URL Details

URL
http://nvipgfrdixwl.com/

Score

This url shows numerous signs of malicious behavior.

The score of this url is 3.4 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
URL Jan. 21, 2019, 5:17 a.m. Jan. 21, 2019, 5:23 a.m. 349 seconds

Machine

Name Label Started On Shutdown On
win7x32 win7x32 2019-01-21 05:17:12 2019-01-21 05:23:02

Analyzer Log

2019-01-20 21:17:12,015 [analyzer] DEBUG: Starting analyzer from: C:\bzxmq
2019-01-20 21:17:12,015 [analyzer] DEBUG: Pipe server name: \\.\PIPE\DclKIqCBqBtqMlvu
2019-01-20 21:17:12,015 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\MbjYGgBJxeGHGPkalcieQzQT
2019-01-20 21:17:25,040 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-20 21:17:25,338 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-20 21:17:25,338 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-20 21:17:25,400 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-01-20 21:17:25,400 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-01-20 21:17:25,400 [analyzer] DEBUG: Loaded monitor into process with pid 476
2019-01-20 21:17:25,400 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-20 21:17:25,400 [analyzer] DEBUG: Started auxiliary module Human
2019-01-20 21:17:25,400 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-20 21:17:25,400 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-20 21:17:25,509 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-20 21:17:25,509 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-20 21:17:25,572 [lib.api.process] INFO: Successfully executed process from path 'C:\\Windows\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"noInfZClo"', 'http://nvipgfrdixwl.com/'] and pid 3076
2019-01-20 21:17:25,727 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-20 21:17:25,727 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-20 21:17:25,898 [analyzer] DEBUG: Loaded monitor into process with pid 3076
2019-01-20 21:17:25,976 [analyzer] DEBUG: Received request to inject pid=3076, but we are already injected there.
2019-01-20 21:17:32,934 [analyzer] INFO: Injected into process with pid 3284 and name u'firefox.exe'
2019-01-20 21:17:34,276 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-20 21:17:34,276 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-01-20 21:17:34,354 [analyzer] DEBUG: Loaded monitor into process with pid 3284
2019-01-20 21:17:34,697 [analyzer] DEBUG: Received request to inject pid=3284, but we are already injected there.
2019-01-20 21:17:34,947 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\places.sqlite-journal
2019-01-20 21:17:34,963 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\bookmarkbackups\bookmarks-2019-01-21.json
2019-01-20 21:17:35,352 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-20 21:17:35,976 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\pluginreg.dat
2019-01-20 21:17:36,398 [lib.api.process] WARNING: The process with pid 3076 is not alive, memory dump aborted
2019-01-20 21:17:37,006 [analyzer] INFO: Process with pid 3076 has terminated
2019-01-20 21:17:39,815 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\formhistory.sqlite-journal
2019-01-20 21:17:39,970 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\cookies.sqlite-journal
2019-01-20 21:17:40,003 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_MAP_
2019-01-20 21:17:42,062 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\urlclassifier3.sqlite-journal
2019-01-20 21:17:42,076 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\urlclassifier3.sqlite
2019-01-20 21:17:42,092 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\sessionstore.js
2019-01-20 21:17:50,875 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\downloads.sqlite-journal
2019-01-20 21:17:51,109 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\downloads.sqlite-journal
2019-01-20 21:17:51,125 [analyzer] INFO: Added new file to list with pid 3284 and path C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\downloads.sqlite-journal
2019-01-20 21:21:38,588 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-20 21:22:26,184 [lib.api.process] INFO: Memory dump of process with pid 3284 completed
2019-01-20 21:22:26,184 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-20 21:22:26,184 [lib.api.process] INFO: Successfully terminated process with pid 3284.
2019-01-20 21:22:26,232 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-21 05:17:12,456 [lib.cuckoo.core.scheduler] INFO: Task #1188: acquired machine win7x32 (label=win7x32)
2019-01-21 05:17:12,485 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 7399 (interface=eth2, host=192.168.128.112, pcap=/opt/cuckoo/storage/analyses/1188/dump.pcap)
2019-01-21 05:17:18,312 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x32, ip=192.168.128.112)
2019-01-21 05:22:59,312 [lib.cuckoo.core.guest] INFO: win7x32: analysis completed successfully
2019-01-21 05:22:59,784 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-01-21 05:24:41,512 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-21 05:24:46,333 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9366cb4850>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:24:46,334 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9366cb4d50>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:24:46,335 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9366cb4590>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:24:46,336 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9366cb4850>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:24:46,336 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9366cb4850>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9366cb4850>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
Jan. 21, 2019, 12:17 a.m.
GetComputerNameA
computer_name: ADMIN-PC
success 1 0
Tries to locate where the browsers are installed (1 event)
file C:\Program Files\Mozilla Firefox\chrome\classic.manifest
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (2 events)
Time & API Arguments Status Return Repeated
Jan. 21, 2019, 12:17 a.m.
GlobalMemoryStatusEx
success 1 0
Jan. 21, 2019, 12:17 a.m.
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (17 events)
Time & API Arguments Status Return Repeated
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoCreateInstanceEx+0xe41 CoFreeUnusedLibrariesEx-0xad2 ole32+0x4ab3f @ 0x756cab3f
CoCreateInstanceEx+0x1d0 CoFreeUnusedLibrariesEx-0x1743 ole32+0x49ece @ 0x756c9ece
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
SHParseDisplayName+0x315 SHGetKnownFolderIDList-0x2003 shell32+0x88190 @ 0x75ab8190
SHParseDisplayName+0x412 SHGetKnownFolderIDList-0x1f06 shell32+0x8828d @ 0x75ab828d
SHParseDisplayName+0xaf5 SHGetKnownFolderIDList-0x1823 shell32+0x88970 @ 0x75ab8970
SHGetDesktopFolder+0x2e3 SHGetIDListFromObject-0xd4a shell32+0xa1b7d @ 0x75ad1b7d
SHCreateShellItemArrayFromIDLists+0x1bf8 SHDefExtractIconW-0x65f shell32+0x667a1 @ 0x75a967a1
SHGetMalloc+0x1500 ShellExecuteExW-0x393 shell32+0x21ada @ 0x75a51ada
SHParseDisplayName+0xa9 SHGetKnownFolderIDList-0x226f shell32+0x87f24 @ 0x75ab7f24
ShellExecuteExW+0x355 SHGetNameFromIDList-0x8806 shell32+0x221c2 @ 0x75a521c2
ShellExecuteExW+0x43e SHGetNameFromIDList-0x871d shell32+0x222ab @ 0x75a522ab
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21558340
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21558352
registers.edx: 14007
registers.ebx: 21558588
registers.esi: 1
registers.ecx: 20522028
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoInitializeSecurity+0x21a8 CoGetTreatAsClass-0x1332 ole32+0x293c1 @ 0x756a93c1
CoSetState+0xeba IsValidInterface-0x764 ole32+0x43577 @ 0x756c3577
CoSetState+0xced IsValidInterface-0x931 ole32+0x433aa @ 0x756c33aa
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoCreateInstanceEx+0xe41 CoFreeUnusedLibrariesEx-0xad2 ole32+0x4ab3f @ 0x756cab3f
CoCreateInstanceEx+0x1d0 CoFreeUnusedLibrariesEx-0x1743 ole32+0x49ece @ 0x756c9ece
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
SHParseDisplayName+0x315 SHGetKnownFolderIDList-0x2003 shell32+0x88190 @ 0x75ab8190
SHParseDisplayName+0x412 SHGetKnownFolderIDList-0x1f06 shell32+0x8828d @ 0x75ab828d
SHParseDisplayName+0xaf5 SHGetKnownFolderIDList-0x1823 shell32+0x88970 @ 0x75ab8970
SHGetDesktopFolder+0x2e3 SHGetIDListFromObject-0xd4a shell32+0xa1b7d @ 0x75ad1b7d
SHCreateShellItemArrayFromIDLists+0x1bf8 SHDefExtractIconW-0x65f shell32+0x667a1 @ 0x75a967a1
SHGetMalloc+0x1500 ShellExecuteExW-0x393 shell32+0x21ada @ 0x75a51ada
SHParseDisplayName+0xa9 SHGetKnownFolderIDList-0x226f shell32+0x87f24 @ 0x75ab7f24
ShellExecuteExW+0x355 SHGetNameFromIDList-0x8806 shell32+0x221c2 @ 0x75a521c2
ShellExecuteExW+0x43e SHGetNameFromIDList-0x871d shell32+0x222ab @ 0x75a522ab
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21557944
registers.edi: 162
registers.eax: 20520960
registers.ebp: 21557956
registers.edx: 1994746996
registers.ebx: 1994742960
registers.esi: 1
registers.ecx: 20521484
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoSetState+0x11a0 IsValidInterface-0x47e ole32+0x4385d @ 0x756c385d
CoSetState+0xff8 IsValidInterface-0x626 ole32+0x436b5 @ 0x756c36b5
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoCreateInstanceEx+0xe41 CoFreeUnusedLibrariesEx-0xad2 ole32+0x4ab3f @ 0x756cab3f
CoCreateInstanceEx+0x1d0 CoFreeUnusedLibrariesEx-0x1743 ole32+0x49ece @ 0x756c9ece
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
SHParseDisplayName+0x315 SHGetKnownFolderIDList-0x2003 shell32+0x88190 @ 0x75ab8190
SHParseDisplayName+0x412 SHGetKnownFolderIDList-0x1f06 shell32+0x8828d @ 0x75ab828d
SHParseDisplayName+0xaf5 SHGetKnownFolderIDList-0x1823 shell32+0x88970 @ 0x75ab8970
SHGetDesktopFolder+0x2e3 SHGetIDListFromObject-0xd4a shell32+0xa1b7d @ 0x75ad1b7d
SHCreateShellItemArrayFromIDLists+0x1bf8 SHDefExtractIconW-0x65f shell32+0x667a1 @ 0x75a967a1
SHGetMalloc+0x1500 ShellExecuteExW-0x393 shell32+0x21ada @ 0x75a51ada
SHParseDisplayName+0xa9 SHGetKnownFolderIDList-0x226f shell32+0x87f24 @ 0x75ab7f24
ShellExecuteExW+0x355 SHGetNameFromIDList-0x8806 shell32+0x221c2 @ 0x75a521c2
ShellExecuteExW+0x43e SHGetNameFromIDList-0x871d shell32+0x222ab @ 0x75a522ab
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21558344
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21558356
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 20522028
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoSetState+0xac4 IsValidInterface-0xb5a ole32+0x43181 @ 0x756c3181
PropVariantClear+0x14d7 CoGetComCatalog-0xb15 ole32+0x45208 @ 0x756c5208
CoCreateInstanceEx+0x157c CoFreeUnusedLibrariesEx-0x397 ole32+0x4b27a @ 0x756cb27a
CoCreateInstanceEx+0x21c CoFreeUnusedLibrariesEx-0x16f7 ole32+0x49f1a @ 0x756c9f1a
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
SHParseDisplayName+0x315 SHGetKnownFolderIDList-0x2003 shell32+0x88190 @ 0x75ab8190
SHParseDisplayName+0x412 SHGetKnownFolderIDList-0x1f06 shell32+0x8828d @ 0x75ab828d
SHParseDisplayName+0xaf5 SHGetKnownFolderIDList-0x1823 shell32+0x88970 @ 0x75ab8970
SHGetDesktopFolder+0x2e3 SHGetIDListFromObject-0xd4a shell32+0xa1b7d @ 0x75ad1b7d
SHCreateShellItemArrayFromIDLists+0x1bf8 SHDefExtractIconW-0x65f shell32+0x667a1 @ 0x75a967a1
SHGetMalloc+0x1500 ShellExecuteExW-0x393 shell32+0x21ada @ 0x75a51ada
SHParseDisplayName+0xa9 SHGetKnownFolderIDList-0x226f shell32+0x87f24 @ 0x75ab7f24
ShellExecuteExW+0x355 SHGetNameFromIDList-0x8806 shell32+0x221c2 @ 0x75a521c2
ShellExecuteExW+0x43e SHGetNameFromIDList-0x871d shell32+0x222ab @ 0x75a522ab
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21558228
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21558240
registers.edx: 14007
registers.ebx: 21558476
registers.esi: 1
registers.ecx: 20521916
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoSetState+0xac4 IsValidInterface-0xb5a ole32+0x43181 @ 0x756c3181
PropVariantClear+0x1057 CoGetComCatalog-0xf95 ole32+0x44d88 @ 0x756c4d88
CoSetState+0x8e9 IsValidInterface-0xd35 ole32+0x42fa6 @ 0x756c2fa6
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
SHParseDisplayName+0x315 SHGetKnownFolderIDList-0x2003 shell32+0x88190 @ 0x75ab8190
SHParseDisplayName+0x412 SHGetKnownFolderIDList-0x1f06 shell32+0x8828d @ 0x75ab828d
SHParseDisplayName+0xaf5 SHGetKnownFolderIDList-0x1823 shell32+0x88970 @ 0x75ab8970
SHGetDesktopFolder+0x2e3 SHGetIDListFromObject-0xd4a shell32+0xa1b7d @ 0x75ad1b7d
SHCreateShellItemArrayFromIDLists+0x1bf8 SHDefExtractIconW-0x65f shell32+0x667a1 @ 0x75a967a1
SHGetMalloc+0x1500 ShellExecuteExW-0x393 shell32+0x21ada @ 0x75a51ada
SHParseDisplayName+0xa9 SHGetKnownFolderIDList-0x226f shell32+0x87f24 @ 0x75ab7f24
ShellExecuteExW+0x355 SHGetNameFromIDList-0x8806 shell32+0x221c2 @ 0x75a521c2
ShellExecuteExW+0x43e SHGetNameFromIDList-0x871d shell32+0x222ab @ 0x75a522ab
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21556524
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21556536
registers.edx: 14007
registers.ebx: 21556772
registers.esi: 1
registers.ecx: 20520204
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoCreateInstanceEx+0xe41 CoFreeUnusedLibrariesEx-0xad2 ole32+0x4ab3f @ 0x756cab3f
CoCreateInstanceEx+0x1d0 CoFreeUnusedLibrariesEx-0x1743 ole32+0x49ece @ 0x756c9ece
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
DllGetClassObject+0x3a6 PropVariantToBoolean-0x1750 propsys+0x9cef @ 0x739c9cef
PropVariantToVariant+0x4a4 PSCreatePropertyStoreFromObject-0x14a2 propsys+0x6907 @ 0x739c6907
PSCreateAdapterFromPropertyStore+0x46 PSGetItemPropertyHandlerWithCreateObject-0x153a propsys+0x4a5c7 @ 0x73a0a5c7
DllGetClassObject+0x49d4a IEGetWriteableHKCU-0x44456 ieframe+0x6e52a @ 0x6db1e52a
DllGetClassObject+0x49e94 IEGetWriteableHKCU-0x4430c ieframe+0x6e674 @ 0x6db1e674
DllGetClassObject+0x406a7 IEGetWriteableHKCU-0x4daf9 ieframe+0x64e87 @ 0x6db14e87
DllGetClassObject+0x408a8 IEGetWriteableHKCU-0x4d8f8 ieframe+0x65088 @ 0x6db15088
DllGetClassObject+0x498c8 IEGetWriteableHKCU-0x448d8 ieframe+0x6e0a8 @ 0x6db1e0a8
IEIsInPrivateBrowsing+0xaede CreateExtensionGuidEnumerator-0x171b2 ieframe+0xeb37e @ 0x6db9b37e
SHILCreateFromPath+0x81b SHEvaluateSystemCommandTemplate-0x3bff shell32+0x60251 @ 0x75a90251
SHGetPathFromIDList+0xa8bd ReadCabinetState-0x3d8 shell32+0x12c3f1 @ 0x75b5c3f1
SHGetPathFromIDList+0xa878 ReadCabinetState-0x41d shell32+0x12c3ac @ 0x75b5c3ac
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21549368
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21549380
registers.edx: 14007
registers.ebx: 21549616
registers.esi: 1
registers.ecx: 20513052
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoInitializeSecurity+0x21a8 CoGetTreatAsClass-0x1332 ole32+0x293c1 @ 0x756a93c1
CoSetState+0xeba IsValidInterface-0x764 ole32+0x43577 @ 0x756c3577
CoSetState+0xced IsValidInterface-0x931 ole32+0x433aa @ 0x756c33aa
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoCreateInstanceEx+0xe41 CoFreeUnusedLibrariesEx-0xad2 ole32+0x4ab3f @ 0x756cab3f
CoCreateInstanceEx+0x1d0 CoFreeUnusedLibrariesEx-0x1743 ole32+0x49ece @ 0x756c9ece
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
DllGetClassObject+0x3a6 PropVariantToBoolean-0x1750 propsys+0x9cef @ 0x739c9cef
PropVariantToVariant+0x4a4 PSCreatePropertyStoreFromObject-0x14a2 propsys+0x6907 @ 0x739c6907
PSCreateAdapterFromPropertyStore+0x46 PSGetItemPropertyHandlerWithCreateObject-0x153a propsys+0x4a5c7 @ 0x73a0a5c7
DllGetClassObject+0x49d4a IEGetWriteableHKCU-0x44456 ieframe+0x6e52a @ 0x6db1e52a
DllGetClassObject+0x49e94 IEGetWriteableHKCU-0x4430c ieframe+0x6e674 @ 0x6db1e674
DllGetClassObject+0x406a7 IEGetWriteableHKCU-0x4daf9 ieframe+0x64e87 @ 0x6db14e87
DllGetClassObject+0x408a8 IEGetWriteableHKCU-0x4d8f8 ieframe+0x65088 @ 0x6db15088
DllGetClassObject+0x498c8 IEGetWriteableHKCU-0x448d8 ieframe+0x6e0a8 @ 0x6db1e0a8
IEIsInPrivateBrowsing+0xaede CreateExtensionGuidEnumerator-0x171b2 ieframe+0xeb37e @ 0x6db9b37e
SHILCreateFromPath+0x81b SHEvaluateSystemCommandTemplate-0x3bff shell32+0x60251 @ 0x75a90251
SHGetPathFromIDList+0xa8bd ReadCabinetState-0x3d8 shell32+0x12c3f1 @ 0x75b5c3f1
SHGetPathFromIDList+0xa878 ReadCabinetState-0x41d shell32+0x12c3ac @ 0x75b5c3ac
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21548972
registers.edi: 162
registers.eax: 20520960
registers.ebp: 21548984
registers.edx: 1994746996
registers.ebx: 1994742960
registers.esi: 1
registers.ecx: 20512508
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoSetState+0x11a0 IsValidInterface-0x47e ole32+0x4385d @ 0x756c385d
CoSetState+0xff8 IsValidInterface-0x626 ole32+0x436b5 @ 0x756c36b5
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoCreateInstanceEx+0xe41 CoFreeUnusedLibrariesEx-0xad2 ole32+0x4ab3f @ 0x756cab3f
CoCreateInstanceEx+0x1d0 CoFreeUnusedLibrariesEx-0x1743 ole32+0x49ece @ 0x756c9ece
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
DllGetClassObject+0x3a6 PropVariantToBoolean-0x1750 propsys+0x9cef @ 0x739c9cef
PropVariantToVariant+0x4a4 PSCreatePropertyStoreFromObject-0x14a2 propsys+0x6907 @ 0x739c6907
PSCreateAdapterFromPropertyStore+0x46 PSGetItemPropertyHandlerWithCreateObject-0x153a propsys+0x4a5c7 @ 0x73a0a5c7
DllGetClassObject+0x49d4a IEGetWriteableHKCU-0x44456 ieframe+0x6e52a @ 0x6db1e52a
DllGetClassObject+0x49e94 IEGetWriteableHKCU-0x4430c ieframe+0x6e674 @ 0x6db1e674
DllGetClassObject+0x406a7 IEGetWriteableHKCU-0x4daf9 ieframe+0x64e87 @ 0x6db14e87
DllGetClassObject+0x408a8 IEGetWriteableHKCU-0x4d8f8 ieframe+0x65088 @ 0x6db15088
DllGetClassObject+0x498c8 IEGetWriteableHKCU-0x448d8 ieframe+0x6e0a8 @ 0x6db1e0a8
IEIsInPrivateBrowsing+0xaede CreateExtensionGuidEnumerator-0x171b2 ieframe+0xeb37e @ 0x6db9b37e
SHILCreateFromPath+0x81b SHEvaluateSystemCommandTemplate-0x3bff shell32+0x60251 @ 0x75a90251
SHGetPathFromIDList+0xa8bd ReadCabinetState-0x3d8 shell32+0x12c3f1 @ 0x75b5c3f1
SHGetPathFromIDList+0xa878 ReadCabinetState-0x41d shell32+0x12c3ac @ 0x75b5c3ac
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21549372
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21549384
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 20513052
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoSetState+0xac4 IsValidInterface-0xb5a ole32+0x43181 @ 0x756c3181
PropVariantClear+0x14d7 CoGetComCatalog-0xb15 ole32+0x45208 @ 0x756c5208
CoCreateInstanceEx+0x157c CoFreeUnusedLibrariesEx-0x397 ole32+0x4b27a @ 0x756cb27a
CoCreateInstanceEx+0x21c CoFreeUnusedLibrariesEx-0x16f7 ole32+0x49f1a @ 0x756c9f1a
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
DllGetClassObject+0x3a6 PropVariantToBoolean-0x1750 propsys+0x9cef @ 0x739c9cef
PropVariantToVariant+0x4a4 PSCreatePropertyStoreFromObject-0x14a2 propsys+0x6907 @ 0x739c6907
PSCreateAdapterFromPropertyStore+0x46 PSGetItemPropertyHandlerWithCreateObject-0x153a propsys+0x4a5c7 @ 0x73a0a5c7
DllGetClassObject+0x49d4a IEGetWriteableHKCU-0x44456 ieframe+0x6e52a @ 0x6db1e52a
DllGetClassObject+0x49e94 IEGetWriteableHKCU-0x4430c ieframe+0x6e674 @ 0x6db1e674
DllGetClassObject+0x406a7 IEGetWriteableHKCU-0x4daf9 ieframe+0x64e87 @ 0x6db14e87
DllGetClassObject+0x408a8 IEGetWriteableHKCU-0x4d8f8 ieframe+0x65088 @ 0x6db15088
DllGetClassObject+0x498c8 IEGetWriteableHKCU-0x448d8 ieframe+0x6e0a8 @ 0x6db1e0a8
IEIsInPrivateBrowsing+0xaede CreateExtensionGuidEnumerator-0x171b2 ieframe+0xeb37e @ 0x6db9b37e
SHILCreateFromPath+0x81b SHEvaluateSystemCommandTemplate-0x3bff shell32+0x60251 @ 0x75a90251
SHGetPathFromIDList+0xa8bd ReadCabinetState-0x3d8 shell32+0x12c3f1 @ 0x75b5c3f1
SHGetPathFromIDList+0xa878 ReadCabinetState-0x41d shell32+0x12c3ac @ 0x75b5c3ac
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21549256
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21549268
registers.edx: 14007
registers.ebx: 21549504
registers.esi: 1
registers.ecx: 20512940
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoSetState+0xac4 IsValidInterface-0xb5a ole32+0x43181 @ 0x756c3181
PropVariantClear+0x1057 CoGetComCatalog-0xf95 ole32+0x44d88 @ 0x756c4d88
CoSetState+0x8e9 IsValidInterface-0xd35 ole32+0x42fa6 @ 0x756c2fa6
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
DllGetClassObject+0x3a6 PropVariantToBoolean-0x1750 propsys+0x9cef @ 0x739c9cef
PropVariantToVariant+0x4a4 PSCreatePropertyStoreFromObject-0x14a2 propsys+0x6907 @ 0x739c6907
PSCreateAdapterFromPropertyStore+0x46 PSGetItemPropertyHandlerWithCreateObject-0x153a propsys+0x4a5c7 @ 0x73a0a5c7
DllGetClassObject+0x49d4a IEGetWriteableHKCU-0x44456 ieframe+0x6e52a @ 0x6db1e52a
DllGetClassObject+0x49e94 IEGetWriteableHKCU-0x4430c ieframe+0x6e674 @ 0x6db1e674
DllGetClassObject+0x406a7 IEGetWriteableHKCU-0x4daf9 ieframe+0x64e87 @ 0x6db14e87
DllGetClassObject+0x408a8 IEGetWriteableHKCU-0x4d8f8 ieframe+0x65088 @ 0x6db15088
DllGetClassObject+0x498c8 IEGetWriteableHKCU-0x448d8 ieframe+0x6e0a8 @ 0x6db1e0a8
IEIsInPrivateBrowsing+0xaede CreateExtensionGuidEnumerator-0x171b2 ieframe+0xeb37e @ 0x6db9b37e
SHILCreateFromPath+0x81b SHEvaluateSystemCommandTemplate-0x3bff shell32+0x60251 @ 0x75a90251
SHGetPathFromIDList+0xa8bd ReadCabinetState-0x3d8 shell32+0x12c3f1 @ 0x75b5c3f1
SHGetPathFromIDList+0xa878 ReadCabinetState-0x41d shell32+0x12c3ac @ 0x75b5c3ac
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21547548
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21547560
registers.edx: 14007
registers.ebx: 21547796
registers.esi: 1
registers.ecx: 20511228
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoCreateInstanceEx+0xe41 CoFreeUnusedLibrariesEx-0xad2 ole32+0x4ab3f @ 0x756cab3f
CoCreateInstanceEx+0x1d0 CoFreeUnusedLibrariesEx-0x1743 ole32+0x49ece @ 0x756c9ece
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
TF_CreateLangBarItemMgr+0x3053 CtfImeInquireExW-0x13ff msctf+0x116fa @ 0x753816fa
TF_CreateLangBarItemMgr+0x2c4b CtfImeInquireExW-0x1807 msctf+0x112f2 @ 0x753812f2
TF_CreateLangBarItemMgr+0x2e8f CtfImeInquireExW-0x15c3 msctf+0x11536 @ 0x75381536
TF_CreateLangBarItemMgr+0x29a9 CtfImeInquireExW-0x1aa9 msctf+0x11050 @ 0x75381050
TF_CreateLangBarItemMgr+0x2736 CtfImeInquireExW-0x1d1c msctf+0x10ddd @ 0x75380ddd
TF_CreateLangBarItemMgr+0x26bb CtfImeInquireExW-0x1d97 msctf+0x10d62 @ 0x75380d62
TF_CreateLangBarItemMgr+0x24ba CtfImeInquireExW-0x1f98 msctf+0x10b61 @ 0x75380b61
TF_CreateThreadMgr+0x39a CtfImeSelectEx-0x1232 msctf+0x800e @ 0x7537800e
TF_CreateLangBarItemMgr+0x265f CtfImeInquireExW-0x1df3 msctf+0x10d06 @ 0x75380d06
TF_CreateLangBarItemMgr+0x323d CtfImeInquireExW-0x1215 msctf+0x118e4 @ 0x753818e4
TrackMouseEvent+0x3e DrawEdge-0x2e user32+0x130bc @ 0x76c930bc
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
GetGadgetRect-0x1e51 duser+0x14e9 @ 0x73e414e9
KillTimer+0x58 TranslateAcceleratorW-0x12f user32+0x1651f @ 0x76c9651f
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
PeekMessageW+0x157 TranslateMessage-0x26 user32+0x16471 @ 0x76c96471
DrawStateW+0x24a GetActiveWindow-0x361 user32+0x337a2 @ 0x76cb37a2
DrawStateW+0x59f GetActiveWindow-0xc user32+0x33af7 @ 0x76cb3af7
DialogBoxIndirectParamAorW+0x36 DialogBoxIndirectParamW-0x9 user32+0x33b46 @ 0x76cb3b46
DialogBoxIndirectParamW+0x1b EndDialog-0x9 user32+0x33b6a @ 0x76cb3b6a
DllInstall+0x1083f ImageList_SetBkColor-0x2c0f comctl32+0x7d504 @ 0x73d1d504
DllInstall+0x107cf ImageList_SetBkColor-0x2c7f comctl32+0x7d494 @ 0x73d1d494
ShellMessageBoxW+0x163 StrCpyW-0xf1 shlwapi+0x3df34 @ 0x7562df34
SHGetFileInfo+0xa9b1 SHCreateStdEnumFmtEtc-0x4b161 shell32+0x1b919c @ 0x75be919c
RegenerateUserEnvironment+0xf77 StrCmpNIW-0x1d9e shell32+0xbbd80 @ 0x75aebd80
SHEnableServiceObject+0x284d DoEnvironmentSubstW-0xf34 shell32+0x10cfe @ 0x75a40cfe
ShellExecuteExW+0x40c SHGetNameFromIDList-0x874f shell32+0x22279 @ 0x75a52279
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21557864
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21557876
registers.edx: 14007
registers.ebx: 21558112
registers.esi: 1
registers.ecx: 20521548
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoSetState+0x11a0 IsValidInterface-0x47e ole32+0x4385d @ 0x756c385d
CoSetState+0xff8 IsValidInterface-0x626 ole32+0x436b5 @ 0x756c36b5
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoCreateInstanceEx+0xe41 CoFreeUnusedLibrariesEx-0xad2 ole32+0x4ab3f @ 0x756cab3f
CoCreateInstanceEx+0x1d0 CoFreeUnusedLibrariesEx-0x1743 ole32+0x49ece @ 0x756c9ece
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
TF_CreateLangBarItemMgr+0x3053 CtfImeInquireExW-0x13ff msctf+0x116fa @ 0x753816fa
TF_CreateLangBarItemMgr+0x2c4b CtfImeInquireExW-0x1807 msctf+0x112f2 @ 0x753812f2
TF_CreateLangBarItemMgr+0x2e8f CtfImeInquireExW-0x15c3 msctf+0x11536 @ 0x75381536
TF_CreateLangBarItemMgr+0x29a9 CtfImeInquireExW-0x1aa9 msctf+0x11050 @ 0x75381050
TF_CreateLangBarItemMgr+0x2736 CtfImeInquireExW-0x1d1c msctf+0x10ddd @ 0x75380ddd
TF_CreateLangBarItemMgr+0x26bb CtfImeInquireExW-0x1d97 msctf+0x10d62 @ 0x75380d62
TF_CreateLangBarItemMgr+0x24ba CtfImeInquireExW-0x1f98 msctf+0x10b61 @ 0x75380b61
TF_CreateThreadMgr+0x39a CtfImeSelectEx-0x1232 msctf+0x800e @ 0x7537800e
TF_CreateLangBarItemMgr+0x265f CtfImeInquireExW-0x1df3 msctf+0x10d06 @ 0x75380d06
TF_CreateLangBarItemMgr+0x323d CtfImeInquireExW-0x1215 msctf+0x118e4 @ 0x753818e4
TrackMouseEvent+0x3e DrawEdge-0x2e user32+0x130bc @ 0x76c930bc
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
GetGadgetRect-0x1e51 duser+0x14e9 @ 0x73e414e9
KillTimer+0x58 TranslateAcceleratorW-0x12f user32+0x1651f @ 0x76c9651f
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
PeekMessageW+0x157 TranslateMessage-0x26 user32+0x16471 @ 0x76c96471
DrawStateW+0x24a GetActiveWindow-0x361 user32+0x337a2 @ 0x76cb37a2
DrawStateW+0x59f GetActiveWindow-0xc user32+0x33af7 @ 0x76cb3af7
DialogBoxIndirectParamAorW+0x36 DialogBoxIndirectParamW-0x9 user32+0x33b46 @ 0x76cb3b46
DialogBoxIndirectParamW+0x1b EndDialog-0x9 user32+0x33b6a @ 0x76cb3b6a
DllInstall+0x1083f ImageList_SetBkColor-0x2c0f comctl32+0x7d504 @ 0x73d1d504
DllInstall+0x107cf ImageList_SetBkColor-0x2c7f comctl32+0x7d494 @ 0x73d1d494
ShellMessageBoxW+0x163 StrCpyW-0xf1 shlwapi+0x3df34 @ 0x7562df34
SHGetFileInfo+0xa9b1 SHCreateStdEnumFmtEtc-0x4b161 shell32+0x1b919c @ 0x75be919c
RegenerateUserEnvironment+0xf77 StrCmpNIW-0x1d9e shell32+0xbbd80 @ 0x75aebd80
SHEnableServiceObject+0x284d DoEnvironmentSubstW-0xf34 shell32+0x10cfe @ 0x75a40cfe
ShellExecuteExW+0x40c SHGetNameFromIDList-0x874f shell32+0x22279 @ 0x75a52279
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21557868
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21557880
registers.edx: 1970051772
registers.ebx: 0
registers.esi: 1
registers.ecx: 20521548
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoSetState+0xac4 IsValidInterface-0xb5a ole32+0x43181 @ 0x756c3181
PropVariantClear+0x14d7 CoGetComCatalog-0xb15 ole32+0x45208 @ 0x756c5208
CoCreateInstanceEx+0x157c CoFreeUnusedLibrariesEx-0x397 ole32+0x4b27a @ 0x756cb27a
CoCreateInstanceEx+0x21c CoFreeUnusedLibrariesEx-0x16f7 ole32+0x49f1a @ 0x756c9f1a
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
TF_CreateLangBarItemMgr+0x3053 CtfImeInquireExW-0x13ff msctf+0x116fa @ 0x753816fa
TF_CreateLangBarItemMgr+0x2c4b CtfImeInquireExW-0x1807 msctf+0x112f2 @ 0x753812f2
TF_CreateLangBarItemMgr+0x2e8f CtfImeInquireExW-0x15c3 msctf+0x11536 @ 0x75381536
TF_CreateLangBarItemMgr+0x29a9 CtfImeInquireExW-0x1aa9 msctf+0x11050 @ 0x75381050
TF_CreateLangBarItemMgr+0x2736 CtfImeInquireExW-0x1d1c msctf+0x10ddd @ 0x75380ddd
TF_CreateLangBarItemMgr+0x26bb CtfImeInquireExW-0x1d97 msctf+0x10d62 @ 0x75380d62
TF_CreateLangBarItemMgr+0x24ba CtfImeInquireExW-0x1f98 msctf+0x10b61 @ 0x75380b61
TF_CreateThreadMgr+0x39a CtfImeSelectEx-0x1232 msctf+0x800e @ 0x7537800e
TF_CreateLangBarItemMgr+0x265f CtfImeInquireExW-0x1df3 msctf+0x10d06 @ 0x75380d06
TF_CreateLangBarItemMgr+0x323d CtfImeInquireExW-0x1215 msctf+0x118e4 @ 0x753818e4
TrackMouseEvent+0x3e DrawEdge-0x2e user32+0x130bc @ 0x76c930bc
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
GetGadgetRect-0x1e51 duser+0x14e9 @ 0x73e414e9
KillTimer+0x58 TranslateAcceleratorW-0x12f user32+0x1651f @ 0x76c9651f
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
PeekMessageW+0x157 TranslateMessage-0x26 user32+0x16471 @ 0x76c96471
DrawStateW+0x24a GetActiveWindow-0x361 user32+0x337a2 @ 0x76cb37a2
DrawStateW+0x59f GetActiveWindow-0xc user32+0x33af7 @ 0x76cb3af7
DialogBoxIndirectParamAorW+0x36 DialogBoxIndirectParamW-0x9 user32+0x33b46 @ 0x76cb3b46
DialogBoxIndirectParamW+0x1b EndDialog-0x9 user32+0x33b6a @ 0x76cb3b6a
DllInstall+0x1083f ImageList_SetBkColor-0x2c0f comctl32+0x7d504 @ 0x73d1d504
DllInstall+0x107cf ImageList_SetBkColor-0x2c7f comctl32+0x7d494 @ 0x73d1d494
ShellMessageBoxW+0x163 StrCpyW-0xf1 shlwapi+0x3df34 @ 0x7562df34
SHGetFileInfo+0xa9b1 SHCreateStdEnumFmtEtc-0x4b161 shell32+0x1b919c @ 0x75be919c
RegenerateUserEnvironment+0xf77 StrCmpNIW-0x1d9e shell32+0xbbd80 @ 0x75aebd80
SHEnableServiceObject+0x284d DoEnvironmentSubstW-0xf34 shell32+0x10cfe @ 0x75a40cfe
ShellExecuteExW+0x40c SHGetNameFromIDList-0x874f shell32+0x22279 @ 0x75a52279
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21557752
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21557764
registers.edx: 14007
registers.ebx: 21558000
registers.esi: 1
registers.ecx: 20521436
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoSetState+0xac4 IsValidInterface-0xb5a ole32+0x43181 @ 0x756c3181
PropVariantClear+0x1057 CoGetComCatalog-0xf95 ole32+0x44d88 @ 0x756c4d88
CoSetState+0x8e9 IsValidInterface-0xd35 ole32+0x42fa6 @ 0x756c2fa6
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
TF_CreateLangBarItemMgr+0x3053 CtfImeInquireExW-0x13ff msctf+0x116fa @ 0x753816fa
TF_CreateLangBarItemMgr+0x2c4b CtfImeInquireExW-0x1807 msctf+0x112f2 @ 0x753812f2
TF_CreateLangBarItemMgr+0x2e8f CtfImeInquireExW-0x15c3 msctf+0x11536 @ 0x75381536
TF_CreateLangBarItemMgr+0x29a9 CtfImeInquireExW-0x1aa9 msctf+0x11050 @ 0x75381050
TF_CreateLangBarItemMgr+0x2736 CtfImeInquireExW-0x1d1c msctf+0x10ddd @ 0x75380ddd
TF_CreateLangBarItemMgr+0x26bb CtfImeInquireExW-0x1d97 msctf+0x10d62 @ 0x75380d62
TF_CreateLangBarItemMgr+0x24ba CtfImeInquireExW-0x1f98 msctf+0x10b61 @ 0x75380b61
TF_CreateThreadMgr+0x39a CtfImeSelectEx-0x1232 msctf+0x800e @ 0x7537800e
TF_CreateLangBarItemMgr+0x265f CtfImeInquireExW-0x1df3 msctf+0x10d06 @ 0x75380d06
TF_CreateLangBarItemMgr+0x323d CtfImeInquireExW-0x1215 msctf+0x118e4 @ 0x753818e4
TrackMouseEvent+0x3e DrawEdge-0x2e user32+0x130bc @ 0x76c930bc
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
GetGadgetRect-0x1e51 duser+0x14e9 @ 0x73e414e9
KillTimer+0x58 TranslateAcceleratorW-0x12f user32+0x1651f @ 0x76c9651f
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
PeekMessageW+0x157 TranslateMessage-0x26 user32+0x16471 @ 0x76c96471
DrawStateW+0x24a GetActiveWindow-0x361 user32+0x337a2 @ 0x76cb37a2
DrawStateW+0x59f GetActiveWindow-0xc user32+0x33af7 @ 0x76cb3af7
DialogBoxIndirectParamAorW+0x36 DialogBoxIndirectParamW-0x9 user32+0x33b46 @ 0x76cb3b46
DialogBoxIndirectParamW+0x1b EndDialog-0x9 user32+0x33b6a @ 0x76cb3b6a
DllInstall+0x1083f ImageList_SetBkColor-0x2c0f comctl32+0x7d504 @ 0x73d1d504
DllInstall+0x107cf ImageList_SetBkColor-0x2c7f comctl32+0x7d494 @ 0x73d1d494
ShellMessageBoxW+0x163 StrCpyW-0xf1 shlwapi+0x3df34 @ 0x7562df34
SHGetFileInfo+0xa9b1 SHCreateStdEnumFmtEtc-0x4b161 shell32+0x1b919c @ 0x75be919c
RegenerateUserEnvironment+0xf77 StrCmpNIW-0x1d9e shell32+0xbbd80 @ 0x75aebd80
SHEnableServiceObject+0x284d DoEnvironmentSubstW-0xf34 shell32+0x10cfe @ 0x75a40cfe
ShellExecuteExW+0x40c SHGetNameFromIDList-0x874f shell32+0x22279 @ 0x75a52279
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21556044
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21556056
registers.edx: 14007
registers.ebx: 21556292
registers.esi: 1
registers.ecx: 20519724
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoCreateInstanceEx+0xe41 CoFreeUnusedLibrariesEx-0xad2 ole32+0x4ab3f @ 0x756cab3f
CoCreateInstanceEx+0x1d0 CoFreeUnusedLibrariesEx-0x1743 ole32+0x49ece @ 0x756c9ece
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
TF_CreateLangBarItemMgr+0x3053 CtfImeInquireExW-0x13ff msctf+0x116fa @ 0x753816fa
TF_CreateLangBarItemMgr+0x2c4b CtfImeInquireExW-0x1807 msctf+0x112f2 @ 0x753812f2
TF_CreateLangBarItemMgr+0x2e8f CtfImeInquireExW-0x15c3 msctf+0x11536 @ 0x75381536
TF_CreateLangBarItemMgr+0x29a9 CtfImeInquireExW-0x1aa9 msctf+0x11050 @ 0x75381050
TF_CreateLangBarItemMgr+0x2736 CtfImeInquireExW-0x1d1c msctf+0x10ddd @ 0x75380ddd
TF_CreateLangBarItemMgr+0x26bb CtfImeInquireExW-0x1d97 msctf+0x10d62 @ 0x75380d62
TF_CreateLangBarItemMgr+0x24ba CtfImeInquireExW-0x1f98 msctf+0x10b61 @ 0x75380b61
TF_CreateThreadMgr+0x39a CtfImeSelectEx-0x1232 msctf+0x800e @ 0x7537800e
TF_CreateLangBarItemMgr+0x265f CtfImeInquireExW-0x1df3 msctf+0x10d06 @ 0x75380d06
TF_CreateLangBarItemMgr+0x323d CtfImeInquireExW-0x1215 msctf+0x118e4 @ 0x753818e4
TrackMouseEvent+0x3e DrawEdge-0x2e user32+0x130bc @ 0x76c930bc
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
DrawStateW+0x59f GetActiveWindow-0xc user32+0x33af7 @ 0x76cb3af7
DialogBoxIndirectParamAorW+0x36 DialogBoxIndirectParamW-0x9 user32+0x33b46 @ 0x76cb3b46
DialogBoxIndirectParamW+0x1b EndDialog-0x9 user32+0x33b6a @ 0x76cb3b6a
DllInstall+0x1083f ImageList_SetBkColor-0x2c0f comctl32+0x7d504 @ 0x73d1d504
DllInstall+0x107cf ImageList_SetBkColor-0x2c7f comctl32+0x7d494 @ 0x73d1d494
ShellMessageBoxW+0x163 StrCpyW-0xf1 shlwapi+0x3df34 @ 0x7562df34
SHGetFileInfo+0xa9b1 SHCreateStdEnumFmtEtc-0x4b161 shell32+0x1b919c @ 0x75be919c
RegenerateUserEnvironment+0xf77 StrCmpNIW-0x1d9e shell32+0xbbd80 @ 0x75aebd80
SHEnableServiceObject+0x284d DoEnvironmentSubstW-0xf34 shell32+0x10cfe @ 0x75a40cfe
ShellExecuteExW+0x40c SHGetNameFromIDList-0x874f shell32+0x22279 @ 0x75a52279
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21558184
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21558196
registers.edx: 14007
registers.ebx: 21558432
registers.esi: 1
registers.ecx: 20521868
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoSetState+0xac4 IsValidInterface-0xb5a ole32+0x43181 @ 0x756c3181
PropVariantClear+0x14d7 CoGetComCatalog-0xb15 ole32+0x45208 @ 0x756c5208
CoCreateInstanceEx+0x157c CoFreeUnusedLibrariesEx-0x397 ole32+0x4b27a @ 0x756cb27a
CoCreateInstanceEx+0x21c CoFreeUnusedLibrariesEx-0x16f7 ole32+0x49f1a @ 0x756c9f1a
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
TF_CreateLangBarItemMgr+0x3053 CtfImeInquireExW-0x13ff msctf+0x116fa @ 0x753816fa
TF_CreateLangBarItemMgr+0x2c4b CtfImeInquireExW-0x1807 msctf+0x112f2 @ 0x753812f2
TF_CreateLangBarItemMgr+0x2e8f CtfImeInquireExW-0x15c3 msctf+0x11536 @ 0x75381536
TF_CreateLangBarItemMgr+0x29a9 CtfImeInquireExW-0x1aa9 msctf+0x11050 @ 0x75381050
TF_CreateLangBarItemMgr+0x2736 CtfImeInquireExW-0x1d1c msctf+0x10ddd @ 0x75380ddd
TF_CreateLangBarItemMgr+0x26bb CtfImeInquireExW-0x1d97 msctf+0x10d62 @ 0x75380d62
TF_CreateLangBarItemMgr+0x24ba CtfImeInquireExW-0x1f98 msctf+0x10b61 @ 0x75380b61
TF_CreateThreadMgr+0x39a CtfImeSelectEx-0x1232 msctf+0x800e @ 0x7537800e
TF_CreateLangBarItemMgr+0x265f CtfImeInquireExW-0x1df3 msctf+0x10d06 @ 0x75380d06
TF_CreateLangBarItemMgr+0x323d CtfImeInquireExW-0x1215 msctf+0x118e4 @ 0x753818e4
TrackMouseEvent+0x3e DrawEdge-0x2e user32+0x130bc @ 0x76c930bc
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
DrawStateW+0x59f GetActiveWindow-0xc user32+0x33af7 @ 0x76cb3af7
DialogBoxIndirectParamAorW+0x36 DialogBoxIndirectParamW-0x9 user32+0x33b46 @ 0x76cb3b46
DialogBoxIndirectParamW+0x1b EndDialog-0x9 user32+0x33b6a @ 0x76cb3b6a
DllInstall+0x1083f ImageList_SetBkColor-0x2c0f comctl32+0x7d504 @ 0x73d1d504
DllInstall+0x107cf ImageList_SetBkColor-0x2c7f comctl32+0x7d494 @ 0x73d1d494
ShellMessageBoxW+0x163 StrCpyW-0xf1 shlwapi+0x3df34 @ 0x7562df34
SHGetFileInfo+0xa9b1 SHCreateStdEnumFmtEtc-0x4b161 shell32+0x1b919c @ 0x75be919c
RegenerateUserEnvironment+0xf77 StrCmpNIW-0x1d9e shell32+0xbbd80 @ 0x75aebd80
SHEnableServiceObject+0x284d DoEnvironmentSubstW-0xf34 shell32+0x10cfe @ 0x75a40cfe
ShellExecuteExW+0x40c SHGetNameFromIDList-0x874f shell32+0x22279 @ 0x75a52279
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21558072
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21558084
registers.edx: 14007
registers.ebx: 21558320
registers.esi: 1
registers.ecx: 20521756
success 0 0
Jan. 21, 2019, 12:17 a.m.
__exception__
stacktrace:
CoCreateInstanceEx+0x502 CoFreeUnusedLibrariesEx-0x1411 ole32+0x4a200 @ 0x756ca200
CoCreateInstanceEx+0xb77 CoFreeUnusedLibrariesEx-0xd9c ole32+0x4a875 @ 0x756ca875
CoCreateInstanceEx+0xd7e CoFreeUnusedLibrariesEx-0xb95 ole32+0x4aa7c @ 0x756caa7c
CoCreateInstanceEx+0xc55 CoFreeUnusedLibrariesEx-0xcbe ole32+0x4a953 @ 0x756ca953
CoSetState+0xac4 IsValidInterface-0xb5a ole32+0x43181 @ 0x756c3181
PropVariantClear+0x1057 CoGetComCatalog-0xf95 ole32+0x44d88 @ 0x756c4d88
CoSetState+0x8e9 IsValidInterface-0xd35 ole32+0x42fa6 @ 0x756c2fa6
CoCreateInstanceEx+0xd7 CoFreeUnusedLibrariesEx-0x183c ole32+0x49dd5 @ 0x756c9dd5
CoCreateInstanceEx+0x38 CoFreeUnusedLibrariesEx-0x18db ole32+0x49d36 @ 0x756c9d36
New_ole32_CoCreateInstanceEx@24+0x5a New_ole32_CoGetClassObject@20-0x1c7 @ 0x63be2c5f
CoCreateInstance+0x34 CoCreateInstanceEx-0xf ole32+0x49cef @ 0x756c9cef
New_ole32_CoCreateInstance@20+0x123 New_ole32_CoCreateInstanceEx@24-0x7c @ 0x63be2b89
TF_CreateLangBarItemMgr+0x3053 CtfImeInquireExW-0x13ff msctf+0x116fa @ 0x753816fa
TF_CreateLangBarItemMgr+0x2c4b CtfImeInquireExW-0x1807 msctf+0x112f2 @ 0x753812f2
TF_CreateLangBarItemMgr+0x2e8f CtfImeInquireExW-0x15c3 msctf+0x11536 @ 0x75381536
TF_CreateLangBarItemMgr+0x29a9 CtfImeInquireExW-0x1aa9 msctf+0x11050 @ 0x75381050
TF_CreateLangBarItemMgr+0x2736 CtfImeInquireExW-0x1d1c msctf+0x10ddd @ 0x75380ddd
TF_CreateLangBarItemMgr+0x26bb CtfImeInquireExW-0x1d97 msctf+0x10d62 @ 0x75380d62
TF_CreateLangBarItemMgr+0x24ba CtfImeInquireExW-0x1f98 msctf+0x10b61 @ 0x75380b61
TF_CreateThreadMgr+0x39a CtfImeSelectEx-0x1232 msctf+0x800e @ 0x7537800e
TF_CreateLangBarItemMgr+0x265f CtfImeInquireExW-0x1df3 msctf+0x10d06 @ 0x75380d06
TF_CreateLangBarItemMgr+0x323d CtfImeInquireExW-0x1215 msctf+0x118e4 @ 0x753818e4
TrackMouseEvent+0x3e DrawEdge-0x2e user32+0x130bc @ 0x76c930bc
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x46bae @ 0x76e56bae
DrawStateW+0x59f GetActiveWindow-0xc user32+0x33af7 @ 0x76cb3af7
DialogBoxIndirectParamAorW+0x36 DialogBoxIndirectParamW-0x9 user32+0x33b46 @ 0x76cb3b46
DialogBoxIndirectParamW+0x1b EndDialog-0x9 user32+0x33b6a @ 0x76cb3b6a
DllInstall+0x1083f ImageList_SetBkColor-0x2c0f comctl32+0x7d504 @ 0x73d1d504
DllInstall+0x107cf ImageList_SetBkColor-0x2c7f comctl32+0x7d494 @ 0x73d1d494
ShellMessageBoxW+0x163 StrCpyW-0xf1 shlwapi+0x3df34 @ 0x7562df34
SHGetFileInfo+0xa9b1 SHCreateStdEnumFmtEtc-0x4b161 shell32+0x1b919c @ 0x75be919c
RegenerateUserEnvironment+0xf77 StrCmpNIW-0x1d9e shell32+0xbbd80 @ 0x75aebd80
SHEnableServiceObject+0x284d DoEnvironmentSubstW-0xf34 shell32+0x10cfe @ 0x75a40cfe
ShellExecuteExW+0x40c SHGetNameFromIDList-0x874f shell32+0x22279 @ 0x75a52279
ShellExecuteExW+0x4fa SHGetNameFromIDList-0x8661 shell32+0x22367 @ 0x75a52367
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x756043c0
BaseThreadInitThunk+0x12 OpenFileMappingA-0xc kernel32+0x4ef1c @ 0x7555ef1c
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x6367a @ 0x76e7367a
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x6364d @ 0x76e7364d

exception.instruction_r: 85 00 e9 20 4c 00 00 90 93 30 76 75 71 58 6c 75
exception.instruction: test eax, dword ptr [eax]
exception.exception_code: 0xc00000fd
exception.symbol: CoCreateInstanceEx+0x4a2 CoFreeUnusedLibrariesEx-0x1471 ole32+0x4a1a0
exception.address: 0x756ca1a0
registers.esp: 21556364
registers.edi: 0
registers.eax: 20520960
registers.ebp: 21556376
registers.edx: 14007
registers.ebx: 21556612
registers.esi: 1
registers.ecx: 20520044
success 0 0
Starts servers listening on {0} (6 events)
Time & API Arguments Status Return Repeated
Jan. 21, 2019, 12:17 a.m.
bind
ip_address: 127.0.0.1
socket: 456
port: 0
success 0 0
Jan. 21, 2019, 12:17 a.m.
listen
socket: 456
backlog: 5
success 0 0
Jan. 21, 2019, 12:17 a.m.
accept
ip_address: 127.0.0.1
socket: 456
port: 49171
success 472 0
Jan. 21, 2019, 12:17 a.m.
bind
ip_address: 127.0.0.1
socket: 884
port: 0
success 0 0
Jan. 21, 2019, 12:17 a.m.
listen
socket: 884
backlog: 5
success 0 0
Jan. 21, 2019, 12:17 a.m.
accept
ip_address: 127.0.0.1
socket: 884
port: 49174
success 904 0
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
Jan. 21, 2019, 12:17 a.m.
NtAllocateVirtualMemory
process_identifier: 3076
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\sessionstore.js
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 192.168.12.22:2869
dead_host 192.168.12.14:2869

Network

Summary

Process firefox.exe (3284)

  • Opened files

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Windows\System32\zipfldr.dll
    • C:\Program Files\Mozilla Firefox\chrome\classic.manifest
    • C:\Windows\System32\ACCTRES.dll
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\content-prefs.sqlite
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\extensions.rdf
    • C:\Program Files\Mozilla Firefox\browserconfig.properties
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\UserID
    • C:\Program Files\Mozilla Firefox\res\dtd\xhtml11.dtd
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_001_
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Windows\System32\WdsUnattendTemplate.xml
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\XUL.mfl
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\extensions.cache
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\localstore.rdf
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\mimeTypes.rdf
    • C:\Program Files\Mozilla Firefox\chrome\browser.jar
    • C:\Windows\System32\aclui.dll
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\cert8.db
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Program Files\Mozilla Firefox\res\charsetData.properties
    • C:\Windows\System32\KBDROPR.DLL
    • C:\Program Files\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files\Mozilla Firefox\res\forms.css
    • C:\Program Files\Mozilla Firefox\chrome\reporter.manifest
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\key3.db
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\compatibility.ini
    • C:\Program Files\Mozilla Firefox\chrome\en-US.jar
    • C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\formhistory.sqlite
    • C:\Windows\System32\ActionCenter.dll
    • C:\Windows\System32\acledit.dll
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.jar
    • C:\Windows\System32\msdxm.tlb
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\permissions.sqlite
    • C:\Program Files\Mozilla Firefox\res\html.css
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_003_
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\prefs.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files\Mozilla Firefox\greprefs\all.js
    • C:\Windows\System32\cofire.exe
    • C:\Windows\Fonts\staticcache.dat
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Program Files\Mozilla Firefox\foxyproxy.xml
    • C:\Windows\System32\acppage.dll
    • C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_002_
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\XPC.mfl
    • C:\Program Files\Mozilla Firefox\blocklist.xml
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\search.sqlite
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Program Files\Mozilla Firefox\chrome\comm.manifest
    • C:\Program Files\Mozilla Firefox\res\ua.css
    • C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\extensions.ini
    • C:\Windows\System32\help.exe
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\ssText3d.scr
    • C:\Windows\System32\NlsLexicons0416.dll
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\xpti.dat
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\compreg.dat
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\urlclassifier3.sqlite
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\pluginreg.dat
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\secmod.db
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\places.sqlite
    • C:\Program Files\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files\Mozilla Firefox\chrome\classic.jar
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.manifest
    • C:\Windows\System32\Display.dll
    • C:\Program Files\Mozilla Firefox\chrome\en-US.manifest
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\downloads.sqlite
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\cookies.sqlite
    • C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Program Files\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Windows\System32\acproxy.dll
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_MAP_
    • C:\Windows\System32\rasphone.exe
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files\Mozilla Firefox\res\quirk.css
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\Windows\System32\aaclient.dll
  • Written files

    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\urlclassifier3.sqlite
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\formhistory.sqlite-journal
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\bookmarkbackups\bookmarks-2019-01-21.json
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\downloads.sqlite-journal
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\pluginreg.dat
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\cookies.sqlite-journal
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_MAP_
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\places.sqlite-journal
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\urlclassifier3.sqlite-journal
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\sessionstore.js
  • Files Read

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Windows\System32\zipfldr.dll
    • C:\Program Files\Mozilla Firefox\chrome\classic.manifest
    • C:\Windows\System32\ACCTRES.dll
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\content-prefs.sqlite
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\extensions.rdf
    • C:\Program Files\Mozilla Firefox\browserconfig.properties
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\UserID
    • C:\Program Files\Mozilla Firefox\res\dtd\xhtml11.dtd
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_001_
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Windows\System32\WdsUnattendTemplate.xml
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\XUL.mfl
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\extensions.cache
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\localstore.rdf
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\mimeTypes.rdf
    • C:\Program Files\Mozilla Firefox\chrome\browser.jar
    • C:\Windows\System32\aclui.dll
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\cert8.db
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Program Files\Mozilla Firefox\res\charsetData.properties
    • C:\Windows\System32\KBDROPR.DLL
    • C:\Program Files\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files\Mozilla Firefox\res\forms.css
    • C:\Program Files\Mozilla Firefox\chrome\reporter.manifest
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\key3.db
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\compatibility.ini
    • C:\Program Files\Mozilla Firefox\chrome\en-US.jar
    • C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\formhistory.sqlite
    • C:\Windows\System32\ActionCenter.dll
    • C:\Windows\System32\acledit.dll
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.jar
    • C:\Windows\System32\msdxm.tlb
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\permissions.sqlite
    • C:\Program Files\Mozilla Firefox\res\html.css
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_003_
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\prefs.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files\Mozilla Firefox\greprefs\all.js
    • C:\Windows\System32\cofire.exe
    • C:\Windows\Fonts\staticcache.dat
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Program Files\Mozilla Firefox\foxyproxy.xml
    • C:\Windows\System32\acppage.dll
    • C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_002_
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\XPC.mfl
    • C:\Program Files\Mozilla Firefox\blocklist.xml
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\search.sqlite
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Program Files\Mozilla Firefox\chrome\comm.manifest
    • C:\Program Files\Mozilla Firefox\res\ua.css
    • C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\extensions.ini
    • C:\Windows\System32\help.exe
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\ssText3d.scr
    • C:\Windows\System32\NlsLexicons0416.dll
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\xpti.dat
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\compreg.dat
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\urlclassifier3.sqlite
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\pluginreg.dat
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\secmod.db
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\places.sqlite
    • C:\Program Files\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files\Mozilla Firefox\chrome\classic.jar
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.manifest
    • C:\Windows\System32\Display.dll
    • C:\Program Files\Mozilla Firefox\chrome\en-US.manifest
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\downloads.sqlite
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\cookies.sqlite
    • C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Program Files\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Windows\System32\acproxy.dll
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_MAP_
    • C:\Windows\System32\rasphone.exe
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files\Mozilla Firefox\res\quirk.css
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\Windows\System32\aaclient.dll

Process cmd.exe (3076)

  • Opened files

    • C:\Windows\System32\imageres.dll
    • C:\Windows\System32\ieframe.dll
    • C:\Windows\Globalization\Sorting\sortdefault.nls

Process firefox.exe (3284)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb377-1074-11e6-9643-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove\Development
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\FileAssociations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
    • HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb372-1074-11e6-9643-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
    • HKEY_CLASSES_ROOT\.js
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
    • HKEY_CLASSES_ROOT\HTTP\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Interface\{00000134-0000-0000-C000-000000000046}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb376-1074-11e6-9643-806e6f6e6963}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\(Default)
    • HKEY_CLASSES_ROOT\MIME\Database\Content Type\
    • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
    • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb373-1074-11e6-9643-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\InstallPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\firefox.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\(Default)
    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\(Default)
    • HKEY_LOCAL_MACHINE\Software\MozillaPlugins
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp
    • HKEY_CURRENT_USER\SOFTWARE\Clients\StartMenuInternet
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\QuickTimePlayer.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\MIMEAssociations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm
    • HKEY_CLASSES_ROOT\HTTPS\DefaultIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications
    • HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
    • HKEY_CURRENT_USER\Software\MozillaPlugins
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\StartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
    • HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
    • HKEY_CLASSES_ROOT\HTTPS\shell\open\command
    • HKEY_CLASSES_ROOT\.dtd
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_LOCAL_MACHINE\software\Adobe\Acrobat Reader
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice
    • HKEY_CLASSES_ROOT\HTTP\DefaultIcon
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\FirefoxHTML\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb372-1074-11e6-9643-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid
    • HKEY_CURRENT_USER\http\shell\open\command\(Default)
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\InstallPath\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Progid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
    • HKEY_CURRENT_USER\https\shell\open\command\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb376-1074-11e6-9643-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma Armenian
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Miriam Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Fixed Miriam Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb377-1074-11e6-9643-806e6f6e6963}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\70F6B3D
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
    • HKEY_CURRENT_USER\https\DefaultIcon\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Rod Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\Extension
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb373-1074-11e6-9643-806e6f6e6963}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\Content Type
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\FangSong_GB2312
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb377-1074-11e6-9643-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\David Transparent
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Progid
    • HKEY_CURRENT_USER\Software\Clients\StartMenuInternet\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\1603
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb373-1074-11e6-9643-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent,0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\9999
    • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications\Firefox
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice\Progid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb372-1074-11e6-9643-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb376-1074-11e6-9643-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
    • HKEY_CURRENT_USER\FirefoxURL\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dtd\Content Type
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold,0
    • HKEY_CURRENT_USER\http\DefaultIcon\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\KaiTi_GB2312

Process cmd.exe (3076)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\CallForAttributes
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb372-1074-11e6-9643-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\WantsFORPARSING
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\NoFileFolderJunction
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\HideOnDesktopPerUser
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb376-1074-11e6-9643-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{9343812e-1c37-4a49-a12e-4b2d810d956b}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\CallForAttributes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\QueryForOverlay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\UseDropHandler
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\NoFileFolderJunction
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\MapNetDriveVerbs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\Attributes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\HasNavigationEnum
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\WantsUniversalDelegate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb377-1074-11e6-9643-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\HasNavigationEnum
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\SuppressionPolicy
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\WantsParseDisplayName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32\LoadWithoutCOM
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\QueryForInfoTip
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\RestrictedAttributes
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb373-1074-11e6-9643-806e6f6e6963}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirefoxURL\shell\open\NeverDefault
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{871C5380-42A0-1069-A2EA-08002B30309D}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\MapNetDriveVerbs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e345f35f-9397-435c-8f95-4e922c26259e}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\SuppressionPolicy
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb377-1074-11e6-9643-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsParseDisplayName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
    • HKEY_CURRENT_USER\FirefoxURL\shell\open\NeverDefault
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\PinToNameSpaceTree
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsUniversalDelegate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\UseDropHandler
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\HideOnDesktopPerUser
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\HideFolderVerbs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{04731B67-D933-450a-90E6-4ACD2E9408FE}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsAliasedNotifications
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\HideInWebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{daf95313-e44d-46af-be1b-cbacea2c3065}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F3F5824C-AD58-4728-AF59-A1EBE3392799}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb376-1074-11e6-9643-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\PinToNameSpaceTree
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\QueryForInfoTip
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb373-1074-11e6-9643-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{89D83576-6BD1-4c86-9454-BEB04E94C819}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{26EE0668-A00A-44D7-9371-BEB064C98683}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\HideInWebView
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\SuppressionPolicy
    • HKEY_CURRENT_USER\FirefoxURL\shell\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsFORPARSING
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{adfeb372-1074-11e6-9643-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{98D99750-0B8A-4c59-9151-589053683D73}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\RestrictedAttributes
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\HideFolderVerbs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirefoxURL\shell\(Default)
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\WantsAliasedNotifications
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{8FD8B88D-30E1-4F25-AC2B-553D3D65F0EA}\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsFORDISPLAY
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\QueryForOverlay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FirefoxURL\NoStaticDefaultVerb
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\WantsFORDISPLAY
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{208D2C60-3AEA-1069-A2D7-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
    • HKEY_CURRENT_USER\FirefoxURL\NoStaticDefaultVerb
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Process firefox.exe (3284)

  • Mutexes accessed

    • Local\FirefoxStartupMutex

Process cmd.exe (3076)

Process firefox.exe (3284)

  • Directories created

    • C:\Users\admin\AppData\Roaming
    • C:\Users\admin\AppData\Local\Mozilla\Firefox
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox
    • C:\Users\admin\AppData\Local\Mozilla
    • C:\Program Files
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates\0
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates
    • C:\Users\admin\AppData
    • C:\Users\admin\AppData\Local
    • C:\Users
    • C:\Users\admin
    • C:\Program Files\Mozilla Firefox
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Mozilla Firefox
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\bookmarkbackups
    • C:\Users\admin\AppData\Roaming\Mozilla
  • Directories enumerated

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Windows\System32\Display.dll
    • C:\Windows\System32\zipfldr.dll
    • C:\Windows\System32\*.*
    • C:\Users\admin\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates\*
    • C:\Windows\System32\acppage.dll
    • C:\Windows\System32\rasphone.exe
    • C:\Windows\System32\CodeIntegrity
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\key3.db
    • C:\Program Files\Mozilla Firefox\chrome\*
    • C:\Windows\System32\ActionCenter.dll
    • C:\Windows\System32\zh-TW
    • C:\Windows\System32
    • C:\Windows\System32\cofire.exe
    • C:\Program Files\Mozilla Firefox\extensions\*
    • C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c\ATL80.dll
    • C:\Windows\System32\zh-CN
    • C:\Windows\System32\acledit.dll
    • C:\Program Files\Mozilla Firefox\defaults\pref\*
    • C:\Windows\System32\help.exe
    • C:\Windows\System32\0409
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\*
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\*
    • C:\Windows\System32\ssText3d.scr
    • C:\Program Files\Mozilla Firefox\greprefs\*
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\msdxm.tlb
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\*
    • C:\Windows\System32\WdsUnattendTemplate.xml
    • C:\Program Files\Adobe\Reader 9.0\Reader\Browser\*
    • C:\Program Files\Mozilla Firefox\searchplugins\*
    • C:\Windows\System32\acproxy.dll
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\bookmarkbackups\*
    • C:\Windows\System32\12520437.cpx
    • C:\Windows\System32\he-IL
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\secmod.db
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\extensions\*
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\components\*
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\*
    • C:\Program Files\Mozilla Firefox\components\*
    • C:\Windows\System32\aclui.dll
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\cert8.db
    • C:\Windows\System32\NlsLexicons0416.dll
    • C:\Users\admin\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\*
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\*
    • C:\Windows\System32\ACCTRES.dll
    • C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
    • C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    • C:\Windows\System32\KBDROPR.DLL
    • C:\Windows
    • C:\Windows\winsxs
    • C:\Program Files\Mozilla Firefox\plugins\*
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\*
    • C:\Windows\System32\aaclient.dll
    • C:\Windows\System32\zh-HK

Process cmd.exe (3076)

  • Directories enumerated

    • C:\Users\admin
    • C:\Users\admin\AppData\Local\Temp
    • C:\Users\admin\AppData
    • C:\Users\admin\AppData\Local
    • C:\Users

Process firefox.exe (3284)

  • DLLs Loaded

    • dbghelp.dll
    • C:\Windows\system32\pnrpnsp.dll
    • DNSAPI.dll
    • UXTHEME.DLL
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • C:\Windows\system32\napinsp.dll
    • C:\Program Files\Mozilla Firefox\nssckbi.dll
    • C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
    • API-MS-Win-Core-LocalRegistry-L1-1-0.dll
    • C:\Program Files\Mozilla Firefox\softokn3.dll
    • cryptbase.dll
    • advapi32.dll
    • CRYPTSP.dll
    • Comctl32.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • C:\Program Files\Mozilla Firefox\freebl3.dll
    • Kernel32.DLL
    • uxtheme.dll
    • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default/nssckbi.dll
    • C:\Windows\System32\mswsock.dll
    • Shell32.dll
    • msimg32
    • C:\Windows\System32\winrnr.dll
    • comctl32.dll
    • C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
    • C:\Windows\system32\NLAapi.dll
    • iphlpapi.dll
    • MSImg32.dll
    • RpcRtRemote.dll
    • C:\Program Files\Mozilla Firefox\nssdbm3.dll
    • ADVAPI32.dll
    • rpcrt4.dll
    • SETUPAPI.dll
    • WS2_32.dll
    • user32.dll
    • ws2_32.dll

Process cmd.exe (3076)

  • Processes created

    • http://nvipgfrdixwl.com/
    • "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "http://nvipgfrdixwl.com/"
  • DLLs Loaded

    • urlmon.dll
    • apphelp.dll
    • kernel32.dll
    • UxTheme.dll
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • ntdll.dll
    • api-ms-win-downlevel-advapi32-l1-1-0.dll
    • C:\Windows\system32\MSCTF.dll
    • PROPSYS.dll
    • API-MS-Win-Core-LocalRegistry-L1-1-0.dll
    • api-ms-win-downlevel-ole32-l1-1-0.dll
    • ole32.dll
    • C:\Windows\system32\xmllite.dll
    • OLEAUT32.dll
    • SHELL32.dll
    • DUser.dll
    • comctl32.dll
    • C:\Windows\System32\DUser.dll
    • api-ms-win-downlevel-shlwapi-l2-1-0.dll
    • ADVAPI32.dll
    • rpcrt4.dll
    • SETUPAPI.dll
    • user32.dll
No static analysis available.
No antivirus signatures available.

Process Tree


cmd.exe, PID: 3076, Parent PID: 3052

default registry file network process services synchronisation iexplore office pdf

firefox.exe, PID: 3284, Parent PID: 3076

default registry file network process services synchronisation iexplore office pdf

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.128.102 1066 192.168.128.112 139
192.168.128.102 1071 192.168.128.112 139
192.168.128.102 1072 192.168.128.112 139

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.112 137
192.168.128.112 138 192.168.128.102 138
192.168.128.112 49254 192.168.128.111 53
192.168.128.112 50804 192.168.128.111 53
192.168.128.112 53921 192.168.128.111 53
192.168.128.112 56984 192.168.128.111 53
192.168.128.112 58297 192.168.128.111 53
192.168.128.112 62873 192.168.128.111 53
192.168.128.112 137 192.168.128.255 137
192.168.128.112 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 74e9908401c44f72_sessionstore.js
Filepath C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\sessionstore.js
Size 262.0B
Processes 3284 (firefox.exe)
Type ASCII text, with no line terminators
MD5 46ec3cd9ba31460730949a8eddfd6dc5
SHA1 029f4072b61e23a0ef1c33a60382393c732e125d
SHA256 74e9908401c44f725fef2cebc71d0ab1baf8d8c9412d591778d394962c5e423a
CRC32 FB3BE3B1
ssdeep 6:0XzguGXq9u4RnqxLWHpIfR09UHRvVGHu/Lqpkxh:0f9uPxLWHE09UHR9GHqOpa
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name d400df4c54b17156_pluginreg.dat
Filepath C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\pluginreg.dat
Size 1.8KB
Processes 3284 (firefox.exe)
Type ASCII text
MD5 1a08497f2f0c96fe12372830221650bf
SHA1 c80f1bc612a435814fdbaf2a7dd8a15a8d57a8e2
SHA256 d400df4c54b171561cee14798f764ec093b99d56e7ea54c90c4ad73d137f3a5f
CRC32 06D1AF39
ssdeep 48:Z7R0doz5T9wnwPmv4+M33I8l3huYPkov4+M33r:P0yzB9wnw28lx58v
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 2cf7e5e31dbf0483_downloads.sqlite-journal
Filepath C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\downloads.sqlite-journal
Size 1.0KB
Processes 3284 (firefox.exe)
Type data
MD5 4571a36eefe7b41883d001f9b9c74742
SHA1 ac021af62850fc00275e05a2dd13dffb0ed3a162
SHA256 2cf7e5e31dbf048385b584680117e79dabdbe437606a6d7dbd674ad3209130c0
CRC32 B130C014
ssdeep 3:7FEG2l/aVlv/h//ll:7+/l/Cv
Yara None matched
VirusTotal Search for analysis
Name 6d56e5d4051af376_bookmarks-2019-01-21.json
Filepath C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\bookmarkbackups\bookmarks-2019-01-21.json
Size 7.7KB
Processes 3284 (firefox.exe)
Type ASCII text, with very long lines, with no line terminators
MD5 f78393b403f0ec5579efd92cf649f8a3
SHA1 529453aa60309ebb44e5471a3c12eb3c49df0d8b
SHA256 6d56e5d4051af37601a8b117770c28b80a3f896a3e0aafb32004e29d394ebdb8
CRC32 299F3D3B
ssdeep 96:0vubTdrZjXa6SjXANZOdnbl9sk8kHEYUR8frRjDfOzBcvGS2cgXwTVXPnO4YRLOa:0vctjXa6SjXAZOdbQcXp4SeuyrtB
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name e3b0c44298fc1c14_update.test
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
VirusTotal Search for analysis
Name 11df7df5266595c8__cache_map_
Filepath C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\Cache\_CACHE_MAP_
Size 8.3KB
Processes 3284 (firefox.exe)
Type raw G3 data, byte-padded
MD5 098287abf96b3e986ddd0b25beef4e8f
SHA1 2fbeec524e8f7874743ceac2b72af028d4cea6ab
SHA256 11df7df5266595c8c458538f79e0e0f9fa95e7bce9d64e7627efe31e2ef00706
CRC32 5093B51C
ssdeep 3:rK/4atuY1MlMlbgCjVxllUntjvL/0:5euIkkzb/+FL
Yara None matched
VirusTotal Search for analysis
Name dec93286f70ca429_cookies.sqlite-journal
Filepath C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\cookies.sqlite-journal
Size 1.0KB
Processes 3284 (firefox.exe)
Type data
MD5 5e23449abbd6d4d15b1cad4650f13125
SHA1 efad5bb06425ee4c7d3e57cb092057439e470fba
SHA256 dec93286f70ca4291821d191e79b2d1c9e07f30ce019c69ce07822dab94a1fd3
CRC32 2CBFBFD1
ssdeep 3:7FEGURvP7//ll:7+/J
Yara None matched
VirusTotal Search for analysis
Name 19583774feee8d8f_downloads.sqlite-journal
Filepath C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\downloads.sqlite-journal
Size 1.0KB
Processes 3284 (firefox.exe)
Type data
MD5 d2f2df541a6d0fbb57e3477bec83ba28
SHA1 eb889eac389f8fbdfc366ab247ea4c9c59fccb78
SHA256 19583774feee8d8fa6f7081b9d04ec0f66231f1a29ac5884c5a1a88d1aef503e
CRC32 FB7871C3
ssdeep 3:7FEG2l/jx0v/h//ll:7+/l/jY
Yara None matched
VirusTotal Search for analysis
Name 2d65c4895722dcfc_urlclassifier3.sqlite-journal
Filepath C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\urlclassifier3.sqlite-journal
Size 24.0KB
Processes 3284 (firefox.exe)
Type data
MD5 1e7df9d308d5f45cac3566e99d1e37c1
SHA1 ba641723e32f8b429d8010b81f3df6640d48bffd
SHA256 2d65c4895722dcfc985875def755575936821f200198a948c32fc69f89ce4b21
CRC32 B1DF8291
ssdeep 48:7eaxiyRdgKFqZ5MYNe0Itr56DlkEqWERlDNG:7eBilFWSj4
Yara
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name d8ca0b90399551ef_urlclassifier3.sqlite
Filepath C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\himsiwrn.default\urlclassifier3.sqlite
Size 32.0KB
Processes 3284 (firefox.exe)
Type SQLite 3.x database, user version 5
MD5 00c17c25a4d6eeb05c64d7867b1e869a
SHA1 7d04a142bb5ff71539d0bd9aebf5ae16b6b33320
SHA256 d8ca0b90399551effaeb96ebe9c0e5d296265d061d4ee62cbc31346da2d39fa1
CRC32 2B4E8157
ssdeep 24:TLu24+zdjrgZH5MjbTENe0SHGES456DlHEEqWERlSTENoR7gKfepC:TC5MYNe0Itr56DlkEqWERlDNoR7gKmU
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name fd0734b2ed5d7549_formhistory.sqlite-journal
Filepath C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\formhistory.sqlite-journal
Size 1.0KB
Processes 3284 (firefox.exe)
Type data
MD5 84238c9f856fa74f5d28033ea50e0481
SHA1 3c99580a9b6d8627e1a6eb95e44992e92b1a747b
SHA256 fd0734b2ed5d75497813eca0a832cd9445df5df5e27293afdf47e9c849279888
CRC32 EDF47221
ssdeep 3:7FEG2l/Uitzlztll:7+/l/Lt
Yara None matched
VirusTotal Search for analysis
Name 53a8e9bc9aadbf09_downloads.sqlite-journal
Filepath C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\himsiwrn.default\downloads.sqlite-journal
Size 1.0KB
Processes 3284 (firefox.exe)
Type data
MD5 8a1a70606e727c65b03059327a08e7e7
SHA1 65767c054ae279ae9f046aaa3de3ef7646b6013e
SHA256 53a8e9bc9aadbf09044d48273b2efab399782141fcdb670c191430cc1cc1c633
CRC32 7B83CAA0
ssdeep 3:7FEG2l/QsJ/lnllh//ll:7+/l/nb
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.
Task ID 1188
Mongo ID 5c459e1411d30812ab71ef47
Cuckoo release 2.0-dev