# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 05.10.2020 17:35:15.317 Process: id = "1" image_name = "oxi_joiner.exe" filename = "c:\\users\\fd1hvy\\desktop\\oxi_joiner.exe" page_root = "0x19175000" os_pid = "0x1170" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x560" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\Oxi_Joiner.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x1168 [0062.211] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\Oxi_Joiner.exe\" " [0062.213] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0062.213] GetProcessHeap () returned 0x5a0000 [0062.213] LoadIconA (hInstance=0x400000, lpIconName=0x1f4) returned 0x0 [0062.225] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0062.225] RegisterClassExA (param_1=0x19ff3c) returned 0xc199 [0062.226] CreateWindowExA (dwExStyle=0x0, lpClassName="WinClass32", lpWindowName="WinClass32", dwStyle=0xcf0000, X=200, Y=200, nWidth=200, nHeight=200, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) [0064.794] NtdllDefWindowProc_A (hWnd=0x302d2, Msg=0x24, wParam=0x0, lParam=0x19fa9c) returned 0x0 [0064.794] NtdllDefWindowProc_A (hWnd=0x302d2, Msg=0x81, wParam=0x0, lParam=0x19fa90) returned 0x1 [0064.805] NtdllDefWindowProc_A (hWnd=0x302d2, Msg=0x83, wParam=0x0, lParam=0x19fa7c) returned 0x0 [0065.268] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75760000 [0077.477] GetProcAddress (hModule=0x75760000, lpProcName="ShellExecuteA") returned 0x75963ef0 [0077.478] GetProcAddress (hModule=0x75760000, lpProcName="SHGetSpecialFolderPathA") returned 0x759bcc90 [0077.478] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x76ba0000 [0077.478] GetProcAddress (hModule=0x76ba0000, lpProcName="PathFindFileNameA") returned 0x76bb4640 [0077.478] GetProcAddress (hModule=0x76ba0000, lpProcName="PathAddBackslashA") returned 0x76bb7700 [0077.478] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x756e0000 [0077.479] GetProcAddress (hModule=0x756e0000, lpProcName="RegCreateKeyExA") returned 0x756ff560 [0077.479] GetProcAddress (hModule=0x756e0000, lpProcName="RegSetValueExA") returned 0x756fffc0 [0077.480] GetProcAddress (hModule=0x756e0000, lpProcName="RegCloseKey") returned 0x756fed60 [0077.480] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77970000 [0077.480] GetProcAddress (hModule=0x77970000, lpProcName="RtlDecompressBuffer") returned 0x779e1bc0 [0077.480] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x40bc84, nSize=0x1000 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\Oxi_Joiner.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\oxi_joiner.exe")) returned 0x26 [0077.481] GetEnvironmentVariableA (in: lpName="ComSpec", lpBuffer=0x40fc84, nSize=0x500 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0077.481] SendMessageA (hWnd=0x302d2, Msg=0x9d99, wParam=0x0, lParam=0x0) [0077.481] GetSystemDirectoryA (in: lpBuffer=0x403c84, uSize=0x1000 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0077.482] PathAddBackslashA (in: pszPath="C:\\WINDOWS\\system32" | out: pszPath="C:\\WINDOWS\\system32\\") returned="" [0077.482] GetWindowsDirectoryA (in: lpBuffer=0x404c84, uSize=0x1000 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0077.483] PathAddBackslashA (in: pszPath="C:\\WINDOWS" | out: pszPath="C:\\WINDOWS\\") returned="" [0077.483] GetTempPathA (in: nBufferLength=0x1000, lpBuffer=0x405c84 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0077.483] PathAddBackslashA (in: pszPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned="" [0077.483] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x403a60, nSize=0x200 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\Oxi_Joiner.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\oxi_joiner.exe")) returned 0x26 [0077.483] PathFindFileNameA (pszPath="C:\\Users\\FD1HVy\\Desktop\\Oxi_Joiner.exe") returned="Oxi_Joiner.exe" [0077.483] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x407c84, nSize=0x1000 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x1f [0077.483] PathAddBackslashA (in: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming" | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="" [0077.484] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x408c84, csidl=7, fCreate=1 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0077.757] PathAddBackslashA (in: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\") returned="" [0077.757] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x409c84, csidl=16, fCreate=1 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 1 [0077.759] PathAddBackslashA (in: pszPath="C:\\Users\\FD1HVy\\Desktop" | out: pszPath="C:\\Users\\FD1HVy\\Desktop\\") returned="" [0077.759] FindResourceA (hModule=0x0, lpName=0x1001, lpType=0xa) returned 0x411178 [0077.759] SizeofResource (hModule=0x0, hResInfo=0x411178) returned 0x5a [0077.759] LoadResource (hModule=0x0, hResInfo=0x411178) returned 0x41c868 [0077.759] LockResource (hResData=0x41c868) returned 0x41c868 [0077.759] RtlMoveMemory (in: Destination=0x403450, Source=0x41c868, Length=0x10 | out: Destination=0x403450) [0077.759] RtlMoveMemory (in: Destination=0x5b6628, Source=0x41c888, Length=0x3a | out: Destination=0x5b6628) [0077.759] FreeResource (hResData=0x41c868) returned 0 [0077.759] FindResourceA (hModule=0x0, lpName=0x1, lpType=0xa) returned 0x411168 [0077.759] SizeofResource (hModule=0x0, hResInfo=0x411168) returned 0x90b2 [0077.759] LoadResource (hModule=0x0, hResInfo=0x411168) returned 0x4137b4 [0077.759] LockResource (hResData=0x4137b4) returned 0x4137b4 [0077.760] RtlMoveMemory (in: Destination=0x5bf6f0, Source=0x4137bc, Length=0x90aa | out: Destination=0x5bf6f0) [0077.762] RtlDecompressBuffer (in: CompressionFormat=0x2, UncompressedBuffer=0x5c87b0, UncompressedBufferSize=0x11e00, CompressedBuffer=0x5bf6f0, CompressedBufferSize=0x90aa, FinalUncompressedSize=0x19f60c | out: UncompressedBuffer=0x5c87b0, FinalUncompressedSize=0x19f60c) returned 0x0 [0077.763] lstrcpynA (in: lpString1=0x403660, lpString2="EyeCry.exe", iMaxLength=11 | out: lpString1="EyeCry.exe") returned="EyeCry.exe" [0077.763] lstrcpyA (in: lpString1=0x40334d, lpString2="C:\\Dir1\\SubDir" | out: lpString1="C:\\Dir1\\SubDir") returned="C:\\Dir1\\SubDir" [0077.763] lstrlenA (lpString="C:\\Dir1\\SubDir") returned 14 [0077.763] lstrcpyA (in: lpString1=0x406c84, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" [0077.763] PathAddBackslashA (in: pszPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned="" [0077.763] lstrcatA (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpString2="EyeCry.exe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe" [0077.763] CreateFileA (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\eyecry.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x214 [0077.765] WriteFile (in: hFile=0x214, lpBuffer=0x5c87b0*, nNumberOfBytesToWrite=0x11e00, lpNumberOfBytesWritten=0x4106bc, lpOverlapped=0x0 | out: lpBuffer=0x5c87b0*, lpNumberOfBytesWritten=0x4106bc*=0x11e00, lpOverlapped=0x0) returned 1 [0077.769] CloseHandle (hObject=0x214) returned 1 [0077.773] SetFileAttributesA (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe", dwFileAttributes=0x0) returned 1 [0077.775] lstrcpyA (in: lpString1=0x403860, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe" [0077.775] PathFindFileNameA (pszPath="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe") returned="EyeCry.exe" [0077.854] ShellExecuteA (hwnd=0x0, lpOperation="open", lpFile="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe", lpParameters=0x0, lpDirectory="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nShowCmd=5) returned 0x2a [0102.255] FreeResource (hResData=0x4137b4) returned 0 [0102.255] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x113c Thread: id = 3 os_tid = 0x1100 Thread: id = 4 os_tid = 0x120c Thread: id = 5 os_tid = 0x109c Thread: id = 6 os_tid = 0x10a8 Thread: id = 7 os_tid = 0x10ac Thread: id = 8 os_tid = 0x10b0 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4c27d000" os_pid = "0x5b0" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x23c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000f8bc" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 9 os_tid = 0xd18 Thread: id = 10 os_tid = 0x9bc Thread: id = 11 os_tid = 0x7ec Thread: id = 12 os_tid = 0x770 Thread: id = 13 os_tid = 0x7d8 Thread: id = 14 os_tid = 0x698 Thread: id = 15 os_tid = 0x690 Thread: id = 16 os_tid = 0x5fc Thread: id = 17 os_tid = 0x5f8 Thread: id = 18 os_tid = 0x5f4 Thread: id = 19 os_tid = 0x5b4 Process: id = "3" image_name = "eyecry.exe" filename = "c:\\users\\fd1hvy\\appdata\\local\\temp\\eyecry.exe" page_root = "0x9607000" os_pid = "0x12ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1170" cmd_line = "\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe\" " cur_dir = "C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 20 os_tid = 0x12b4 [0102.226] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0103.035] GetKeyboardType (nTypeFlag=0) returned 4 [0103.035] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe\" " [0103.035] GetStartupInfoA (in: lpStartupInfo=0x19fee8 | out: lpStartupInfo=0x19fee8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x5, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0103.035] GetVersion () returned 0x23f00206 [0103.035] GetVersion () returned 0x23f00206 [0103.035] GetCurrentThreadId () returned 0x12b4 [0103.035] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x19f9e4, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\eyecry.exe")) returned 0x2d [0103.035] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x19f8bf, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\eyecry.exe")) returned 0x2d [0103.035] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x19f9d4 | out: phkResult=0x19f9d4*=0x0) returned 0x2 [0103.035] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x19f9d4 | out: phkResult=0x19f9d4*=0x0) returned 0x2 [0103.036] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x19f9d4 | out: phkResult=0x19f9d4*=0x0) returned 0x2 [0103.036] lstrcpynA (in: lpString1=0x19f8bf, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe", iMaxLength=261 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe" [0103.036] GetThreadLocale () returned 0x409 [0103.036] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x19f9cf, cchData=5 | out: lpLCData="ENU") returned 4 [0103.036] lstrlenA (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.exe") returned 45 [0103.036] lstrcpynA (in: lpString1=0x19f8e9, lpString2="ENU", iMaxLength=219 | out: lpString1="ENU") returned="ENU" [0103.036] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0103.037] lstrcpynA (in: lpString1=0x19f8e9, lpString2="EN", iMaxLength=219 | out: lpString1="EN") returned="EN" [0103.037] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\EyeCry.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0103.037] LoadStringA (in: hInstance=0x400000, uID=0xffd6, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Exception in safecall method") returned 0x1c [0103.037] LocalAlloc (uFlags=0x0, uBytes=0xff8) returned 0x59b7d8 [0103.037] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x2000, flProtect=0x1) returned 0x1f60000 [0103.037] LocalAlloc (uFlags=0x0, uBytes=0x644) returned 0x59c7d8 [0103.037] VirtualAlloc (lpAddress=0x1f60000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x1f60000 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffd5, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Interface not supported") returned 0x17 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="External exception %x") returned 0x15 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffd4, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Assertion failed") returned 0x10 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffef, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Invalid argument") returned 0x10 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffee, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffeb, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffd1, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Invalid variant operation") returned 0x19 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffd0, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffe4, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Stack overflow") returned 0xe [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Control-C hit") returned 0xd [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Privileged instruction") returned 0x16 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Access violation") returned 0x10 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Invalid class typecast") returned 0x16 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Floating point underflow") returned 0x18 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfffe, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Floating point overflow") returned 0x17 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Floating point division by zero") returned 0x1f [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfffc, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfffb, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Integer overflow") returned 0x10 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfffa, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Range check error") returned 0x11 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfff9, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Division by zero") returned 0x10 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfff8, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Invalid numeric input") returned 0x15 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfff7, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Disk full") returned 0x9 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfff6, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Read beyond end of file") returned 0x17 [0103.038] LoadStringA (in: hInstance=0x400000, uID=0xfff5, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="File access denied") returned 0x12 [0103.039] LoadStringA (in: hInstance=0x400000, uID=0xfff4, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Too many open files") returned 0x13 [0103.039] LoadStringA (in: hInstance=0x400000, uID=0xfff3, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="Invalid filename") returned 0x10 [0103.039] LoadStringA (in: hInstance=0x400000, uID=0xfff2, lpBuffer=0x19fb08, cchBufferMax=1024 | out: lpBuffer="File not found") returned 0xe [0103.039] LoadStringA (in: hInstance=0x400000, uID=0xfff0, lpBuffer=0x19faf4, cchBufferMax=1024 | out: lpBuffer="Out of memory") returned 0xd [0103.039] LoadStringA (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x19faf4, cchBufferMax=1024 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0103.039] GetVersionExA (in: lpVersionInformation=0x19fe8c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x19fe8c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0103.039] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x772d0000 [0103.039] GetProcAddress (hModule=0x772d0000, lpProcName="GetDiskFreeSpaceExA") returned 0x7733ee90 [0103.039] GetThreadLocale () returned 0x409 [0103.039] GetThreadLocale () returned 0x409 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Jan") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x19fd64, cchData=256 | out: lpLCData="January") returned 8 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Feb") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x19fd64, cchData=256 | out: lpLCData="February") returned 9 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Mar") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x19fd64, cchData=256 | out: lpLCData="March") returned 6 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Apr") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x19fd64, cchData=256 | out: lpLCData="April") returned 6 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x19fd64, cchData=256 | out: lpLCData="May") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x19fd64, cchData=256 | out: lpLCData="May") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Jun") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x19fd64, cchData=256 | out: lpLCData="June") returned 5 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Jul") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x19fd64, cchData=256 | out: lpLCData="July") returned 5 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Aug") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x19fd64, cchData=256 | out: lpLCData="August") returned 7 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Sep") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x19fd64, cchData=256 | out: lpLCData="September") returned 10 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Oct") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x19fd64, cchData=256 | out: lpLCData="October") returned 8 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Nov") returned 4 [0103.039] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x19fd64, cchData=256 | out: lpLCData="November") returned 9 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Dec") returned 4 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x19fd64, cchData=256 | out: lpLCData="December") returned 9 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Sun") returned 4 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Sunday") returned 7 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Mon") returned 4 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Monday") returned 7 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Tue") returned 4 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Tuesday") returned 8 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Wed") returned 4 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Wednesday") returned 10 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Thu") returned 4 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Thursday") returned 9 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Fri") returned 4 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Friday") returned 7 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Sat") returned 4 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x19fd64, cchData=256 | out: lpLCData="Saturday") returned 9 [0103.040] GetThreadLocale () returned 0x409 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="$") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="0") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="0") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x19feb8, cchData=2 | out: lpLCData=",") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x19feb8, cchData=2 | out: lpLCData=".") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="2") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x19feb8, cchData=2 | out: lpLCData="/") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0103.040] GetThreadLocale () returned 0x409 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x19fd8c, cchData=256 | out: lpLCData="1") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="dddd, MMMM d, yyyy") returned 19 [0103.040] GetThreadLocale () returned 0x409 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x19fd8c, cchData=256 | out: lpLCData="1") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x19feb8, cchData=2 | out: lpLCData=":") returned 2 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="AM") returned 3 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="PM") returned 3 [0103.040] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="0") returned 2 [0103.041] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="0") returned 2 [0103.041] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x19fdc0, cchData=256 | out: lpLCData="0") returned 2 [0103.041] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x19feb8, cchData=2 | out: lpLCData=",") returned 2 [0103.041] CreateFileA (lpFileName="\\\\.\\PhysicalDrive0" (normalized: "\\device\\harddisk0\\dr0"), dwDesiredAccess=0x10000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x140 [0103.094] CreateFileA (lpFileName="\\\\.\\PhysicalDrive1" (normalized: "physicaldrive1"), dwDesiredAccess=0x10000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0103.118] CreateFileA (lpFileName="\\\\.\\PhysicalDrive2" (normalized: "physicaldrive2"), dwDesiredAccess=0x10000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0103.127] CreateFileA (lpFileName="\\\\.\\PhysicalDrive3" (normalized: "physicaldrive3"), dwDesiredAccess=0x10000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0103.137] CreateFileA (lpFileName="\\\\.\\I" (normalized: "i"), dwDesiredAccess=0x10000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0103.139] WriteFile (in: hFile=0x140, lpBuffer=0x4117a4*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x4397a4, lpOverlapped=0x0 | out: lpBuffer=0x4117a4*, lpNumberOfBytesWritten=0x4397a4*=0x8000, lpOverlapped=0x0) returned 1 [0103.197] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4197a4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x4397a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x4397a4, lpOverlapped=0x0) returned 0 [0103.208] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4217a4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x4397a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x4397a4, lpOverlapped=0x0) returned 0 [0103.209] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4297a4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x4397a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x4397a4, lpOverlapped=0x0) returned 0 [0103.209] WriteFile (in: hFile=0xffffffff, lpBuffer=0x4317a4, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x4397a4, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x4397a4, lpOverlapped=0x0) returned 0 [0103.209] CloseHandle (hObject=0x140) returned 1 [0103.210] CloseHandle (hObject=0xffffffff) returned 1 [0103.210] CloseHandle (hObject=0xffffffff) returned 1 [0103.210] CloseHandle (hObject=0xffffffff) returned 1 [0103.210] CloseHandle (hObject=0xffffffff) returned 1 [0103.210] WinExec (lpCmdLine="shutdown.exe -r -f -t 0", uCmdShow=0x0) returned 0x21 [0103.580] WinExec (lpCmdLine="C:\\Windows\\System32\\shutdown.exe -r -f -t 0", uCmdShow=0x0) returned 0x21 [0103.603] VirtualFree (lpAddress=0x1f60000, dwSize=0x4000, dwFreeType=0x4000) returned 1 [0103.604] VirtualFree (lpAddress=0x1f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0103.604] LocalFree (hMem=0x59b7d8) returned 0x0 [0103.604] LocalFree (hMem=0x59c7d8) returned 0x0 [0103.604] ExitProcess (uExitCode=0x0) Thread: id = 21 os_tid = 0x12c8 Process: id = "4" image_name = "shutdown.exe" filename = "c:\\windows\\syswow64\\shutdown.exe" page_root = "0x8a4c000" os_pid = "0xcf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x12ac" cmd_line = "shutdown.exe -r -f -t 0" cur_dir = "C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 22 os_tid = 0x53c Thread: id = 32 os_tid = 0xd60 Process: id = "5" image_name = "shutdown.exe" filename = "c:\\windows\\syswow64\\shutdown.exe" page_root = "0x914d000" os_pid = "0x1250" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x12ac" cmd_line = "C:\\Windows\\System32\\shutdown.exe -r -f -t 0" cur_dir = "C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 23 os_tid = 0x1214 Thread: id = 35 os_tid = 0xda0 Process: id = "6" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x992b000" os_pid = "0xc48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xcf8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 24 os_tid = 0x12c4 Thread: id = 26 os_tid = 0x104c Thread: id = 27 os_tid = 0xf98 Thread: id = 29 os_tid = 0x550 Thread: id = 30 os_tid = 0xd20 Process: id = "7" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xfd8b000" os_pid = "0xa50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1250" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 25 os_tid = 0x900 Thread: id = 28 os_tid = 0x4e4 Thread: id = 31 os_tid = 0xd04 Thread: id = 33 os_tid = 0xd48 Thread: id = 34 os_tid = 0xd90