,375 [root] DEBUG: Allocation: 0x02ED0000 - 0x02ED2000, size: 0x2000, protection: 0x40.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,375 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,375 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:28,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:28,390 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02ED0000, size: 0x2000.
2020-02-14 17:48:28,390 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 21.
2020-02-14 17:48:28,390 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02ED0000.
2020-02-14 17:48:28,390 [root] DEBUG: AddTrackedRegion: New region at 0x02ED0000 size 0x2000 added to tracked regions.
2020-02-14 17:48:28,390 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02ED0000, TrackedRegion->RegionSize: 0x2000, thread 340
2020-02-14 17:48:28,390 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02EC0000 to 0x02ED0000.
2020-02-14 17:48:28,390 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ec0000 - 0x2ec1000.
2020-02-14 17:48:28,390 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ec0000-0x2ec1000.
2020-02-14 17:48:28,390 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EC0000 - 0x02EC1000.
2020-02-14 17:48:28,437 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_101333804028481614522020
2020-02-14 17:48:28,437 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_101333804028481614522020 (size 0x1000)
2020-02-14 17:48:28,437 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EC0000.
2020-02-14 17:48:28,437 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ec0000 - 0x2ec1000.
2020-02-14 17:48:28,437 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02ED0000 and Type=0x1.
2020-02-14 17:48:28,437 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02ED0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,437 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02ED0000
2020-02-14 17:48:28,453 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02ED003C and Type=0x1.
2020-02-14 17:48:28,453 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02ED003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,453 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02ED003C
2020-02-14 17:48:28,453 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02ED0000 (size 0x2000).
2020-02-14 17:48:28,453 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,453 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02ED0000.
2020-02-14 17:48:28,453 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02ED0000 and Type=0x0.
2020-02-14 17:48:28,453 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2ed0000: 0x6a.
2020-02-14 17:48:28,453 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,453 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,453 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02ED0000.
2020-02-14 17:48:28,453 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02ED0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,453 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2ed0000: 0x6a.
2020-02-14 17:48:28,453 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,453 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,453 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02ED003C.
2020-02-14 17:48:28,453 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x7a243481 (at 0x02ED003C).
2020-02-14 17:48:28,453 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02ED0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,453 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02ED0000.
2020-02-14 17:48:28,453 [root] DEBUG: FreeHandler: Address: 0x029E0000.
2020-02-14 17:48:28,453 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e2000.
2020-02-14 17:48:28,453 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:28,453 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:28,453 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:28,453 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:28,467 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc698, AllocationBase 0x7a0000.
2020-02-14 17:48:28,467 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc740, AllocationBase 0x29d0000.
2020-02-14 17:48:28,467 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc7e8, AllocationBase 0x29e0000.
2020-02-14 17:48:28,467 [root] DEBUG: DropTrackedRegion: removed pages 0x29e0000-0x29e2000 from tracked region list.
2020-02-14 17:48:28,467 [root] DEBUG: Allocation: 0x029E0000 - 0x029E1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,467 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,467 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:28,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:28,483 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:28,483 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:28,483 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029E0000, size: 0x1000.
2020-02-14 17:48:28,483 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 21.
2020-02-14 17:48:28,483 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029E0000.
2020-02-14 17:48:28,483 [root] DEBUG: AddTrackedRegion: New region at 0x029E0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,483 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029E0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,483 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02ED0000 to 0x029E0000.
2020-02-14 17:48:28,483 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ed0000 - 0x2ed2000.
2020-02-14 17:48:28,483 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ed0000-0x2ed2000.
2020-02-14 17:48:28,483 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02ED0000 - 0x02ED2000.
2020-02-14 17:48:28,483 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_208075362828481614522020
2020-02-14 17:48:28,483 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_208075362828481614522020 (size 0x2000)
2020-02-14 17:48:28,483 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02ED0000.
2020-02-14 17:48:28,483 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ed0000 - 0x2ed2000.
2020-02-14 17:48:28,483 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029E0000 and Type=0x1.
2020-02-14 17:48:28,483 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029E0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,483 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029E0000
2020-02-14 17:48:28,483 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029E003C and Type=0x1.
2020-02-14 17:48:28,483 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029E003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,483 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029E003C
2020-02-14 17:48:28,500 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029E0000 (size 0x1000).
2020-02-14 17:48:28,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:28,500 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,500 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x029E0000 and Type=0x0.
2020-02-14 17:48:28,500 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xc6.
2020-02-14 17:48:28,500 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:28,500 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,500 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,500 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xe1.
2020-02-14 17:48:28,500 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:28,500 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:28,500 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xa2e284c6 (at 0x029E003C).
2020-02-14 17:48:28,500 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,500 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:28,500 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:28,500 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:28,500 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x2b7428e1 (at 0x029E003C).
2020-02-14 17:48:28,500 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,500 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:28,500 [root] DEBUG: Allocation: 0x02EE0000 - 0x02EE1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,500 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,500 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,500 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,500 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:28,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029E0000.
2020-02-14 17:48:28,515 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02EE0000, size: 0x1000.
2020-02-14 17:48:28,515 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 22.
2020-02-14 17:48:28,515 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x02EE0000.
2020-02-14 17:48:28,515 [root] DEBUG: AddTrackedRegion: New region at 0x02EE0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,515 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02EE0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,530 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x029E0000 to 0x02EE0000.
2020-02-14 17:48:28,530 [root] DEBUG: DumpPEsInRange: Scanning range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:28,530 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29e0000-0x29e1000.
2020-02-14 17:48:28,530 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029E0000 - 0x029E1000.
2020-02-14 17:48:28,530 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_55277080128481614522020
2020-02-14 17:48:28,530 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_55277080128481614522020 (size 0x1000)
2020-02-14 17:48:28,530 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x029E0000.
2020-02-14 17:48:28,530 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:28,530 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x02EE0000 and Type=0x1.
2020-02-14 17:48:28,530 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x02EE0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,530 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02EE0000
2020-02-14 17:48:28,530 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x02EE003C and Type=0x1.
2020-02-14 17:48:28,530 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x02EE003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,530 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02EE003C
2020-02-14 17:48:28,530 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02EE0000 (size 0x1000).
2020-02-14 17:48:28,530 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,546 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02EE0000.
2020-02-14 17:48:28,546 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x02EE0000 and Type=0x0.
2020-02-14 17:48:28,546 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2ee0000: 0x8b.
2020-02-14 17:48:28,546 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,546 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,546 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02EE0000.
2020-02-14 17:48:28,546 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02EE0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,546 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2ee0000: 0x8b.
2020-02-14 17:48:28,546 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,546 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x005472E1 (thread 340)
2020-02-14 17:48:28,546 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02EE003C.
2020-02-14 17:48:28,546 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x5250310f (at 0x02EE003C).
2020-02-14 17:48:28,546 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x02EE0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,546 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02EE0000.
2020-02-14 17:48:28,546 [root] DEBUG: FreeHandler: Address: 0x029E0000.
2020-02-14 17:48:28,546 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:28,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:28,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:28,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:28,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:28,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc698, AllocationBase 0x7a0000.
2020-02-14 17:48:28,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc740, AllocationBase 0x29d0000.
2020-02-14 17:48:28,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc890, AllocationBase 0x29f0000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc938, AllocationBase 0x2b00000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afe18, AllocationBase 0x2b10000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afec0, AllocationBase 0x2e20000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19aff68, AllocationBase 0x2e30000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0010, AllocationBase 0x2e40000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b08b8, AllocationBase 0x2e50000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0960, AllocationBase 0x2e60000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0a08, AllocationBase 0x2e70000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0ab0, AllocationBase 0x2e80000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0b70, AllocationBase 0x2e90000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0c18, AllocationBase 0x2ea0000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0cc0, AllocationBase 0x2eb0000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0d68, AllocationBase 0x2ec0000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0e10, AllocationBase 0x2ed0000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0eb8, AllocationBase 0x29e0000.
2020-02-14 17:48:28,562 [root] DEBUG: DropTrackedRegion: removed pages 0x29e0000-0x29e1000 from tracked region list.
2020-02-14 17:48:28,562 [root] DEBUG: Allocation: 0x029E0000 - 0x029E1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,562 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,562 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:28,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:28,592 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EE0000.
2020-02-14 17:48:28,592 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029E0000, size: 0x1000.
2020-02-14 17:48:28,592 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 22.
2020-02-14 17:48:28,592 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029E0000.
2020-02-14 17:48:28,592 [root] DEBUG: AddTrackedRegion: New region at 0x029E0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,592 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029E0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,592 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02EE0000 to 0x029E0000.
2020-02-14 17:48:28,592 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ee0000 - 0x2ee1000.
2020-02-14 17:48:28,592 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ee0000-0x2ee1000.
2020-02-14 17:48:28,592 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EE0000 - 0x02EE1000.
2020-02-14 17:48:28,592 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_56733578928481614522020
2020-02-14 17:48:28,592 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_56733578928481614522020 (size 0x1000)
2020-02-14 17:48:28,608 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EE0000.
2020-02-14 17:48:28,608 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ee0000 - 0x2ee1000.
2020-02-14 17:48:28,608 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029E0000 and Type=0x1.
2020-02-14 17:48:28,608 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029E0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,608 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029E0000
2020-02-14 17:48:28,608 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029E003C and Type=0x1.
2020-02-14 17:48:28,608 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029E003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,608 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029E003C
2020-02-14 17:48:28,608 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029E0000 (size 0x1000).
2020-02-14 17:48:28,608 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:28,608 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,608 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x029E0000 and Type=0x0.
2020-02-14 17:48:28,625 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0x3d.
2020-02-14 17:48:28,625 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,625 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:28,625 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,625 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,625 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0x58.
2020-02-14 17:48:28,625 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,625 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:28,625 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:28,625 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x78fe2cce (at 0x029E003C).
2020-02-14 17:48:28,625 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,625 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:28,625 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:28,625 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:28,625 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x18fd0e9 (at 0x029E003C).
2020-02-14 17:48:28,625 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,625 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:28,640 [root] DEBUG: FreeHandler: Address: 0x029E0000.
2020-02-14 17:48:28,640 [root] DEBUG: DumpPEsInRange: Scanning range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:28,640 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29e0000-0x29e1000.
2020-02-14 17:48:28,640 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029E0000 - 0x029E1000.
2020-02-14 17:48:28,640 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_153697382428481614522020
2020-02-14 17:48:28,640 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_153697382428481614522020 (size 0x1000)
2020-02-14 17:48:28,640 [root] DEBUG: FreeHandler: dumped executable memory range at 0x029E0000 prior to its freeing.
2020-02-14 17:48:28,640 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:28,640 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x029E0000.
2020-02-14 17:48:28,671 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x029E003C.
2020-02-14 17:48:28,671 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x029E0000.
2020-02-14 17:48:28,671 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:28,671 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc698, AllocationBase 0x7a0000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc740, AllocationBase 0x29d0000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc890, AllocationBase 0x29f0000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc938, AllocationBase 0x2b00000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afe18, AllocationBase 0x2b10000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afec0, AllocationBase 0x2e20000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19aff68, AllocationBase 0x2e30000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0010, AllocationBase 0x2e40000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b08b8, AllocationBase 0x2e50000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0960, AllocationBase 0x2e60000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0a08, AllocationBase 0x2e70000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0ab0, AllocationBase 0x2e80000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0b70, AllocationBase 0x2e90000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0c18, AllocationBase 0x2ea0000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0cc0, AllocationBase 0x2eb0000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0d68, AllocationBase 0x2ec0000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0e10, AllocationBase 0x2ed0000.
2020-02-14 17:48:28,687 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0f60, AllocationBase 0x2ee0000.
2020-02-14 17:48:28,703 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0eb8, AllocationBase 0x29e0000.
2020-02-14 17:48:28,703 [root] DEBUG: DropTrackedRegion: removed pages 0x29e0000-0x29e1000 from the end of the tracked region list.
2020-02-14 17:48:28,703 [root] DEBUG: Allocation: 0x029E0000 - 0x029E1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,703 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,703 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,703 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:28,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:28,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:28,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:28,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EE0000.
2020-02-14 17:48:28,717 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029E0000, size: 0x1000.
2020-02-14 17:48:28,717 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 22.
2020-02-14 17:48:28,717 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029E0000.
2020-02-14 17:48:28,717 [root] DEBUG: AddTrackedRegion: New region at 0x029E0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,717 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029E0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,717 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029E0000 and Type=0x1.
2020-02-14 17:48:28,717 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029E0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,717 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029E0000
2020-02-14 17:48:28,717 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029E003C and Type=0x1.
2020-02-14 17:48:28,717 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029E003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,733 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029E003C
2020-02-14 17:48:28,733 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029E0000 (size 0x1000).
2020-02-14 17:48:28,733 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:28,733 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,733 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x029E0000 and Type=0x0.
2020-02-14 17:48:28,733 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0x94.
2020-02-14 17:48:28,733 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,733 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:28,733 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,733 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,733 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xaf.
2020-02-14 17:48:28,733 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,733 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:28,733 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:28,733 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x2d13bef2 (at 0x029E003C).
2020-02-14 17:48:28,733 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,733 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:28,733 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:28,750 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:28,750 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xb5a5630d (at 0x029E003C).
2020-02-14 17:48:28,750 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,750 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:28,828 [root] DEBUG: FreeHandler: Address: 0x029E0000.
2020-02-14 17:48:28,828 [root] DEBUG: DumpPEsInRange: Scanning range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:28,828 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29e0000-0x29e1000.
2020-02-14 17:48:28,842 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029E0000 - 0x029E1000.
2020-02-14 17:48:28,842 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_171130761028481614522020
2020-02-14 17:48:28,842 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_171130761028481614522020 (size 0x1000)
2020-02-14 17:48:28,842 [root] DEBUG: FreeHandler: dumped executable memory range at 0x029E0000 prior to its freeing.
2020-02-14 17:48:28,842 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:28,842 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x029E0000.
2020-02-14 17:48:28,842 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x029E003C.
2020-02-14 17:48:28,842 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x029E0000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc698, AllocationBase 0x7a0000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc740, AllocationBase 0x29d0000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc890, AllocationBase 0x29f0000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc938, AllocationBase 0x2b00000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afe18, AllocationBase 0x2b10000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afec0, AllocationBase 0x2e20000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19aff68, AllocationBase 0x2e30000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0010, AllocationBase 0x2e40000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b08b8, AllocationBase 0x2e50000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0960, AllocationBase 0x2e60000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0a08, AllocationBase 0x2e70000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0ab0, AllocationBase 0x2e80000.
2020-02-14 17:48:28,858 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0b70, AllocationBase 0x2e90000.
2020-02-14 17:48:28,875 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0c18, AllocationBase 0x2ea0000.
2020-02-14 17:48:28,875 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0cc0, AllocationBase 0x2eb0000.
2020-02-14 17:48:28,875 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0d68, AllocationBase 0x2ec0000.
2020-02-14 17:48:28,875 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0e10, AllocationBase 0x2ed0000.
2020-02-14 17:48:28,875 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0f60, AllocationBase 0x2ee0000.
2020-02-14 17:48:28,875 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0eb8, AllocationBase 0x29e0000.
2020-02-14 17:48:28,875 [root] DEBUG: DropTrackedRegion: removed pages 0x29e0000-0x29e1000 from the end of the tracked region list.
2020-02-14 17:48:28,875 [root] DEBUG: Allocation: 0x029E0000 - 0x029E1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,875 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,875 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,875 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:28,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EE0000.
2020-02-14 17:48:28,890 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029E0000, size: 0x1000.
2020-02-14 17:48:28,890 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 22.
2020-02-14 17:48:28,890 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029E0000.
2020-02-14 17:48:28,890 [root] DEBUG: AddTrackedRegion: New region at 0x029E0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,890 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029E0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,905 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029E0000 and Type=0x1.
2020-02-14 17:48:28,905 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029E0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,905 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029E0000
2020-02-14 17:48:28,905 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029E003C and Type=0x1.
2020-02-14 17:48:28,905 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029E003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,905 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029E003C
2020-02-14 17:48:28,905 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029E0000 (size 0x1000).
2020-02-14 17:48:28,905 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:28,905 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,905 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x029E0000 and Type=0x0.
2020-02-14 17:48:28,905 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0x99.
2020-02-14 17:48:28,905 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,905 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:28,905 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,905 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,905 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xb4.
2020-02-14 17:48:28,905 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,921 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:28,921 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:28,921 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x9266e9cb (at 0x029E003C).
2020-02-14 17:48:28,921 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,921 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:28,921 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:28,921 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:28,921 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x1af88de6 (at 0x029E003C).
2020-02-14 17:48:28,921 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,921 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:28,921 [root] DEBUG: FreeHandler: Address: 0x029E0000.
2020-02-14 17:48:28,921 [root] DEBUG: DumpPEsInRange: Scanning range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:28,921 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29e0000-0x29e1000.
2020-02-14 17:48:28,921 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029E0000 - 0x029E1000.
2020-02-14 17:48:28,921 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_174853955928481614522020
2020-02-14 17:48:28,921 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_174853955928481614522020 (size 0x1000)
2020-02-14 17:48:28,937 [root] DEBUG: FreeHandler: dumped executable memory range at 0x029E0000 prior to its freeing.
2020-02-14 17:48:28,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:28,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x029E0000.
2020-02-14 17:48:28,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x029E003C.
2020-02-14 17:48:28,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x029E0000.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc698, AllocationBase 0x7a0000.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc740, AllocationBase 0x29d0000.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc890, AllocationBase 0x29f0000.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc938, AllocationBase 0x2b00000.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afe18, AllocationBase 0x2b10000.
2020-02-14 17:48:28,937 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afec0, AllocationBase 0x2e20000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19aff68, AllocationBase 0x2e30000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0010, AllocationBase 0x2e40000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b08b8, AllocationBase 0x2e50000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0960, AllocationBase 0x2e60000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0a08, AllocationBase 0x2e70000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0ab0, AllocationBase 0x2e80000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0b70, AllocationBase 0x2e90000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0c18, AllocationBase 0x2ea0000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0cc0, AllocationBase 0x2eb0000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0d68, AllocationBase 0x2ec0000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0e10, AllocationBase 0x2ed0000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0f60, AllocationBase 0x2ee0000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0eb8, AllocationBase 0x29e0000.
2020-02-14 17:48:28,953 [root] DEBUG: DropTrackedRegion: removed pages 0x29e0000-0x29e1000 from the end of the tracked region list.
2020-02-14 17:48:28,953 [root] DEBUG: Allocation: 0x029E0000 - 0x029E1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:28,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:28,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:28,953 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,953 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:28,953 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:28,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:28,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EE0000.
2020-02-14 17:48:28,967 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029E0000, size: 0x1000.
2020-02-14 17:48:28,983 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 22.
2020-02-14 17:48:28,983 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029E0000.
2020-02-14 17:48:28,983 [root] DEBUG: AddTrackedRegion: New region at 0x029E0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:28,983 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029E0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:28,983 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029E0000 and Type=0x1.
2020-02-14 17:48:28,983 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029E0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:28,983 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029E0000
2020-02-14 17:48:28,983 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029E003C and Type=0x1.
2020-02-14 17:48:28,983 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029E003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:28,983 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029E003C
2020-02-14 17:48:28,983 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029E0000 (size 0x1000).
2020-02-14 17:48:28,983 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:28,983 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,983 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x029E0000 and Type=0x0.
2020-02-14 17:48:28,983 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0x8d.
2020-02-14 17:48:28,983 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:28,983 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:28,983 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:28,983 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:28,983 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xa8.
2020-02-14 17:48:28,983 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:29,000 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:29,000 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:29,000 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x4b1b2d6d (at 0x029E003C).
2020-02-14 17:48:29,000 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:29,000 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:29,000 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:29,000 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:29,000 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xd3acd188 (at 0x029E003C).
2020-02-14 17:48:29,000 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:29,000 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:29,000 [root] DEBUG: FreeHandler: Address: 0x029E0000.
2020-02-14 17:48:29,000 [root] DEBUG: DumpPEsInRange: Scanning range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:29,000 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29e0000-0x29e1000.
2020-02-14 17:48:29,000 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029E0000 - 0x029E1000.
2020-02-14 17:48:29,000 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_029481614522020
2020-02-14 17:48:29,000 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_029481614522020 (size 0x1000)
2020-02-14 17:48:29,000 [root] DEBUG: FreeHandler: dumped executable memory range at 0x029E0000 prior to its freeing.
2020-02-14 17:48:29,000 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:29,000 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x029E0000.
2020-02-14 17:48:29,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x029E003C.
2020-02-14 17:48:29,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x029E0000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc698, AllocationBase 0x7a0000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc740, AllocationBase 0x29d0000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc890, AllocationBase 0x29f0000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc938, AllocationBase 0x2b00000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afe18, AllocationBase 0x2b10000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afec0, AllocationBase 0x2e20000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19aff68, AllocationBase 0x2e30000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0010, AllocationBase 0x2e40000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b08b8, AllocationBase 0x2e50000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0960, AllocationBase 0x2e60000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0a08, AllocationBase 0x2e70000.
2020-02-14 17:48:29,015 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0ab0, AllocationBase 0x2e80000.
2020-02-14 17:48:29,030 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0b70, AllocationBase 0x2e90000.
2020-02-14 17:48:29,030 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0c18, AllocationBase 0x2ea0000.
2020-02-14 17:48:29,030 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0cc0, AllocationBase 0x2eb0000.
2020-02-14 17:48:29,030 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0d68, AllocationBase 0x2ec0000.
2020-02-14 17:48:29,030 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0e10, AllocationBase 0x2ed0000.
2020-02-14 17:48:29,030 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0f60, AllocationBase 0x2ee0000.
2020-02-14 17:48:29,030 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0eb8, AllocationBase 0x29e0000.
2020-02-14 17:48:29,030 [root] DEBUG: DropTrackedRegion: removed pages 0x29e0000-0x29e1000 from the end of the tracked region list.
2020-02-14 17:48:29,030 [root] DEBUG: Allocation: 0x029E0000 - 0x029E1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:29,030 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:29,030 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:29,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:29,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:29,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:29,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:29,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:29,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:29,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EE0000.
2020-02-14 17:48:29,046 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029E0000, size: 0x1000.
2020-02-14 17:48:29,046 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 22.
2020-02-14 17:48:29,046 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029E0000.
2020-02-14 17:48:29,046 [root] DEBUG: AddTrackedRegion: New region at 0x029E0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:29,046 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029E0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:29,046 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029E0000 and Type=0x1.
2020-02-14 17:48:29,046 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029E0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:29,046 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029E0000
2020-02-14 17:48:29,046 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029E003C and Type=0x1.
2020-02-14 17:48:29,046 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029E003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:29,046 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029E003C
2020-02-14 17:48:29,046 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029E0000 (size 0x1000).
2020-02-14 17:48:29,046 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:29,046 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:29,046 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x029E0000 and Type=0x0.
2020-02-14 17:48:29,046 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0x8a.
2020-02-14 17:48:29,046 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:29,046 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:29,062 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:29,062 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:29,062 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xa5.
2020-02-14 17:48:29,062 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:29,062 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:29,062 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:29,062 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xb1c7daef (at 0x029E003C).
2020-02-14 17:48:29,062 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:29,062 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:29,062 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:29,062 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:29,062 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x3a597f0a (at 0x029E003C).
2020-02-14 17:48:29,062 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:29,062 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:29,062 [root] DEBUG: FreeHandler: Address: 0x029E0000.
2020-02-14 17:48:29,062 [root] DEBUG: DumpPEsInRange: Scanning range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:29,062 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29e0000-0x29e1000.
2020-02-14 17:48:29,062 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029E0000 - 0x029E1000.
2020-02-14 17:48:29,078 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_78583406029481614522020
2020-02-14 17:48:29,078 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_78583406029481614522020 (size 0x1000)
2020-02-14 17:48:29,078 [root] DEBUG: FreeHandler: dumped executable memory range at 0x029E0000 prior to its freeing.
2020-02-14 17:48:29,078 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:29,078 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x029E0000.
2020-02-14 17:48:29,078 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x029E003C.
2020-02-14 17:48:29,078 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x029E0000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc698, AllocationBase 0x7a0000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc740, AllocationBase 0x29d0000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc890, AllocationBase 0x29f0000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc938, AllocationBase 0x2b00000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afe18, AllocationBase 0x2b10000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afec0, AllocationBase 0x2e20000.
2020-02-14 17:48:29,078 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19aff68, AllocationBase 0x2e30000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0010, AllocationBase 0x2e40000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b08b8, AllocationBase 0x2e50000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0960, AllocationBase 0x2e60000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0a08, AllocationBase 0x2e70000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0ab0, AllocationBase 0x2e80000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0b70, AllocationBase 0x2e90000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0c18, AllocationBase 0x2ea0000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0cc0, AllocationBase 0x2eb0000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0d68, AllocationBase 0x2ec0000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0e10, AllocationBase 0x2ed0000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0f60, AllocationBase 0x2ee0000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0eb8, AllocationBase 0x29e0000.
2020-02-14 17:48:29,092 [root] DEBUG: DropTrackedRegion: removed pages 0x29e0000-0x29e1000 from the end of the tracked region list.
2020-02-14 17:48:29,092 [root] DEBUG: Allocation: 0x029E0000 - 0x029E1000, size: 0x1000, protection: 0x40.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:29,092 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:29,092 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00790000.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x007A0000.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029D0000.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:29,092 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:29,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EE0000.
2020-02-14 17:48:29,108 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x029E0000, size: 0x1000.
2020-02-14 17:48:29,108 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 22.
2020-02-14 17:48:29,108 [root] DEBUG: AddTrackedRegion: Created new tracked region for address 0x029E0000.
2020-02-14 17:48:29,108 [root] DEBUG: AddTrackedRegion: New region at 0x029E0000 size 0x1000 added to tracked regions.
2020-02-14 17:48:29,108 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x029E0000, TrackedRegion->RegionSize: 0x1000, thread 340
2020-02-14 17:48:29,108 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xc0, Size=0x2, Address=0x029E0000 and Type=0x1.
2020-02-14 17:48:29,108 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 340 type 1 at address 0x029E0000, size 2 with Callback 0x6c3b7890.
2020-02-14 17:48:29,108 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x029E0000
2020-02-14 17:48:29,108 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xc0, Size=0x4, Address=0x029E003C and Type=0x1.
2020-02-14 17:48:29,108 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 340 type 1 at address 0x029E003C, size 4 with Callback 0x6c3b74e0.
2020-02-14 17:48:29,108 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x029E003C
2020-02-14 17:48:29,108 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x029E0000 (size 0x1000).
2020-02-14 17:48:29,108 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:29,108 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:29,125 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x029E0000 and Type=0x0.
2020-02-14 17:48:29,125 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xc9.
2020-02-14 17:48:29,125 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:29,125 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:29,125 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x029E0000.
2020-02-14 17:48:29,125 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:29,125 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x29e0000: 0xe4.
2020-02-14 17:48:29,125 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-02-14 17:48:29,125 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DDB (thread 340)
2020-02-14 17:48:29,125 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:29,125 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xe7bdd0c3 (at 0x029E003C).
2020-02-14 17:48:29,125 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:29,125 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:29,125 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00543DE1 (thread 340)
2020-02-14 17:48:29,125 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x029E003C.
2020-02-14 17:48:29,125 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x704f74de (at 0x029E003C).
2020-02-14 17:48:29,125 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x029E0000 already exists for thread 340 (process 3468), skipping.
2020-02-14 17:48:29,125 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x029E0000.
2020-02-14 17:48:29,125 [root] DEBUG: FreeHandler: Address: 0x029E0000.
2020-02-14 17:48:29,125 [root] DEBUG: DumpPEsInRange: Scanning range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:29,125 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29e0000-0x29e1000.
2020-02-14 17:48:29,125 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029E0000 - 0x029E1000.
2020-02-14 17:48:29,125 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_91183525029481614522020
2020-02-14 17:48:29,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_91183525029481614522020 (size 0x1000)
2020-02-14 17:48:29,140 [root] DEBUG: FreeHandler: dumped executable memory range at 0x029E0000 prior to its freeing.
2020-02-14 17:48:29,140 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29e0000 - 0x29e1000.
2020-02-14 17:48:29,140 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x029E0000.
2020-02-14 17:48:29,140 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x029E003C.
2020-02-14 17:48:29,140 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x029E0000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc698, AllocationBase 0x7a0000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc740, AllocationBase 0x29d0000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc890, AllocationBase 0x29f0000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc938, AllocationBase 0x2b00000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afe18, AllocationBase 0x2b10000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19afec0, AllocationBase 0x2e20000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19aff68, AllocationBase 0x2e30000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0010, AllocationBase 0x2e40000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b08b8, AllocationBase 0x2e50000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0960, AllocationBase 0x2e60000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0a08, AllocationBase 0x2e70000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0ab0, AllocationBase 0x2e80000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0b70, AllocationBase 0x2e90000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0c18, AllocationBase 0x2ea0000.
2020-02-14 17:48:29,140 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0cc0, AllocationBase 0x2eb0000.
2020-02-14 17:48:29,155 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0d68, AllocationBase 0x2ec0000.
2020-02-14 17:48:29,155 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0e10, AllocationBase 0x2ed0000.
2020-02-14 17:48:29,155 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0f60, AllocationBase 0x2ee0000.
2020-02-14 17:48:29,155 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19b0eb8, AllocationBase 0x29e0000.
2020-02-14 17:48:29,155 [root] DEBUG: DropTrackedRegion: removed pages 0x29e0000-0x29e1000 from the end of the tracked region list.
2020-02-14 17:48:29,155 [root] DEBUG: FreeHandler: Address: 0x007A0000.
2020-02-14 17:48:29,155 [root] DEBUG: DumpPEsInRange: Scanning range 0x7a0000 - 0x7a2000.
2020-02-14 17:48:29,155 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x7a0000-0x7a2000.
2020-02-14 17:48:29,155 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x007A0000 - 0x007A2000.
2020-02-14 17:48:29,155 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_185460006829481614522020
2020-02-14 17:48:29,155 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_185460006829481614522020 (size 0x2000)
2020-02-14 17:48:29,155 [root] DEBUG: FreeHandler: dumped executable memory range at 0x007A0000 prior to its freeing.
2020-02-14 17:48:29,155 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x7a0000 - 0x7a2000.
2020-02-14 17:48:29,155 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:29,155 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:29,171 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:29,171 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:29,171 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc698, AllocationBase 0x7a0000.
2020-02-14 17:48:29,171 [root] DEBUG: DropTrackedRegion: removed pages 0x7a0000-0x7a2000 from tracked region list.
2020-02-14 17:48:29,171 [root] DEBUG: FreeHandler: Address: 0x029D0000.
2020-02-14 17:48:29,171 [root] DEBUG: DumpPEsInRange: Scanning range 0x29d0000 - 0x29e0000.
2020-02-14 17:48:29,171 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29d0000-0x29e0000.
2020-02-14 17:48:29,171 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029D0000 - 0x029E0000.
2020-02-14 17:48:29,546 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_162227821729481614522020
2020-02-14 17:48:29,546 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_162227821729481614522020 (size 0x10000)
2020-02-14 17:48:29,546 [root] DEBUG: FreeHandler: dumped executable memory range at 0x029D0000 prior to its freeing.
2020-02-14 17:48:29,546 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29d0000 - 0x29e0000.
2020-02-14 17:48:29,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:29,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:29,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:29,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:29,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc740, AllocationBase 0x29d0000.
2020-02-14 17:48:29,546 [root] DEBUG: DropTrackedRegion: removed pages 0x29d0000-0x29e0000 from tracked region list.
2020-02-14 17:48:29,546 [root] DEBUG: FreeHandler: Address: 0x00790000.
2020-02-14 17:48:29,546 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x790000 - 0x791000.
2020-02-14 17:48:29,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bec48, AllocationBase 0x0.
2020-02-14 17:48:29,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19becf0, AllocationBase 0x2c0000.
2020-02-14 17:48:29,546 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc548, AllocationBase 0x780000.
2020-02-14 17:48:29,562 [root] DEBUG: DropTrackedRegion: CurrentTrackedRegion 0x19bc5f0, AllocationBase 0x790000.
2020-02-14 17:48:29,562 [root] DEBUG: DropTrackedRegion: removed pages 0x790000-0x791000 from tracked region list.
2020-02-14 17:48:29,562 [root] DEBUG: set_caller_info: Adding region at 0x02E30000 to caller regions list (ntdll::memcpy).
2020-02-14 17:48:29,562 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e30000 - 0x2e31000.
2020-02-14 17:48:29,562 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e30000-0x2e31000.
2020-02-14 17:48:29,562 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E30000 - 0x02E31000.
2020-02-14 17:48:29,562 [root] DEBUG: set_caller_info: Adding region at 0x015C0000 to caller regions list (kernel32::GetSystemTime).
2020-02-14 17:48:29,780 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_49124338029152214522020
2020-02-14 17:48:29,780 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_49124338029152214522020 (size 0x1000)
2020-02-14 17:48:29,796 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E30000.
2020-02-14 17:48:29,796 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e30000 - 0x2e31000.
2020-02-14 17:48:29,796 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 3468).
2020-02-14 17:48:29,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:29,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:29,796 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:29,796 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:29,812 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:29,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:29,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:29,812 [root] DEBUG: DumpPEsInRange: Scanning range 0x29f0000 - 0x29f1000.
2020-02-14 17:48:29,812 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29f0000-0x29f1000.
2020-02-14 17:48:29,812 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029F0000 - 0x029F1000.
2020-02-14 17:48:29,812 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_196116680029152214522020
2020-02-14 17:48:29,812 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_196116680029152214522020 (size 0x1000)
2020-02-14 17:48:29,812 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x029F0000.
2020-02-14 17:48:29,812 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29f0000 - 0x29f1000.
2020-02-14 17:48:29,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:29,828 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b00000 - 0x2b01000.
2020-02-14 17:48:29,828 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b00000-0x2b01000.
2020-02-14 17:48:29,828 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02B00000 - 0x02B01000.
2020-02-14 17:48:29,828 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_75713683229152214522020
2020-02-14 17:48:29,828 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_75713683229152214522020 (size 0x1000)
2020-02-14 17:48:29,828 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02B00000.
2020-02-14 17:48:29,828 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b00000 - 0x2b01000.
2020-02-14 17:48:29,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:29,828 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b10000 - 0x2b11000.
2020-02-14 17:48:29,828 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b10000-0x2b11000.
2020-02-14 17:48:29,828 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02B10000 - 0x02B11000.
2020-02-14 17:48:29,842 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_200945954429152214522020
2020-02-14 17:48:29,842 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_200945954429152214522020 (size 0x1000)
2020-02-14 17:48:29,842 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02B10000.
2020-02-14 17:48:29,842 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b10000 - 0x2b11000.
2020-02-14 17:48:29,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:29,842 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e20000 - 0x2e21000.
2020-02-14 17:48:29,842 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e20000-0x2e21000.
2020-02-14 17:48:29,842 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E20000 - 0x02E21000.
2020-02-14 17:48:30,000 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_182307977629152214522020
2020-02-14 17:48:30,000 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_182307977629152214522020 (size 0x1000)
2020-02-14 17:48:30,015 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E20000.
2020-02-14 17:48:30,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e20000 - 0x2e21000.
2020-02-14 17:48:30,015 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:30,015 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e30000 - 0x2e31000.
2020-02-14 17:48:30,015 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e30000-0x2e31000.
2020-02-14 17:48:30,015 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E30000 - 0x02E31000.
2020-02-14 17:48:30,015 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_186351868430152214522020
2020-02-14 17:48:30,015 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_186351868430152214522020 (size 0x1000)
2020-02-14 17:48:30,015 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E30000.
2020-02-14 17:48:30,015 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e30000 - 0x2e31000.
2020-02-14 17:48:30,015 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:30,015 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e40000 - 0x2e41000.
2020-02-14 17:48:30,015 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e40000-0x2e41000.
2020-02-14 17:48:30,015 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E40000 - 0x02E41000.
2020-02-14 17:48:30,030 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_92633759630152214522020
2020-02-14 17:48:30,030 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_92633759630152214522020 (size 0x1000)
2020-02-14 17:48:30,030 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E40000.
2020-02-14 17:48:30,030 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e40000 - 0x2e41000.
2020-02-14 17:48:30,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:30,030 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e50000 - 0x2e51000.
2020-02-14 17:48:30,030 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e50000-0x2e51000.
2020-02-14 17:48:30,030 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E50000 - 0x02E51000.
2020-02-14 17:48:30,108 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_18084215730152214522020
2020-02-14 17:48:30,108 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_18084215730152214522020 (size 0x1000)
2020-02-14 17:48:30,108 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E50000.
2020-02-14 17:48:30,108 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e50000 - 0x2e51000.
2020-02-14 17:48:30,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:30,125 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e60000 - 0x2e61000.
2020-02-14 17:48:30,125 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e60000-0x2e61000.
2020-02-14 17:48:30,125 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E60000 - 0x02E61000.
2020-02-14 17:48:30,125 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_11913290830152214522020
2020-02-14 17:48:30,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_11913290830152214522020 (size 0x1000)
2020-02-14 17:48:30,125 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E60000.
2020-02-14 17:48:30,125 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e60000 - 0x2e61000.
2020-02-14 17:48:30,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:30,125 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e70000 - 0x2e71000.
2020-02-14 17:48:30,125 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e70000-0x2e71000.
2020-02-14 17:48:30,125 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E70000 - 0x02E71000.
2020-02-14 17:48:30,125 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_188339771130152214522020
2020-02-14 17:48:30,125 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_188339771130152214522020 (size 0x1000)
2020-02-14 17:48:30,140 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E70000.
2020-02-14 17:48:30,140 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e70000 - 0x2e71000.
2020-02-14 17:48:30,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:30,140 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e80000 - 0x2e81000.
2020-02-14 17:48:30,140 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e80000-0x2e81000.
2020-02-14 17:48:30,140 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E80000 - 0x02E81000.
2020-02-14 17:48:30,140 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_164964554030152214522020
2020-02-14 17:48:30,140 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_164964554030152214522020 (size 0x1000)
2020-02-14 17:48:30,140 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E80000.
2020-02-14 17:48:30,140 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e80000 - 0x2e81000.
2020-02-14 17:48:30,140 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:30,140 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e90000 - 0x2e91000.
2020-02-14 17:48:30,140 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e90000-0x2e91000.
2020-02-14 17:48:30,140 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E90000 - 0x02E91000.
2020-02-14 17:48:30,155 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_183896198430152214522020
2020-02-14 17:48:30,155 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_183896198430152214522020 (size 0x1000)
2020-02-14 17:48:30,155 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E90000.
2020-02-14 17:48:30,155 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e90000 - 0x2e91000.
2020-02-14 17:48:30,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:30,155 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ea0000 - 0x2ea1000.
2020-02-14 17:48:30,155 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ea0000-0x2ea1000.
2020-02-14 17:48:30,155 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EA0000 - 0x02EA1000.
2020-02-14 17:48:30,155 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_54886004430152214522020
2020-02-14 17:48:30,155 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_54886004430152214522020 (size 0x1000)
2020-02-14 17:48:30,155 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EA0000.
2020-02-14 17:48:30,155 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ea0000 - 0x2ea1000.
2020-02-14 17:48:30,155 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:30,155 [root] DEBUG: DumpPEsInRange: Scanning range 0x2eb0000 - 0x2eb1000.
2020-02-14 17:48:30,155 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2eb0000-0x2eb1000.
2020-02-14 17:48:30,155 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EB0000 - 0x02EB1000.
2020-02-14 17:48:30,171 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_156892449230152214522020
2020-02-14 17:48:30,171 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_156892449230152214522020 (size 0x1000)
2020-02-14 17:48:30,171 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EB0000.
2020-02-14 17:48:30,171 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2eb0000 - 0x2eb1000.
2020-02-14 17:48:30,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:30,171 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ec0000 - 0x2ec1000.
2020-02-14 17:48:30,171 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ec0000-0x2ec1000.
2020-02-14 17:48:30,171 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EC0000 - 0x02EC1000.
2020-02-14 17:48:30,171 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_18130831430152214522020
2020-02-14 17:48:30,171 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_18130831430152214522020 (size 0x1000)
2020-02-14 17:48:30,171 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EC0000.
2020-02-14 17:48:30,171 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ec0000 - 0x2ec1000.
2020-02-14 17:48:30,171 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:30,171 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ed0000 - 0x2ed2000.
2020-02-14 17:48:30,171 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ed0000-0x2ed2000.
2020-02-14 17:48:30,187 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02ED0000 - 0x02ED2000.
2020-02-14 17:48:30,187 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_47463265330152214522020
2020-02-14 17:48:30,187 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_47463265330152214522020 (size 0x2000)
2020-02-14 17:48:30,187 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02ED0000.
2020-02-14 17:48:30,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ed0000 - 0x2ed2000.
2020-02-14 17:48:30,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EE0000.
2020-02-14 17:48:30,187 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ee0000 - 0x2ee1000.
2020-02-14 17:48:30,187 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ee0000-0x2ee1000.
2020-02-14 17:48:30,187 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EE0000 - 0x02EE1000.
2020-02-14 17:48:30,187 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_1159969630152214522020
2020-02-14 17:48:30,203 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_1159969630152214522020 (size 0x1000)
2020-02-14 17:48:30,203 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EE0000.
2020-02-14 17:48:30,203 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ee0000 - 0x2ee1000.
2020-02-14 17:48:30,203 [root] DEBUG: DLL unloaded from 0x75270000.
2020-02-14 17:48:30,203 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 3468).
2020-02-14 17:48:30,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-02-14 17:48:30,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x002C0000.
2020-02-14 17:48:30,203 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:30,203 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 6, RVA 0x81616349 and size 0x311d83.
2020-02-14 17:48:30,203 [root] DEBUG: ProcessImageBase: EP 0x00000000 image base 0x002C0000 size 0x0 entropy 0.000000e+00.
2020-02-14 17:48:30,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00780000.
2020-02-14 17:48:30,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x029F0000.
2020-02-14 17:48:30,203 [root] DEBUG: DumpPEsInRange: Scanning range 0x29f0000 - 0x29f1000.
2020-02-14 17:48:30,203 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x29f0000-0x29f1000.
2020-02-14 17:48:30,203 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x029F0000 - 0x029F1000.
2020-02-14 17:48:30,203 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_22098435110172214522020
2020-02-14 17:48:30,203 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_22098435110172214522020 (size 0x1000)
2020-02-14 17:48:30,217 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x029F0000.
2020-02-14 17:48:30,217 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x29f0000 - 0x29f1000.
2020-02-14 17:48:30,217 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B00000.
2020-02-14 17:48:30,217 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b00000 - 0x2b01000.
2020-02-14 17:48:30,217 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b00000-0x2b01000.
2020-02-14 17:48:30,217 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02B00000 - 0x02B01000.
2020-02-14 17:48:30,217 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_33757471610172214522020
2020-02-14 17:48:30,217 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_33757471610172214522020 (size 0x1000)
2020-02-14 17:48:30,217 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02B00000.
2020-02-14 17:48:30,217 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b00000 - 0x2b01000.
2020-02-14 17:48:30,217 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-02-14 17:48:30,217 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b10000 - 0x2b11000.
2020-02-14 17:48:30,217 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b10000-0x2b11000.
2020-02-14 17:48:30,217 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02B10000 - 0x02B11000.
2020-02-14 17:48:30,233 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_94636549210172214522020
2020-02-14 17:48:30,233 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_94636549210172214522020 (size 0x1000)
2020-02-14 17:48:30,233 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02B10000.
2020-02-14 17:48:30,233 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b10000 - 0x2b11000.
2020-02-14 17:48:30,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E20000.
2020-02-14 17:48:30,233 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e20000 - 0x2e21000.
2020-02-14 17:48:30,233 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e20000-0x2e21000.
2020-02-14 17:48:30,233 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E20000 - 0x02E21000.
2020-02-14 17:48:30,233 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_128535956210172214522020
2020-02-14 17:48:30,233 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_128535956210172214522020 (size 0x1000)
2020-02-14 17:48:30,233 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E20000.
2020-02-14 17:48:30,233 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e20000 - 0x2e21000.
2020-02-14 17:48:30,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E30000.
2020-02-14 17:48:30,233 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e30000 - 0x2e31000.
2020-02-14 17:48:30,233 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e30000-0x2e31000.
2020-02-14 17:48:30,233 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E30000 - 0x02E31000.
2020-02-14 17:48:30,250 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_28181814210172214522020
2020-02-14 17:48:30,250 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_28181814210172214522020 (size 0x1000)
2020-02-14 17:48:30,250 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E30000.
2020-02-14 17:48:30,250 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e30000 - 0x2e31000.
2020-02-14 17:48:30,250 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E40000.
2020-02-14 17:48:30,250 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e40000 - 0x2e41000.
2020-02-14 17:48:30,250 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e40000-0x2e41000.
2020-02-14 17:48:30,250 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E40000 - 0x02E41000.
2020-02-14 17:48:30,250 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_15289823810172214522020
2020-02-14 17:48:30,250 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_15289823810172214522020 (size 0x1000)
2020-02-14 17:48:30,250 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E40000.
2020-02-14 17:48:30,250 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e40000 - 0x2e41000.
2020-02-14 17:48:30,250 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E50000.
2020-02-14 17:48:30,250 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e50000 - 0x2e51000.
2020-02-14 17:48:30,250 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e50000-0x2e51000.
2020-02-14 17:48:30,250 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E50000 - 0x02E51000.
2020-02-14 17:48:30,265 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_70830244010172214522020
2020-02-14 17:48:30,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_70830244010172214522020 (size 0x1000)
2020-02-14 17:48:30,265 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E50000.
2020-02-14 17:48:30,265 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e50000 - 0x2e51000.
2020-02-14 17:48:30,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E60000.
2020-02-14 17:48:30,265 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e60000 - 0x2e61000.
2020-02-14 17:48:30,265 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e60000-0x2e61000.
2020-02-14 17:48:30,265 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E60000 - 0x02E61000.
2020-02-14 17:48:30,265 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_149348642710172214522020
2020-02-14 17:48:30,265 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_149348642710172214522020 (size 0x1000)
2020-02-14 17:48:30,265 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E60000.
2020-02-14 17:48:30,265 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e60000 - 0x2e61000.
2020-02-14 17:48:30,265 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E70000.
2020-02-14 17:48:30,265 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e70000 - 0x2e71000.
2020-02-14 17:48:30,280 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e70000-0x2e71000.
2020-02-14 17:48:30,280 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E70000 - 0x02E71000.
2020-02-14 17:48:30,280 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_209922034110172214522020
2020-02-14 17:48:30,280 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_209922034110172214522020 (size 0x1000)
2020-02-14 17:48:30,280 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E70000.
2020-02-14 17:48:30,280 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e70000 - 0x2e71000.
2020-02-14 17:48:30,280 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E80000.
2020-02-14 17:48:30,280 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e80000 - 0x2e81000.
2020-02-14 17:48:30,280 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e80000-0x2e81000.
2020-02-14 17:48:30,280 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E80000 - 0x02E81000.
2020-02-14 17:48:30,280 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_8908870010172214522020
2020-02-14 17:48:30,280 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_8908870010172214522020 (size 0x1000)
2020-02-14 17:48:30,280 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E80000.
2020-02-14 17:48:30,296 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e80000 - 0x2e81000.
2020-02-14 17:48:30,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02E90000.
2020-02-14 17:48:30,296 [root] DEBUG: DumpPEsInRange: Scanning range 0x2e90000 - 0x2e91000.
2020-02-14 17:48:30,296 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2e90000-0x2e91000.
2020-02-14 17:48:30,296 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02E90000 - 0x02E91000.
2020-02-14 17:48:30,296 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_90574307210172214522020
2020-02-14 17:48:30,296 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_90574307210172214522020 (size 0x1000)
2020-02-14 17:48:30,296 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02E90000.
2020-02-14 17:48:30,296 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2e90000 - 0x2e91000.
2020-02-14 17:48:30,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EA0000.
2020-02-14 17:48:30,296 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ea0000 - 0x2ea1000.
2020-02-14 17:48:30,296 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ea0000-0x2ea1000.
2020-02-14 17:48:30,296 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EA0000 - 0x02EA1000.
2020-02-14 17:48:30,296 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_188683385610172214522020
2020-02-14 17:48:30,312 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_188683385610172214522020 (size 0x1000)
2020-02-14 17:48:30,312 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EA0000.
2020-02-14 17:48:30,312 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ea0000 - 0x2ea1000.
2020-02-14 17:48:30,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EB0000.
2020-02-14 17:48:30,312 [root] DEBUG: DumpPEsInRange: Scanning range 0x2eb0000 - 0x2eb1000.
2020-02-14 17:48:30,312 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2eb0000-0x2eb1000.
2020-02-14 17:48:30,312 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EB0000 - 0x02EB1000.
2020-02-14 17:48:30,358 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_131208612810172214522020
2020-02-14 17:48:30,358 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_131208612810172214522020 (size 0x1000)
2020-02-14 17:48:30,358 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EB0000.
2020-02-14 17:48:30,358 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2eb0000 - 0x2eb1000.
2020-02-14 17:48:30,358 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EC0000.
2020-02-14 17:48:30,358 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ec0000 - 0x2ec1000.
2020-02-14 17:48:30,358 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ec0000-0x2ec1000.
2020-02-14 17:48:30,358 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EC0000 - 0x02EC1000.
2020-02-14 17:48:30,358 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_148370077410172214522020
2020-02-14 17:48:30,358 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_148370077410172214522020 (size 0x1000)
2020-02-14 17:48:30,375 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EC0000.
2020-02-14 17:48:30,375 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ec0000 - 0x2ec1000.
2020-02-14 17:48:30,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02ED0000.
2020-02-14 17:48:30,375 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ed0000 - 0x2ed2000.
2020-02-14 17:48:30,375 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ed0000-0x2ed2000.
2020-02-14 17:48:30,375 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02ED0000 - 0x02ED2000.
2020-02-14 17:48:30,375 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_90428427210172214522020
2020-02-14 17:48:30,375 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_90428427210172214522020 (size 0x2000)
2020-02-14 17:48:30,375 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02ED0000.
2020-02-14 17:48:30,375 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ed0000 - 0x2ed2000.
2020-02-14 17:48:30,375 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02EE0000.
2020-02-14 17:48:30,375 [root] DEBUG: DumpPEsInRange: Scanning range 0x2ee0000 - 0x2ee1000.
2020-02-14 17:48:30,375 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2ee0000-0x2ee1000.
2020-02-14 17:48:30,375 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x02EE0000 - 0x02EE1000.
2020-02-14 17:48:30,390 [root] INFO: Added new CAPE file to list with path: C:\XLqwGvRVH\CAPE\3468_46758209010172214522020
2020-02-14 17:48:30,390 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\XLqwGvRVH\CAPE\3468_46758209010172214522020 (size 0x1000)
2020-02-14 17:48:30,390 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x02EE0000.
2020-02-14 17:48:30,390 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ee0000 - 0x2ee1000.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2832.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2656.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1064.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2428.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2420.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2816.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2708.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 3408.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 932.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 3040.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1544.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1228.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1648.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1632.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 824.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 160.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1464.
2020-02-14 17:48:30,390 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2904.
2020-02-14 17:48:30,405 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2984.
2020-02-14 17:48:30,405 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2776.
2020-02-14 17:48:30,405 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2348.
2020-02-14 17:48:30,405 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 3156.
2020-02-14 17:48:30,405 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2704.
2020-02-14 17:48:30,405 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2768.
2020-02-14 17:48:30,405 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 972.
2020-02-14 17:48:30,405 [root] INFO: Notified of termination of process with pid 3468.
2020-02-14 17:48:35,703 [root] INFO: Process list is empty, terminating analysis.
2020-02-14 17:48:36,733 [root] INFO: Created shutdown mutex.
2020-02-14 17:48:37,750 [root] INFO: Shutting down package.
2020-02-14 17:48:37,750 [root] INFO: Stopping auxiliary modules.
2020-02-14 17:48:38,546 [root] INFO: Finishing auxiliary modules.
2020-02-14 17:48:38,546 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-14 17:48:38,546 [root] WARNING: File at path "C:\XLqwGvRVH\debugger" does not exist, skip.
2020-02-14 17:48:38,546 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
win7_3 win7_3 KVM 2020-02-14 16:47:55 2020-02-14 16:49:11

File Details

File Name a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442.exe
File Size 1658880 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f2b9d1cb2c4b1cd11a8682755bcc52fa
SHA1 579884fad55207b54e4c2fe2644290211baec8b5
SHA256 a2a77cefd2faa17e18843d74a8ad155a061a13da9bd548ded6437ef855c14442
SHA512 b047a4275f0fa7c0025945800acbffb5be1d327160a135c6ba8ff54352be603cbb47fff71f180ab1a915229778b7a883ed19e1d6a954ab82435913ed95c40752
CRC32 89CEFD79
Ssdeep 24576:darngxIJfX2+8mGrvs5pdUIPv3eAUW/Y8w9ejjERAjYrNFtI937sTR7R5NwrzD:da7gx2B81gdVXvfAnHRFtIl7k7RPwr
TrID None matched
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 3468 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 3468 triggered the Yara rule 'shellcode_stack_strings'
NtSetInformationThread: attempt to hide thread from debugger
Possible date expiration check, exits too soon after checking local time
process: ZB3fZZU5YjP.exe, PID 3468
Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: winmm.dll/timeGetTime
DynamicLoader: ntdll.dll/NtOpenThread
DynamicLoader: winmm.dll/timeGetTime
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlAllocateHeap
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlAllocateHeap
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
Expresses interest in specific running processes
process: System
CAPE extracted potentially suspicious content
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted PE Image: 32-bit executable
ZB3fZZU5YjP.exe: Extracted PE Image: 32-bit executable
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
ZB3fZZU5YjP.exe: Extracted Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
The binary contains an unknown PE section name indicative of packing
unknown section: name: \x00 , entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00026200, virtual_size: 0x0004c000
unknown section: name: .rsrc , entropy: 0.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00001000
unknown section: name: .idata , entropy: 1.31, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x00001000
unknown section: name: , entropy: 0.24, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x0025e000
unknown section: name: htusmqub, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0016d800, virtual_size: 0x0016e000
unknown section: name: ijybpcqb, entropy: 3.64, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x00001000
The binary likely contains encrypted or compressed data.
section: name: \x00 , entropy: 7.98, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00026200, virtual_size: 0x0004c000
section: name: htusmqub, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0016d800, virtual_size: 0x0016e000
Checks for the presence of known windows from debuggers and forensic tools
Window: OLLYDBG
Window: GBDYLLO
Window: pediy06
Window: FilemonClass
Window: File Monitor - Sysinternals: www.sysinternals.com
Window: PROCMON_WINDOW_CLASS
Window: Process Monitor - Sysinternals: www.sysinternals.com
Window: RegmonClass
Window: Registry Monitor - Sysinternals: www.sysinternals.com
Window: 18467-41
The following process appears to have been packed with Themida: ZB3fZZU5YjP.exe
Checks for the presence of known devices from debuggers and forensic tools
Detects the presence of Wine emulator via registry key
File has been identified by 61 Antiviruses on VirusTotal as malicious
Bkav: W32.HfsAutoB.
MicroWorld-eScan: Trojan.GenericKD.41987817
McAfee: Trojan-NukeSped.a
Cylance: Unsafe
VIPRE: Backdoor.Win32.Ircbot.gen (v)
Sangfor: Malware
CrowdStrike: win/malicious_confidence_100% (W)
Alibaba: Trojan:Win32/BlueNoroff.89bf74c9
K7GW: Trojan ( 0040f4ef1 )
K7AntiVirus: Trojan ( 0040f4ef1 )
Invincea: heuristic
F-Prot: W32/Nukesped.B
Symantec: Trojan Horse
ESET-NOD32: Win32/NukeSped.CL
APEX: Malicious
Paloalto: generic.ml
ClamAV: Win.Trojan.Agent-7376505-0
GData: Trojan.GenericKD.41987817
Kaspersky: Trojan.Win32.BlueNoroff.f
BitDefender: Trojan.GenericKD.41987817
NANO-Antivirus: Trojan.Win32.BlueNoroff.ggbrdv
ViRobot: Trojan.Win32.S.Agent.1658880
Tencent: Win32.Trojan.Bluenoroff.Eddp
Endgame: malicious (high confidence)
Sophos: Troj/Agent-BCXR
Comodo: [email protected]#3pq9urfgrl2d6
F-Secure: Trojan.TR/Crypt.TPM.Gen
DrWeb: Trojan.Siggen8.55781
Zillya: Trojan.NukeSped.Win32.184
TrendMicro: TROJ_THCSIM.A
McAfee-GW-Edition: BehavesLike.Win32.Miuref.tc
Trapmine: malicious.high.ml.score
FireEye: Generic.mg.f2b9d1cb2c4b1cd1
Emsisoft: Trojan.GenericKD.41987817 (B)
SentinelOne: DFI - Suspicious PE
Cyren: W32/Trojan.SXNN-1599
Jiangmin: Trojan.BlueNoroff.h
Webroot: W32.Trojan.Gen
Avira: TR/Crypt.TPM.Gen
eGambit: Unsafe.AI_Score_99%
Antiy-AVL: Trojan/Win32.BlueNoroff
Arcabit: Trojan.Generic.D280AEE9
ZoneAlarm: Trojan.Win32.BlueNoroff.f
Microsoft: Trojan:Win32/Thcsim
AhnLab-V3: Trojan/Win32.Xpacked.C2581424
Acronis: suspicious
VBA32: BScope.TrojanPSW.Predator
ALYac: Trojan.Nukesped.A
MAX: malware (ai score=100)
Ad-Aware: Trojan.GenericKD.41987817
Panda: Trj/CI.A
TrendMicro-HouseCall: TROJ_THCSIM.A
Rising: Trojan.NukeSped!8.3184 (CLOUD)
Ikarus: Trojan.Win32.NukeSped
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/BlueNoroff.CL!tr
BitDefenderTheta: Gen:NN.ZexaF.34090.LzWaau4D29h
AVG: Win32:Trojan-gen
Cybereason: malicious.ad5520
Avast: Win32:Trojan-gen
Qihoo-360: Win32/Trojan.06f
Checks the version of the BIOS, possibly for anti-virtualization
Detects VirtualBox through the presence of a registry key
Anomalous binary characteristics
anomaly: Unprintable characters found in section name

Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

\??\SICE
\??\SIWVID
\??\NTICE
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\ntdll.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
\??\SICE
\??\SIWVID
\??\NTICE
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\ntdll.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\en-US\tzres.dll.mui
\??\SICE
\??\SIWVID
\??\NTICE
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Wine
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
HKEY_LOCAL_MACHINE\Hardware\description\System
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
kernel32.dll.GetNativeSystemInfo
winmm.dll.timeGetTime
ntdll.dll.NtOpenThread
ntdll.dll.NtQuerySystemInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ntdll.dll.RtlAllocateHeap

PE Information

Image Base 0x00400000
Entry Point 0x0081b000
Reported Checksum 0x0019cc42
Actual Checksum 0x0019cc42
Minimum OS Version 5.1
Compile Time 2017-02-20 10:45:37
Import Hash baa93d47220682c04d92f7797d9224ce

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
\x00 0x00001000 0x0004c000 0x00026200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.98
.rsrc 0x0004d000 0x00001000 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x0004e000 0x00001000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.31
0x0004f000 0x0025e000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.24
htusmqub 0x002ad000 0x0016e000 0x0016d800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.95
ijybpcqb 0x0041b000 0x00001000 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.64

Imports

Library kernel32.dll:
0x44e033 lstrcpy
Library comctl32.dll:
0x44e03b InitCommonControls

.rsrc
.idata
htusmqub
ijybpcqb
lstrcpy
InitCommonControls
kernel32.dll
comctl32.dll

Full Results

VirusTotal Signature
Bkav W32.HfsAutoB.
MicroWorld-eScan Trojan.GenericKD.41987817
CMC Clean
CAT-QuickHeal Clean
Qihoo-360 Win32/Trojan.06f
McAfee Trojan-NukeSped.a
Cylance Unsafe
Zillya Trojan.NukeSped.Win32.184
AegisLab Clean
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Trojan.GenericKD.41987817
K7GW Trojan ( 0040f4ef1 )
K7AntiVirus Trojan ( 0040f4ef1 )
TrendMicro TROJ_THCSIM.A
Baidu Clean
F-Prot W32/Nukesped.B
Symantec Trojan Horse
ESET-NOD32 Win32/NukeSped.CL
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Agent-7376505-0
Kaspersky Trojan.Win32.BlueNoroff.f
Alibaba Trojan:Win32/BlueNoroff.89bf74c9
NANO-Antivirus Trojan.Win32.BlueNoroff.ggbrdv
SUPERAntiSpyware Clean
Avast Win32:Trojan-gen
Rising Trojan.NukeSped!8.3184 (CLOUD)
Endgame malicious (high confidence)
Emsisoft Trojan.GenericKD.41987817 (B)
Comodo [email protected]#3pq9urfgrl2d6
F-Secure Trojan.TR/Crypt.TPM.Gen
DrWeb Trojan.Siggen8.55781
VIPRE Backdoor.Win32.Ircbot.gen (v)
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Miuref.tc
Trapmine malicious.high.ml.score
FireEye Generic.mg.f2b9d1cb2c4b1cd1
Sophos Troj/Agent-BCXR
Ikarus Trojan.Win32.NukeSped
Cyren W32/Trojan.SXNN-1599
Jiangmin Trojan.BlueNoroff.h
Webroot W32.Trojan.Gen
Avira TR/Crypt.TPM.Gen
MAX malware (ai score=100)
Antiy-AVL Trojan/Win32.BlueNoroff
Kingsoft Clean
Microsoft Trojan:Win32/Thcsim
Arcabit Trojan.Generic.D280AEE9
ViRobot Trojan.Win32.S.Agent.1658880
ZoneAlarm Trojan.Win32.BlueNoroff.f
Avast-Mobile Clean
GData Trojan.GenericKD.41987817
AhnLab-V3 Trojan/Win32.Xpacked.C2581424
Acronis suspicious
VBA32 BScope.TrojanPSW.Predator
ALYac Trojan.Nukesped.A
TACHYON Clean
Ad-Aware Trojan.GenericKD.41987817
Zoner Clean
TrendMicro-HouseCall TROJ_THCSIM.A
Tencent Win32.Trojan.Bluenoroff.Eddp
Yandex Clean
SentinelOne DFI - Suspicious PE
eGambit Unsafe.AI_Score_99%
Fortinet W32/BlueNoroff.CL!tr
BitDefenderTheta Gen:NN.ZexaF.34090.LzWaau4D29h
AVG Win32:Trojan-gen
Cybereason malicious.ad5520
Panda Trj/CI.A
MaxSecure Trojan.Malware.300983.susgen

Process Tree


ZB3fZZU5YjP.exe, PID: 3468, Parent PID: 1736
Full Path: C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
Command Line: "C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe"

Hosts

Direct IP Country Name
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.3 62840 1.1.1.1 53
192.168.1.3 62988 1.1.1.1 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.

Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x02B00000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 501f75319119930400b8776b642943af
SHA1 8842eac50a175f9c4dd1b441564c56d420376eae
SHA256 27ecf4f13bbc41864de486e89634aa35e73984f6f510d17012242d9cfa010274
CRC32 10442EC9
Ssdeep 96:sJQFzqeE5mFPozvXSZs3PJRn3FqPnbN6MVIq:sJQdqeEOoekJxVkF
Yara None matched
CAPE Yara None matched

Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x02E90000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 6083203c42303a4b159c4017e3190106
SHA1 da2f2a2f2836f649680943f5ab70066299fa428d
SHA256 7310c8bda947527e23856afd2797ad341ea51f105d8da83f1e519b3a6e6ba452
CRC32 C3BC3728
Ssdeep 96:Z1P3ChtE/js8NBP/RQuvNGUcizDz6+zTz:n3MQvRQscOSk
Yara None matched
CAPE Yara None matched

Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x02E80000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 494af9c8298421f581c57bacdb06af1e
SHA1 0588892b838b504bd972942a05eb6c691204d041
SHA256 560248a86379a43509eb400dd4a30971af240efe466870a591b271cced8739da
CRC32 C976CD7C
Ssdeep 96:+ksvpNNnpzQnAJ67FRVFC6PPlz4XZYU66:hi9dQK6F3Pd+YU66
Yara None matched
CAPE Yara None matched

Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00790000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 e68e24149642add4abe9ab1ad57ce31d
SHA1 00e38f54cbb2a57ce08eb38b1330a71597a50717
SHA256 2ac7a2d08fd657e9970d3d75f55a552b648ff6cacc1feb1a435ff36f4b18437f
CRC32 9426D59C
Ssdeep 24:ZRBLAaHvMhBLAm7A5zoFfA23c+QPGYJpPH9SEJ0agGj:ZTAaPMXLZFFuGY8bS
Yara None matched
CAPE Yara None matched

Type Extracted Shellcode
Size 8192 bytes
Virtual Address 0x02ED0000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 610d102123934dd21ae065f321178ae0
SHA1 111504078658fa37732b687787116be26a39bef9
SHA256 4b96af16d1b6fcddb6f1685f519925e5caff619fa7e5f65a2a6fb54afa5b2d54
CRC32 3F5D8A38
Ssdeep 96:T8SYhSSCHddzU36unB87pMqB4rPmQfP2RqsPmoSdywpdyPl21OC3B11FsQcmsZX1:T8f8+3n6pHB4bmQn2hmoyyzlw3BRGhr
Yara None matched
CAPE Yara None matched

Type Extracted PE Image: 32-bit executable
Size 1658880 bytes
Virtual Address 0x002C0000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 d85ce1f696fb5bbf76269f8bf2193f1e
SHA1 7bcd3fdfc567053eaeb844abc68871bab163a4aa
SHA256 7949322d64673d7ca913f54de5c86841cc1ed95c86b67aabf93ace5c18226d5a
CRC32 DDCF4E3C
Ssdeep 24576:UL4WM8y1cU3V7n9TewLjFF7C9KO5GzVL3tHDypLo3Yi8iP1LjX+b:xKU33THjFhCbwzVL3RDyptU14
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC.
  • shellcode_stack_strings - Match x86 that appears to be stack string creation.
CAPE Yara None matched

Type Extracted PE Image: 32-bit executable
Size 1658880 bytes
Virtual Address 0x002C0000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 3c903389c3c2ae60721ca7c830361aea
SHA1 0e352e34c1739b5d267c29758056f561d29609f4
SHA256 cd225243be824a335b4a5a296bf85654adcd8e3fd46deab6e750e4e449b9da28
CRC32 871C5AEB
Ssdeep 24576:RarngxIJjYTjFF7C9KO5GzVL3tHDypLo3Yi8iP1LjX+b:Ra7gxBjFhCbwzVL3RDyptU14
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC.
CAPE Yara None matched

Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x029E0000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 af09dd1fb84fe2c71b4795e8e4e3d2e6
SHA1 0a220b5dbd0a6c36c6509e1b38a6ff50a19fef60
SHA256 41ae62519512be463c30ebcbb6cb6fa96f85d7ba07748fa208e0b8261c99ae76
CRC32 73EED695
Ssdeep 24:FxeOwipWUq54CQfMGHyBsXvMB11r1lyH7Z8zEnTZhbUXgw7OF4C:beliYU0xwyK411JAv4X76
Yara None matched
CAPE Yara None matched

Type Extracted Shellcode
Size 65536 bytes
Virtual Address 0x029D0000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 d4f5952c7890e9868962e4843d4174b9
SHA1 3088b2d2fd8a2ce60b68f9a7f34838d57fce97ce
SHA256 ea7e8dafb408c694c5dee8a5e5daf9972d361db5f1195cdc306a9874afb2608c
CRC32 911E44D9
Ssdeep 96:HdVfmsZXEHddzU36unB87pMqB4rPmQfP2RqsPmoSdywpdyPl21OC3B:Hzrh8+3n6pHB4bmQn2hmoyyzlw3B
Yara None matched
CAPE Yara None matched

Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x02E60000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 e480165d110d9be6be700cc3c7484e5d
SHA1 a9986a581cefbb69e9f49e1e3393fbfde39b8ad6
SHA256 8689e832010f098c483195bdae33e1f384628a9a53f2e6cdaa526eeae2ae18ef
CRC32 9664E5E8
Ssdeep 96:ABOtP1p/0fzcP01FnUpFLJ/+DlM0GwfP9:A4t9Ozu01Kp9Yn
Yara None matched
CAPE Yara None matched

Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x02E70000
Process ZB3fZZU5YjP.exe
PID 3468
Path C:\Users\Rebecca\AppData\Local\Temp\ZB3fZZU5YjP.exe
MD5 f4d76008fb028f8394a589227262dba0
SHA1 1dee52c20db243d41c8afa5ac5e6258e20441d77
SHA256 067b8008cfc5da174ac39396b04e33f9c08df59d68749a6675b0387f5697f63b
CRC32 CCD9F278
Ssdeep 96:q1ME40a7icD6kxkLd+OiIPA9r2iBx9qRs:0vkPSEBIPiBx9q
Yara None matched
CAPE Yara None matched