Category FILE
Started On 2018-08-04 09:02:40.287890
Completed On 2018-08-04 09:04:48.005461
Duration 127 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2018-08-04 09:02:42
Shutdown On 2018-08-04 09:04:47

File Details

File name eb36ce4a68593d638d6a5248fdf49003759b7661.zip
File size 17743365 bytes
File type Zip archive data, at least v1.0 to extract
CRC32 3BD781BF
MD5 a8fce6f93ef18c1497b6e2f475f3606d
SHA1 eb36ce4a68593d638d6a5248fdf49003759b7661
SHA256 1f528b82024e3753844a68a1b51aed7bc8c402e1817c2940472e10e2d528b008
SHA512 7f5d1a62a50879353df24b2a589a7ca8bc54eb6cca86c0236ff810a74dcabba5f520549266cdb81a4a1f231444a78b421fdee1aeeac8d8174b6df7c7fb1e6779
Ssdeep None
PEiD None matched
Yara
  • shellcode (Matched shellcode byte patterns)
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1533387955]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

antivm_queries_computername
antivm_memory_available
openprocess_nonchild
allocates_rwx
antivm_disk_size
suspicious_process
antivm_network_adapters
nolookup_communication
exploit_heapspray
ransomware_extensions

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

e3b0c44298fc1c14_Ultracopier.conf.qHp948

73fed9b99a0a8605_Ultracopier.conf.lock

4707b48a6dd96177_ultracopier.conf

ultracopier.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\PluginLoader\catchcopy-v0002\catchcopy64.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\es\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\hu\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\el\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\it\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\th\informations.xml
  • \\?\PIPE\srvsvc
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\it\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ru\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ja\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ar\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ja\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ko\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ko\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\pt\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\nl\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\CopyEngine\Ultracopier\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\zh\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\el\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\no\flag.png
  • \\?\PIPE\wkssvc
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\tr\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ru\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\zh_TW\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\es\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Themes\Oxygen\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\fr\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\hu\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\no\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\th\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\tr\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\id\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\hi\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\id\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\zh\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\zh_TW\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\PluginLoader\catchcopy-v0002\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\de\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\nl\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\pt\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Listener\catchcopy-v0002\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ar\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\pl\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\de\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\fr\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\pl\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\hi\flag.png
File-Written
  • \\?\PIPE\wkssvc
  • \\?\PIPE\srvsvc
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Ultracopier.conf.aem948
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Ultracopier.conf.lock
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Ultracopier.conf.qHp948
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Ultracopier.conf.Uhg948
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Ultracopier.conf.lock
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\PluginLoader\catchcopy-v0002\catchcopy64.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Listener\catchcopy-v0002\listener.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\es\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\hu\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\PluginLoader\catchcopy-v0002\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\el\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\it\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\th\informations.xml
  • \\?\PIPE\srvsvc
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\it\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\qt-plugins\platforms\qwindows.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ru\informations.xml
  • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ja\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ar\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ja\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ko\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\tr\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\pt\flag.png
  • C:\
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\nl\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\CopyEngine\Ultracopier\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\zh\informations.xml
  • \\?\pipe\qt-26E9
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\el\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\no\flag.png
  • \\?\pipe\qt-1649
  • \\?\PIPE\wkssvc
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\PluginLoader\catchcopy-v0002\pluginLoader.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\tr\flag.png
  • D:\
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ru\flag.png
  • \\?\pipe\qt-6DF1
  • \\?\pipe\qt-41BB
  • \\?\pipe\qt-5AF1
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\zh_TW\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\es\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Themes\Oxygen\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\fr\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\hu\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\th\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\no\informations.xml
  • C:\Windows\Fonts\tahomabd.ttf
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ko\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\id\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\hi\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\id\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\zh\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\zh_TW\informations.xml
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\de\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\nl\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\pt\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Listener\catchcopy-v0002\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\ar\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Themes\Oxygen\interface.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\CopyEngine\Ultracopier\copyEngine.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\pl\informations.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\de\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\fr\informations.xml
  • \\?\pipe\qt-5F90
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\pl\flag.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\hi\flag.png
File-Moved
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Ultracopier.conf.aem948 -> C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Ultracopier.conf
Directory-Enumerated
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Listener\*
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\qt-plugins\platforms\*
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\PluginLoader\*
  • C:\Users
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Languages\*
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\Themes\*
  • C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\CopyEngine\*
  • C:\Users\Harry Dresden\AppData
Registry Key-Opened
  • HKEY_CLASSES_ROOT\.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\AutoRegister
  • HKEY_CLASSES_ROOT\dllfile
  • HKEY_CLASSES_ROOT\.dll
  • HKEY_CLASSES_ROOT\dllfile
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}\InprocServer32
  • HKEY_CURRENT_USER\Software\Classes\textfile\shellex\DragDropHandlers\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}
  • HKEY_CURRENT_USER\Software\Classes\Directory\shellex\DragDropHandlers\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\AutoRegister
  • HKEY_CURRENT_USER\Software\Classes\Drive\shellex\DragDropHandlers\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}
  • HKEY_CURRENT_USER\Software\Classes\Folder\shellex\DragDropHandlers\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LsaExtensionConfig\SspiCli
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PropertyBag
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PropertyBag
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Avalon.Graphics
  • HKEY_CURRENT_USER\Interface\{00000134-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PropertyBag
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache\Parameters
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
  • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\PropertyBag
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\ultracopier.exe
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PeerDist\Service
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PropertyBag
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache
  • HKEY_CLASSES_ROOT\.dll
  • HKEY_CLASSES_ROOT\dllfile
  • HKEY_CURRENT_USER\Software\Classes\Drive\shellex\DragDropHandlers\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\AutoRegister
  • HKEY_CURRENT_USER\Software\Classes\textfile\shellex\DragDropHandlers\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}
  • HKEY_CURRENT_USER\Software\Classes\Folder\shellex\DragDropHandlers\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}
  • HKEY_CURRENT_USER\Software\Classes\Directory\shellex\DragDropHandlers\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\eu-ES
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Parameters\ClientCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ParentFolder
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\cs-CZ
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\fr-CA
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\sk-SK
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Description
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\pt-BR
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ca-ES
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\vi-VN
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\nb-NO
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\hu-HU
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\pt-PT
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\sv-SE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\hu-HU
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Attributes
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\tr-TR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\sl-SI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\fr-FR
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\sk-SK
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\de-DE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\pl-PL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Comment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\fi-FI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Icon
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\sv-SE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\es-ES_tradnl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\vi-VN
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\pt-PT
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\RelativePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Type
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\819BDAE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureRoutine
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParsingName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\nb-NO
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ParsingName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\da-DK
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ca-ES
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\StreamResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\el-GR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Stream
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Attributes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Category
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\da-DK
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\eu-ES
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\de-DE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\cs-CZ
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\pt-BR
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\TokenSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Capabilities
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\es-ES_tradnl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\es-ES
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\fr-FR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\fi-FI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Category
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\el-GR
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\es-MX
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PreCreate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\nl-NL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\tr-TR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\es-ES
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\InfoTip
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\fr-CA
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Version
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\es-MX
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Roamable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\pl-PL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\sl-SI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\RpcId
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\ParentFolder
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\nl-NL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
Registry Key-Written
  • HKEY_CURRENT_USER\Directory\shellex\DragDropHandlers\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}\(Default)
  • HKEY_CURRENT_USER\CLSID\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Drive\shellex\DragDropHandlers\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}\(Default)
  • HKEY_CURRENT_USER\CLSID\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}\(Default)
  • HKEY_CURRENT_USER\CLSID\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}\InprocServer32\ThreadingModel
  • HKEY_CURRENT_USER\textfile\shellex\DragDropHandlers\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}\(Default)
  • HKEY_CURRENT_USER\Folder\shellex\DragDropHandlers\{68D44A27-FFB6-4B89-A3E5-7B0E50A7AB33}\(Default)
  • HKEY_CURRENT_USER\CLSID\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Drive\shellex\DragDropHandlers\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}\(Default)
  • HKEY_CURRENT_USER\textfile\shellex\DragDropHandlers\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}\(Default)
  • HKEY_CURRENT_USER\Folder\shellex\DragDropHandlers\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}\(Default)
  • HKEY_CURRENT_USER\Directory\shellex\DragDropHandlers\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}\(Default)
  • HKEY_CURRENT_USER\CLSID\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}\(Default)
  • HKEY_CURRENT_USER\CLSID\{68FF37C4-51BC-4C2A-A992-7E39BC0E706F}\InprocServer32\ThreadingModel

Processes

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\ultracopier-ultimate-portable-windows-x86\ultracopier.exe" PID: 948, Parent PID: 2860

regsvr32 /s "C:/Users/Harry Dresden/AppData/Local/Temp/ultracopier-ultimate-portable-windows-x86\PluginLoader\catchcopy-v0002\catchcopy64.dll" PID: 3908, Parent PID: 948

/s "C:/Users/Harry Dresden/AppData/Local/Temp/ultracopier-ultimate-portable-windows-x86\PluginLoader\catchcopy-v0002\catchcopy64.dll" PID: 3300, Parent PID: 3908

regsvr32 /s "C:/Users/Harry Dresden/AppData/Local/Temp/ultracopier-ultimate-portable-windows-x86\PluginLoader\catchcopy-v0002\catchcopy32.dll" PID: 2528, Parent PID: 948

Volatility

Nothing to display.