Cuckoo Sandbox

Category	Started On	Completed On	Duration	Cuckoo Version
FILE	2024-03-27 14:01:17.245962	2024-03-27 14:03:10.057635	112 seconds	2.0-dev

Machine	Label	Manager	Started On	Shutdown On
win7cuckoo	win7 Clone 1	VirtualBox	2024-03-27 14:01:17	2024-03-27 14:03:09

File Details

File name	5701a3b4959b75a8d0b200b73f69b72b2a29b79d.zip
File size	1785016 bytes
File type	Zip archive data, at least v2.0 to extract
CRC32	84A37F45
MD5	113f4941877fca2387f0f3ead3b6259c
SHA1	5701a3b4959b75a8d0b200b73f69b72b2a29b79d
SHA256	ec7486d01afda8a229bd6c78d709acb85704c3b7fc899931b78489960cba63a3
SHA512	dc44be966694fed350f35c542d665154d54f56cd0df5e4e36794e3b59b4a02c516c96289373a8546f2c9ed8b54d2f1ca095dc80b82558e1df7dd9368957f09cb
Ssdeep	None
PEiD	None matched
Yara	contains_base64 (This rule finds for base64 strings) UPXv20MarkusLaszloReiser () UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser () UPX () Antivirus (Contains references to security software)
VirusTotal	File not found on VirusTotal

Signatures

openprocess_nonchild details

Attempt_to_open_VBA_AutoRun details

nolookup_communication details

allocates_rwx details

protection_rx details

Jalik_Trojan_Behavior details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

f5a86db0fbf2da73_dsmonitor.otf

File name	f5a86db0fbf2da73_dsmonitor.otf
File size	19236 bytes
File type	OpenType font data
MD5	08f66f10b63de3b7610e0f3d6f2cb455
SHA1	8ce5756db5bd16ead7cb197a9beb9bb195e6399c
SHA256	f5a86db0fbf2da7324f33e5f8ded3ad71180877c86845181569d407a907f2014
SHA512	8422a0437dd60db56521d88ad2f7772fe4a6c4eb4a5f6528f62ef9e34a893b749ac0cc57a4e621afda23548dbf8139069b6a9543a37f092c19ed84a84f51d8ee
Ssdeep	None
Yara	contains_base64 (This rule finds for base64 strings)
VirusTotal	Search for Analysis

Monitor.exe

File name	Monitor.exe
File size	627200 bytes
File type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	7cd7a7e970d4ca86fb943b76bd5b3c24
SHA1	733384063d81b328043cca7e5709a7a408c177f0
SHA256	44d440a6f888863d37c263025b26b9751686999b859a6619b9b40ab5b02c46bc
SHA512	3f8908ae882ccec6a378a7607c2a93e7e8a5b247c2b32235cbec4461af8dad0de721343577d15b2eb8b97b569587cb7b37e5b65aa87c5117688e77763a140c69
Ssdeep	None
Yara	contains_base64 (This rule finds for base64 strings) suspicious_packer_section (The packer/protector section names/keywords) IsPE32 () IsWindowsGUI () IsPacked (Entropy Check) HasRichSignature (Rich Signature Check) UPXv20MarkusLaszloReiser () UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser () UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional () UPX_302 () UPX_wwwupxsourceforgenet_additional () yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h () UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser () UPX_wwwupxsourceforgenet () UPX () Antivirus (Contains references to security software)
VirusTotal	Search for Analysis

Network Analysis

Hosts Involved

IP Address
104.75.133.129
192.229.211.108
23.101.14.229
23.204.146.152
23.73.128.183
23.99.109.44
70.186.27.24
70.186.27.9
8.8.8.8

DNS Requests

Domain	IP Address
armmf.adobe.com	23.36.116.175
dns.msftncsi.com	131.107.255.255
cacerts.digicert.com	192.229.211.108
teredo.ipv6.microsoft.com	54.156.11.120
nexus.officeapps.live.com	52.111.229.50
ipv6.msftncsi.com
nexusrules.officeapps.live.com	52.111.236.22
ctldl.windowsupdate.com	72.21.81.240

HTTP Requests

URL	Data
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt	GET /DigiCertGlobalRootG2.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: cacerts.digicert.com
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3679CA35668772304D30A5FB873B0FA77BB70D54.crt?911320f9b04be75f	GET /msdownload/update/v3/static/trustedr/en/3679CA35668772304D30A5FB873B0FA77BB70D54.crt?911320f9b04be75f HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ctldl.windowsupdate.com
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?99597122bcf08015	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?99597122bcf08015 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ctldl.windowsupdate.com

Behavior Summary

File-Written

C:\Users\Harry Dresden\AppData\Local\Temp\DSMonitor.otf

File-Opened

C:\Users\Harry Dresden\AppData\Local\Temp\dsynchronize\
C:\

Directory-Enumerated

C:\Users\Harry Dresden\AppData\Local\Temp\dsynchronize\Monitor.exe
C:\Users\Harry Dresden\AppData\Local\Temp
C:\Users\Harry Dresden\AppData
C:\Users\Harry Dresden\AppData\Local
C:\Users

Registry Key-Opened

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\Monitor.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_CURRENT_USER\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_CURRENT_USER\CLSID\{E3F2C26D-F0BA-4AED-8DED-8D0D88159B80}
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PropertyBag
HKEY_CURRENT_USER\CLSID\{4E55C00E-1A28-4880-96AB-75729B3B17E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{846EE342-7039-11DE-9D20-806E6F6E6963}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\CLSID\{9A5B4934-8EC6-4F4D-BC31-CFC91CD896A0}
HKEY_CURRENT_USER\CLSID\{2BBDA6B4-12CD-45A7-A946-FFF60D4C9C81}
HKEY_CURRENT_USER\CLSID\{4D34BEDA-EB9B-4585-922F-A5E8C49151CA}
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_CURRENT_USER\CLSID\{66267097-DDC1-498B-A9F2-42E758CC14AC}
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_CURRENT_USER\CLSID\{30B07C54-AAC6-4B27-9085-C04DCB25FFDA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}
HKEY_CURRENT_USER\CLSID\{91574163-27FF-4C06-A1CA-76E6AA75D37F}
HKEY_CURRENT_USER\CLSID\{AF99426E-C944-420C-A5A8-9FE7F200A253}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\PropertyBag
HKEY_CURRENT_USER\CLSID\{37595134-022D-4C43-915E-DE227CD98FA2}
HKEY_CURRENT_USER\CLSID\{617BCFA5-DC4A-4E57-84F1-867865666790}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}
HKEY_CURRENT_USER\CLSID\{1EEE4DBF-4031-43F1-B5C3-FB09053291A1}
HKEY_CURRENT_USER\CLSID\{B0BA02E4-F957-4838-B078-9E3F43DCF09F}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979d8f-dbb2-48d6-a984-d5b3af417131}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{846EE342-7039-11DE-9D20-806E6F6E6963}
HKEY_CURRENT_USER\CLSID\{09107742-292E-47EB-8A23-FEECC7E9792A}
HKEY_CURRENT_USER\CLSID\{537A8CF2-C9AE-4D29-B77A-A101B9EB6764}

Registry Key-Read

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\StreamResourceType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\FolderTypeID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\RegistrationEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Icon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\RegisterAdapterName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}\EnableDhcp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\StreamResourceType
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\InfoTip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\610D998A
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\DhcpDomain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}\DhcpDomain
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\InfoTip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}\RegistrationEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\StreamResource
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\EnableDhcp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Category
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\Dhcpv6Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\ParentFolder

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\dsynchronize\Monitor.exe" PID: 3964, Parent PID: 2212

Volatility

Nothing to display.