FlareOn 8 - Task 7: tracelog 3 - after receiving the command "flare-on.com
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 3750;section: [.text] | |
| 4118;CPUID:0 | |
| 4176;CPUID:1 | |
| 4211;CPUID:7 | |
| 4bb0;kernel32.LoadLibraryExW | |
| 4c47;kernel32.GetProcAddress | |
| Arg[0] = ptr 0x00007ffd42590000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ffd3a70e3e8 -> "InitializeCriticalSectionEx" | |
| 4e83;kernelbase.InitializeCriticalSectionEx | |
| 4bb0;kernel32.LoadLibraryExW | |
| 4c47;kernel32.GetProcAddress | |
| Arg[0] = ptr 0x00007ffd42590000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ffd3a70e390 -> "FlsAlloc" | |
| 4d0b;kernelbase.FlsAlloc | |
| 4c47;kernel32.GetProcAddress | |
| Arg[0] = ptr 0x00007ffd42590000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ffd3a70e3d0 -> "FlsSetValue" | |
| 4e10;kernelbase.FlsSetValue | |
| 7424;kernel32.LoadLibraryExW | |
| 74aa;kernel32.GetProcAddress | |
| Arg[0] = ptr 0x00007ffd42590000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ffd3a70e3e8 -> "InitializeCriticalSectionEx" | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 8c00;kernel32.GetProcessHeap | |
| 7424;kernel32.LoadLibraryExW | |
| 74aa;kernel32.GetProcAddress | |
| Arg[0] = ptr 0x00007ffd42590000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ffd3a70e390 -> "FlsAlloc" | |
| 7568;kernelbase.FlsAlloc | |
| 7123;kernel32.GetLastError | |
| 74aa;kernel32.GetProcAddress | |
| Arg[0] = ptr 0x00007ffd42590000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ffd3a70e3b8 -> "FlsGetValue" | |
| 7616;kernelbase.FlsGetValue | |
| 6815;ntdll.RtlAllocateHeap | |
| 74aa;kernel32.GetProcAddress | |
| Arg[0] = ptr 0x00007ffd42590000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ffd3a70e3d0 -> "FlsSetValue" | |
| 7679;kernelbase.FlsSetValue | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 7197;kernel32.SetLastError | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 6815;ntdll.RtlAllocateHeap | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 8c44;kernel32.GetStartupInfoW | |
| 8d82;kernel32.GetStdHandle | |
| 8d98;kernel32.GetFileType | |
| 8d82;kernel32.GetStdHandle | |
| 8d98;kernel32.GetFileType | |
| 8d82;kernel32.GetStdHandle | |
| 8d98;kernel32.GetFileType | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 8a34;kernel32.GetCommandLineA | |
| 8a41;kernel32.GetCommandLineW | |
| 708a;kernel32.GetLastError | |
| 7616;kernelbase.FlsGetValue | |
| 70f2;kernel32.SetLastError | |
| 708a;kernel32.GetLastError | |
| 7616;kernelbase.FlsGetValue | |
| 70f2;kernel32.SetLastError | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 81a9;kernel32.GetACP | |
| 66e6;ntdll.RtlAllocateHeap | |
| 8776;kernel32.IsValidCodePage | |
| 878b;kernel32.GetCPInfo | |
| 82ae;kernel32.GetCPInfo | |
| 9753;kernel32.MultiByteToWideChar | |
| 981c;kernel32.MultiByteToWideChar | |
| 9836;kernel32.GetStringTypeW | |
| a663;kernel32.MultiByteToWideChar | |
| a728;kernel32.MultiByteToWideChar | |
| 7424;kernel32.LoadLibraryExW | |
| 74aa;kernel32.GetProcAddress | |
| Arg[0] = ptr 0x00007ffd42590000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ffd3a7102f0 -> "LCMapStringEx" | |
| 77ae;kernelbase.LCMapStringEx | |
| 77ae;kernelbase.LCMapStringEx | |
| a8b8;kernel32.WideCharToMultiByte | |
| a663;kernel32.MultiByteToWideChar | |
| a728;kernel32.MultiByteToWideChar | |
| 77ae;kernelbase.LCMapStringEx | |
| 77ae;kernelbase.LCMapStringEx | |
| a8b8;kernel32.WideCharToMultiByte | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 66e6;ntdll.RtlAllocateHeap | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 3ebb;ntdll.RtlInitializeSListHead | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 6815;ntdll.RtlAllocateHeap | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| 76ec;kernelbase.InitializeCriticalSectionEx | |
| c579;CPUID:1 | |
| 5ccf;kernel32.GetModuleFileNameA | |
| 6815;ntdll.RtlAllocateHeap | |
| 8a71;kernel32.GetEnvironmentStringsW | |
| 8ad3;kernel32.WideCharToMultiByte | |
| 66e6;ntdll.RtlAllocateHeap | |
| 8b0d;kernel32.WideCharToMultiByte | |
| 8b37;kernel32.FreeEnvironmentStringsW | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 6815;ntdll.RtlAllocateHeap | |
| 667e;kernel32.HeapFree | |
| 36f8;ntdll.[RtlActivateActivationContextUnsafeFast+114]* | |
| 66e6;ntdll.RtlAllocateHeap | |
| 66e6;ntdll.RtlAllocateHeap | |
| 66e6;ntdll.RtlAllocateHeap | |
| 66e6;ntdll.RtlAllocateHeap | |
| 66e6;ntdll.RtlAllocateHeap | |
| 66e6;ntdll.RtlAllocateHeap | |
| 66e6;ntdll.RtlAllocateHeap | |
| 66e6;ntdll.RtlAllocateHeap | |
| 66e6;ntdll.RtlAllocateHeap | |
| 66e6;ntdll.RtlAllocateHeap | |
| 19c7;kernel32.VirtualAlloc | |
| 1a8e;kernel32.VirtualAlloc | |
| 1b4d;kernel32.GetModuleFileNameA | |
| 1b63;kernel32.GetModuleHandleA | |
| 1ba8;kernel32.FindResourceA | |
| Arg[0] = ptr 0x00007ff6ebae0000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = 0x0000000000000080 = 128 | |
| Arg[2] = ptr 0x000000726cd4f964 -> "PNG" | |
| 1bc5;kernel32.SizeofResource | |
| Arg[0] = ptr 0x00007ff6ebae0000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ff6ebae6080 -> {\xb0`\x00\x00\xd6\x00\x00\x00} | |
| 1be2;kernel32.LoadResource | |
| 1bfc;kernel32.LockResource | |
| 1dfb;kernel32.GetCurrentProcess | |
| 1e1c;kernel32.IsWow64Process | |
| 2daf;kernel32.GetSystemTime | |
| 2e47;kernel32.GetDateFormatW | |
| 2eb5;kernel32.lstrlenA | |
| 1a1e;kernel32.SleepEx | |
| Arg[0] = 0x0000000000057e40 = 360000 | |
| Arg[1] = 0 | |
| NtDelayExecution hooked. Overwriting DelayInterval: ffffffff296c5c00 -> fffffffffffe7960 | |
| 1c3a;kernel32.VirtualAlloc | |
| 1318;kernel32.GetModuleHandleA | |
| 1339;kernel32.LoadLibraryA | |
| Arg[0] = ptr 0x000000726ce824a0 -> "ws2_32.dll" | |
| 1fc4;ws2_32.WSAStartup | |
| 1318;kernel32.GetModuleHandleA | |
| 20b8;ws2_32.socket | |
| 1318;kernel32.GetModuleHandleA | |
| 1339;kernel32.LoadLibraryA | |
| Arg[0] = ptr 0x000000726ce81f20 -> "user32.dll" | |
| 2d6c;user32.wvsprintfA | |
| 1318;kernel32.GetModuleHandleA | |
| 2146;ws2_32.gethostbyname | |
| Arg[0] = ptr 0x000000726cd4f720 -> "inactive.flare-on.com" | |
| 1318;kernel32.GetModuleHandleA | |
| 21ba;ws2_32.ntohs | |
| 1318;kernel32.GetModuleHandleA | |
| 21df;ws2_32.connect | |
| 2221;kernel32.lstrlenA | |
| 1318;kernel32.GetModuleHandleA | |
| 2267;ws2_32.send | |
| 1318;kernel32.GetModuleHandleA | |
| 2d25;ws2_32.recv | |
| 4987;kernel32.GetLastError | |
| 4c47;kernel32.GetProcAddress | |
| Arg[0] = ptr 0x00007ffd42590000 -> {MZ\x90\x00\x03\x00\x00\x00} | |
| Arg[1] = ptr 0x00007ffd3a70e3b8 -> "FlsGetValue" | |
| 4db1;kernelbase.FlsGetValue | |
| 4e10;kernelbase.FlsSetValue | |
| 6815;ntdll.RtlAllocateHeap | |
| 4e10;kernelbase.FlsSetValue | |
| 4a07;kernel32.SetLastError | |
| 7123;kernel32.GetLastError | |
| 7616;kernelbase.FlsGetValue | |
| 6815;ntdll.RtlAllocateHeap | |
| 7679;kernelbase.FlsSetValue | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 7197;kernel32.SetLastError | |
| 36f8;ntdll.[RtlActivateActivationContextUnsafeFast+114]* | |
| 4987;kernel32.GetLastError | |
| 4db1;kernelbase.FlsGetValue | |
| 4e10;kernelbase.FlsSetValue | |
| 6815;ntdll.RtlAllocateHeap | |
| 4e10;kernelbase.FlsSetValue | |
| 4a07;kernel32.SetLastError | |
| 7123;kernel32.GetLastError | |
| 7616;kernelbase.FlsGetValue | |
| 6815;ntdll.RtlAllocateHeap | |
| 7679;kernelbase.FlsSetValue | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 7197;kernel32.SetLastError | |
| 36f8;ntdll.[RtlActivateActivationContextUnsafeFast+114]* | |
| 667e;kernel32.HeapFree | |
| 4916;ntdll.[RtlProcessFlsData+127]* | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 732a;ntdll.RtlEnterCriticalSection | |
| 737e;ntdll.RtlLeaveCriticalSection | |
| 667e;kernel32.HeapFree | |
| 6edb;ntdll.[RtlProcessFlsData+127]* | |
| 7616;kernelbase.FlsGetValue | |
| 4db1;kernelbase.FlsGetValue | |
| 4e10;kernelbase.FlsSetValue | |
| 36f8;ntdll.[RtlActivateActivationContextUnsafeFast+114]* | |
| 1d88;kernel32.lstrlenA | |
| 2a7c;kernel32.VirtualAlloc | |
| 1318;kernel32.GetModuleHandleA | |
| 2d6c;user32.wvsprintfA | |
| 1318;kernel32.GetModuleHandleA | |
| 1339;kernel32.LoadLibraryA | |
| Arg[0] = ptr 0x000000726ce82580 -> "advapi32.dll" | |
| 2b77;advapi32.RegOpenKeyExA | |
| 1318;kernel32.GetModuleHandleA | |
| 2c89;advapi32.RegSetValueExA | |
| 1318;kernel32.GetModuleHandleA | |
| 2cb0;advapi32.RegCloseKey | |
| 1318;kernel32.GetModuleHandleA | |
| 1339;kernel32.LoadLibraryA | |
| Arg[0] = ptr 0x000000726ce82180 -> "bcrypt.dll" | |
| 3047;bcrypt.BCryptOpenAlgorithmProvider | |
| 1318;kernel32.GetModuleHandleA | |
| 30eb;bcrypt.BCryptGetProperty | |
| 310f;kernel32.GetProcessHeap | |
| 1318;kernel32.GetModuleHandleA | |
| 3131;ntdll.RtlAllocateHeap | |
| 1318;kernel32.GetModuleHandleA | |
| 3231;bcrypt.BCryptSetProperty | |
| 1318;kernel32.GetModuleHandleA | |
| 327e;bcrypt.BCryptGenerateSymmetricKey | |
| 1318;kernel32.GetModuleHandleA | |
| 32dc;bcrypt.BCryptDecrypt | |
| 1318;kernel32.GetModuleHandleA | |
| 3353;bcrypt.BCryptCloseAlgorithmProvider | |
| 1318;kernel32.GetModuleHandleA | |
| 3373;bcrypt.BCryptDestroyKey | |
| 338c;kernel32.GetProcessHeap | |
| 33ab;kernel32.HeapFree | |
| 2979;kernel32.lstrlenA | |
| 2a7c;kernel32.VirtualAlloc | |
| 1318;kernel32.GetModuleHandleA | |
| 2d6c;user32.wvsprintfA | |
| 1318;kernel32.GetModuleHandleA | |
| 2b77;advapi32.RegOpenKeyExA | |
| 1318;kernel32.GetModuleHandleA | |
| 2c89;advapi32.RegSetValueExA | |
| 1318;kernel32.GetModuleHandleA | |
| 2cb0;advapi32.RegCloseKey | |
| 101f;spell.[.text+2ff]* |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment