Hello Reader,
Continuing on from last nights test kitchen I've had another broadcast today trying to monitor the changes to the registry with Sysmon. What I saw in Sysmon showed me the key was being created each time Explorer exits and then set the values of the url keys, however it did not ever show the key being deleted.
So we did some exploration into the TxR regtrans files and the LOG1/LOG2 transactional registry files in an attempt to find the changing keys. We may have found references to the keys but now we need more tools to decode the transactional logs, so ewe will continue another night.
You can watch the video here:
You can watch the video here:
Also Read: Daily Blog #484
Post a Comment