'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2017-03-31 09:25:06.524019 2017-03-31 09:26:04.979956 58 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo win7 Clone 1 VirtualBox 2017-03-31 09:25:06 2017-03-31 09:26:03

File Details

File name a1ee569819fb4eeb8df839cec8e5c48098b78707.zip
File size 306785 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 ED957238
MD5 7eca8d4986f3a3185999d83f1fe2a382
SHA1 a1ee569819fb4eeb8df839cec8e5c48098b78707
SHA256 422c7bae668a0c72fb62740d55db703f552ea1e8df336430695b331988277268
SHA512 392cc0dd482f92b1be38d7f07e0336d35cb8d00b6aaaf5394aecee6eca99abd54eac8f8708c5503def99e19c86fcd97bda6eb6d6c0946a8726068a6053fd8b77
Ssdeep 6144:YTM0uY1wjPiiWIiP2ZNlY1a1gxNH1VMbx4jbEIWZJXXAyH8jHjLdVx8oivSiTy:P0b1wLiTP2ZNdQH16tGb7WLgyHcDLdVl
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=125, Anomalies=0, PEiD=0, Yara=0, VT[1490952429]=0): Snort Events=4, AV Events=2
Total Score=125

SNORT EVENTS:
ET TROJAN Fareit/Pony Downloader Checkin 2
ET TROJAN Trojan Generic - POST To gate.php with no referer
ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK

CLAMAV DETECTED:
Sanesecurity.Malware.20845.ZipHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.22205.ZipHeur.UNOFFICIAL FOUND

Signatures

antivm_queries_computername details
locates_browser details
antivm_memory_available details
dumped_buffer details
Security_Cache_Tampering details
infostealer_browser details
dumped_buffer2 details
banker_zeus_url details
infostealer_ftp details
MF_Heuristic details
dropper details
infostealer_ftp details
recon_programs details
infostealer_mail details
injection_runpe details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

936d9411d5226b7c_11359953.bat

fa514ea9a719779e_Purchase Order.exe

Purchase Order.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Windows\System32\mscoree.dll
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • \\?\PIPE\samr
  • C:\Windows\win.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Local\Temp\11359953.bat
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\11359953.bat
  • \\?\PIPE\samr
File-Deleted
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.3904.11343281
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3904.11343281
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3904.11343281
  • C:\Users\Harry Dresden\AppData\Local\Temp\11359953.bat
  • C:\Users\Harry Dresden\AppData\Local\Temp\Purchase Order.exe
File-Opened
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
  • C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
  • C:\Windows\System32\l_intl.nls
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\Windows\System32\mscoree.dll
  • C:\Windows\assembly\pubpol40.dat
  • C:\Users\Harry Dresden\AppData\Local\Temp\Purchase Order.exe
  • C:\Windows\System32\
  • C:\Windows\assembly\NativeImages_v2.0.50727_32\index538.dat
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\
  • C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\win.ini
  • \\?\PIPE\samr
  • C:\Program Files (x86)\Mozilla Firefox
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Local\Temp\11359953.bat
  • C:\
Network-Connects IP
  • 107.180.12.96
Directory-Created
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\History
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Cookies
  • C:\Users\Harry Dresden\AppData\Roaming
Directory-Enumerated
  • C:\Windows\Microsoft.NET\Framework\*
  • C:\Users
  • C:\Windows\System32\*.*
  • C:\Windows\System32\mscoree.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.INI
  • C:\Users\Harry Dresden\AppData\Local\Temp\Purchase Order.INI
  • C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
  • C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
  • C:\Windows
  • C:\Windows\winsxs
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\*.*
  • C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Users\Harry Dresden\AppData
  • C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
  • C:\Windows\System32
  • C:\Users\Harry Dresden\AppData\Roaming\Frigate3\*.*
  • C:\ProgramData\LeapWare\LeapFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Devcoin\*.*
  • C:\ProgramData\Devcoin\*.*
  • C:\ProgramData\Bitcoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\CuteFTP\*.*
  • C:\ProgramData\MapleStudio\ChromePlus\*.*
  • C:\Users\Harry Dresden\Documents\My Music\*.*
  • C:\Program Files (x86)\GlobalSCAPE\CuteFTP\*.*
  • C:\ProgramData\GlobalSCAPE\CuteFTP\*.*
  • C:\ProgramData\Frigate3\*.*
  • C:\Users\Harry Dresden\AppData\Local\CuteFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Visicom Media\*.*
  • C:\ProgramData\FTP Explorer\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Bitcoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Yacoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Chromium\*.*
  • C:\Users\Harry Dresden\AppData\Local\PPCoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Estsoft\ALFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Craftcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Visicom Media\*.*
  • C:\ProgramData\Mincoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Terracoin\*.*
  • C:\Program Files (x86)\CuteFTP\*.*
  • C:\ProgramData\GlobalSCAPE\CuteFTP Pro\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\BBQcoin\*.*
  • C:\ProgramData\Cyberduck\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\LeapWare\LeapFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Crash Reports\*.*
  • C:\Users\Harry Dresden\AppData\Local\Florincoin\*.*
  • C:\ProgramData\NovaCoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Tagcoin\*.*
  • C:\ProgramData\Terracoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\NetSarang\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\The Bat!\*.*
  • C:\Users\Harry Dresden\AppData\Local\Namecoin\*.*
  • C:\ProgramData\Franko\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\FTP Explorer\*.*
  • C:\Users\Harry Dresden\AppData\Local\Franko\*.*
  • C:\Users\Harry Dresden\AppData\Local\Sites\*.*
  • C:\ProgramData\Craftcoin\*.*
  • C:\ProgramData\BatMail\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\BlazeFtp\*.*
  • C:\Users\Harry Dresden\AppData\Local\I0coin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\minidumps\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Maxprog\FTP Disk\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\GoldCoin (GLD)\*.*
  • C:\ProgramData\Google\Chrome\*.*
  • C:\ProgramData\Freicoin\*.*
  • C:\ProgramData\Worldcoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\GPSoftware\Directory Opus\*.*
  • C:\ProgramData\SiteDesigner\*.*
  • C:\Users\Harry Dresden\AppData\Local\FTP Explorer\*.*
  • C:\ProgramData\RhinoSoft.com\*.*
  • C:\Windows\winsxs
  • C:\Users\Harry Dresden\AppData\Roaming\SmartFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\RhinoSoft.com\*.*
  • C:\ProgramData\Namecoin\*.*
  • C:\ProgramData\Maxprog\FTP Disk\*.*
  • C:\Users\Harry Dresden\AppData\Local\Yandex\*.*
  • C:\Users\Harry Dresden\AppData\Local\GlobalSCAPE\CuteFTP Lite\*.*
  • C:\Users\Harry Dresden\AppData\Local\Ipswitch\*.*
  • C:\Users\Harry Dresden\AppData\Local\GlobalSCAPE\CuteFTP Pro\*.*
  • C:\Users\Harry Dresden\AppData\Local\Fastcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Craftcoin\*.*
  • C:\ProgramData\AceBIT\*.*
  • C:\Users\Harry Dresden\AppData\Local\Digitalcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\MapleStudio\ChromePlus\*.*
  • C:\Users\Harry Dresden\AppData\Local\Bromium\*.*
  • C:\ProgramData\*.*
  • C:\Users\Harry Dresden\AppData\Local\BBQcoin\*.*
  • C:\ProgramData\MultiBit\*.*
  • C:\Users\Harry Dresden\AppData\Local\Notepad++\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Fastcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\FTPGetter\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Junkcoin\*.*
  • C:\ProgramData\Electrum\*.*
  • C:\Users\Harry Dresden\AppData\Local\Tagcoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Nichrome\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Quarkcoin\*.*
  • C:\ProgramData\Digitalcoin\*.*
  • C:\ProgramData\Luckycoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\ProtoShares\*.*
  • C:\ProgramData\GoldCoin (GLD)\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Litecoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\NetDrive\*.*
  • C:\Users\Harry Dresden\AppData\Local\Nichrome\*.*
  • C:\ProgramData\Zetacoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Bytecoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Infinitecoin\*.*
  • C:\ProgramData\CuteFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\Opera Software\*.*
  • C:\ProgramData\Infinitecoin\*.*
  • C:\Users\Harry Dresden\Documents\My Videos\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\RhinoSoft.com\*.*
  • C:\Users\Harry Dresden\AppData\Local\MultiBit\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\ProgramData\I0coin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\*.*
  • C:\ProgramData\Litecoin\*.*
  • C:\ProgramData\Yandex\*.*
  • C:\ProgramData\FTPGetter\*.*
  • C:\Users\Harry Dresden\AppData\Local\Worldcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Megacoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Google\Chrome\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Phoenixcoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\NetDrive\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Pocomail\*.*
  • C:\ProgramData\Bromium\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\bookmarkbackups\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\AceBIT\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Electrum\*.*
  • C:\Users\Harry Dresden\AppData\Local\AceBIT\*.*
  • C:\Users\Harry Dresden\Desktop\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\FTPInfo\*.*
  • C:\ProgramData\Opera Software\*.*
  • C:\ProgramData\Armory\*.*
  • C:\Windows
  • C:\ProgramData\Comodo\*.*
  • C:\ProgramData\VanDyke\Config\Sessions\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\MultiBit\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Cyberduck\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Bromium\*.*
  • C:\Users\Harry Dresden\AppData\Local\FTPInfo\*.*
  • C:\ProgramData\SmartFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\MapleStudio\ChromePlus\*.*
  • C:\ProgramData\Bytecoin\*.*
  • C:\ProgramData\Fastcoin\*.*
  • C:\ProgramData\The Bat!\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Global Downloader\*.*
  • C:\ProgramData\PPCoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Anoncoin\*.*
  • C:\ProgramData\Visicom Media\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Notepad++\*.*
  • C:\Users\Harry Dresden\AppData\Local\Global Downloader\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\BatMail\*.*
  • C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\*.*
  • C:\Users\Harry Dresden\AppData\Local\Maxprog\FTP Disk\*.*
  • C:\ProgramData\Anoncoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Zetacoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Namecoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\*.*
  • C:\ProgramData\BulletProof Software\*.*
  • C:\Users\Harry Dresden\AppData\Local\BulletProof Software\*.*
  • C:\ProgramData\NetSarang\*.*
  • C:\Users\Harry Dresden\AppData\Local\Pocomail\*.*
  • C:\Users\Harry Dresden\AppData\Local\Bytecoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Cyberduck\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\I0coin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Feathercoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Yandex\*.*
  • C:\ProgramData\Chromium\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\BulletProof Software\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\FTPGetter\*.*
  • C:\ProgramData\ProtoShares\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Franko\*.*
  • C:\ProgramData\Junkcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Comodo\*.*
  • C:\Users\Harry Dresden\AppData\Local\TurboFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\BatMail\*.*
  • C:\ProgramData\Notepad++\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Digitalcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\GPSoftware\Directory Opus\*.*
  • C:\ProgramData\Ipswitch\*.*
  • C:\ProgramData\Tagcoin\*.*
  • C:\ProgramData\TurboFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Luckycoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\VanDyke\Config\Sessions\*.*
  • C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\*.*
  • C:\ProgramData\3D-FTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\Yacoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\NetSarang\*.*
  • C:\ProgramData\INSoftware\NovaFTP\*.*
  • C:\ProgramData\Feathercoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Feathercoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Ixcoin\*.*
  • C:\ProgramData\Megacoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\NovaCoin\*.*
  • C:\ProgramData\RockMelt\*.*
  • C:\Users\Harry Dresden\AppData\Local\Google\Chrome\*.*
  • C:\Users\Harry Dresden\AppData\Local\FTPRush\*.*
  • C:\Users\Harry Dresden\AppData\Local\The Bat!\*.*
  • C:\Users\Harry Dresden\AppData\Local\Junkcoin\*.*
  • C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
  • C:\Users\Harry Dresden\AppData\Local\NovaCoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Florincoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Worldcoin\*.*
  • C:\ProgramData\Pocomail\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Primecoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Megacoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\BitKinex\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Estsoft\ALFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\LeapWare\LeapFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\VanDyke\Config\Sessions\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\*.*
  • C:\ProgramData\Ixcoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\ChromePlus\*.*
  • C:\Users\Harry Dresden\AppData\Local\Primecoin\*.*
  • C:\ProgramData\Nichrome\*.*
  • C:\ProgramData\BitKinex\*.*
  • C:\Users\Harry Dresden\Documents\My Pictures\*.*
  • C:\Users\Harry Dresden\Documents\*.*
  • C:\Users\Harry Dresden\AppData\Local\Luckycoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Roaming\ProtoShares\*.*
  • C:\ProgramData\Phoenixcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\RockMelt\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Comodo\*.*
  • C:\Users\Harry Dresden\AppData\Local\Infinitecoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\BlazeFtp\*.*
  • C:\Users\Harry Dresden\AppData\Local\GlobalSCAPE\CuteFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Zetacoin\*.*
  • C:\ProgramData\ChromePlus\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\TurboFTP\*.*
  • C:\ProgramData\NetDrive\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\ProgramData\GPSoftware\Directory Opus\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Ixcoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\*.*
  • C:\ProgramData\Florincoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\FTPRush\*.*
  • C:\ProgramData\Global Downloader\*.*
  • C:\Users\Harry Dresden\AppData\Local\Freicoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Electrum\*.*
  • C:\ProgramData\Sites\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Opera Software\*.*
  • C:\Users\Harry Dresden\AppData\Local\Litecoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Phoenixcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\INSoftware\NovaFTP\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\BitKinex\*.*
  • C:\Users\Harry Dresden\AppData\Local\SmartFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\Chromium\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\PPCoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Terracoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Anoncoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Armory\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Ipswitch\*.*
  • C:\Users\Harry Dresden\AppData\Local\Bitcoin\*.*
  • C:\ProgramData\FTPRush\*.*
  • C:\ProgramData\FTPInfo\*.*
  • C:\ProgramData\BlazeFtp\*.*
  • C:\Users\Harry Dresden\AppData\Local\GoldCoin (GLD)\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Sites\*.*
  • C:\Users\Harry Dresden\AppData\Local\Devcoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Mincoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Freicoin\*.*
  • C:\ProgramData\Yacoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\Mincoin\*.*
  • C:\ProgramData\Quarkcoin\*.*
  • C:\ProgramData\Primecoin\*.*
  • C:\Users\Harry Dresden\AppData\Local\Frigate3\*.*
  • C:\ProgramData\Estsoft\ALFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\Armory\*.*
  • C:\ProgramData\GlobalSCAPE\CuteFTP Lite\*.*
  • C:\Users\Harry Dresden\AppData\Local\ChromePlus\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\RockMelt\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\INSoftware\NovaFTP\*.*
  • C:\Program Files (x86)\Common Files\Ipswitch\WS_FTP\*.*
  • C:\ProgramData\BBQcoin\*.*
  • C:\Users\Harry Dresden\AppData\Roaming\GlobalSCAPE\CuteFTP\*.*
  • C:\Users\Harry Dresden\AppData\Local\Quarkcoin\*.*
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Users\Harry Dresden\AppData\Local\Temp\Purchase Order.exe
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users\Harry Dresden\AppData\Local\Temp\11359953.bat
  • C:\Users
  • C:\Users\Harry Dresden\AppData
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\40b284ba\f
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\Policy\Standards\v2.0.50727
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\Policy\v4.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index538
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\d
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
  • \Policy\Standards
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3416602863-1947377224-293699093-1003
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\3afc2ff2\6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\1c0fa883\2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3bceaf\4fb8b0b0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Windows.Forms__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7052b446\22ccf39c
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Data.SqlXml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\Policy\AppPatch\v4.0.30319.00000
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Purchase Order.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\615f9e15\8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\4efd60f7\3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d1b2185\9e07e4f
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
  • HKEY_CURRENT_USER\Software\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Assemblies\C:|Users|Harry Dresden|AppData|Local|Temp|Purchase Order.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\3029020b\4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2077bef2\7
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\6a8005f1\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Harry Dresden|AppData|Local|Temp|Purchase Order.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\Security\Policy\Extensions\NamedPermissionSets\Internet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7052b446\41fdfe90
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\Policy\Standards
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Harry Dresden|AppData|Local|Temp|Purchase Order.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d1b2185\7c8f731d
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PerformanceTest 7_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1
  • HKEY_CURRENT_USER\Software\Mozilla
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
  • HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E2B51919-207A-43EB-AE78-733F9C6797C2}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
  • \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\VanDyke\SecureFX
  • HKEY_LOCAL_MACHINE\Software\RIT\The Bat!
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
  • HKEY_LOCAL_MACHINE\Software\FlashFXP\3
  • HKEY_LOCAL_MACHINE\Software\FlashFXP\4
  • HKEY_LOCAL_MACHINE\Software\South River Technologies\WebDrive\Connections
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
  • HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Options
  • HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
  • HKEY_CURRENT_USER\Software\IncrediMail
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  • HKEY_LOCAL_MACHINE\Software\FlashFXP
  • HKEY_CURRENT_USER\Software\RIT\The Bat!
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{975C3A93-2491-3D44-A071-F6CBF153E46D}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PropertyBag
  • HKEY_CURRENT_USER\Software\FileZilla Client
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0371FF472F1B88D429B65186AF6ED17B\InstallProperties
  • HKEY_CURRENT_USER\Software\SoftX.org\FTPClient\Sites
  • HKEY_CURRENT_USER\SOFTWARE\Robo-FTP 3.7\FTPServers
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 12.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Robo-FTP 3.7\Scripts
  • HKEY_CURRENT_USER\Software\South River Technologies\WebDrive\Connections
  • HKEY_CLASSES_ROOT\FTP++.Link\shell\open\command
  • HKEY_CURRENT_USER\Software\WinRAR
  • HKEY_CURRENT_USER\Software\Far\SavedDialogHistory\FTPHost
  • HKEY_CURRENT_USER\Software\Sota\FFFTP\Options
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PropertyBag
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_CURRENT_USER\Software\ExpanDrive
  • HKEY_CLASSES_ROOT\Opera.HTML\shell\open\command
  • HKEY_CURRENT_USER\Software\LeechFTP
  • HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
  • HKEY_CURRENT_USER\Software\CoffeeCup Software
  • HKEY_CURRENT_USER\Software\FlashFXP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3416602863-1947377224-293699093-1003\Components\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
  • HKEY_CURRENT_USER\Software\BPFTP
  • HKEY_LOCAL_MACHINE\SOFTWARE\NCH Software\Fling\Accounts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AB0000000001}
  • HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
  • HKEY_LOCAL_MACHINE\Software\Martin Prikryl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
  • HKEY_CURRENT_USER\SOFTWARE\NCH Software\Fling\Accounts
  • HKEY_CURRENT_USER\Software\Far Manager\SavedDialogHistory\FTPHost
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\mru\jobs
  • HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\FTP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95120000-003F-0409-0000-0000000FF1CE}
  • HKEY_CURRENT_USER\Software\Ghisler\Total Commander
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\12.0 (en-US)
  • HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
  • HKEY_LOCAL_MACHINE\Software\RIT\The Bat!\Users depot
  • HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Options
  • HKEY_CURRENT_USER\Software\Adobe\Common
  • HKEY_CURRENT_USER\Software\Far Manager\Plugins\FTP\Hosts
  • HKEY_LOCAL_MACHINE\Software\TurboFTP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\PropertyBag
  • HKEY_CURRENT_USER\Software\FTPClient\Sites
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 12.0\extensions
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
  • HKEY_CURRENT_USER\Software\FlashFXP\3
  • HKEY_CURRENT_USER\Identities
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • HKEY_CURRENT_USER\Software\FlashFXP\4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{88603FC0-6B3C-442D-981E-E3D49F083548}_is1
  • HKEY_CLASSES_ROOT\CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
  • HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  • HKEY_CURRENT_USER\Software\Opera Software
  • HKEY_LOCAL_MACHINE\Software\Nico Mak Computing\WinZip\FTP
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • HKEY_CURRENT_USER\Software\FileZilla
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 9\QCToolbar
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757
  • HKEY_LOCAL_MACHINE\Software\FTPClient\Sites
  • HKEY_LOCAL_MACHINE\Software\FileZilla
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 12.0 (x86 en-US)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  • HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  • HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup
  • HKEY_LOCAL_MACHINE\Software\RimArts\B2\Settings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
  • HKEY_LOCAL_MACHINE\Software\Poco Systems Inc
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\RIT\The Bat!\Users depot
  • HKEY_CURRENT_USER\Software\Far2\SavedDialogHistory\FTPHost
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824166751}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90850409-6000-11D3-8CFE-0150048383C9}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217067FF}
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox
  • HKEY_CURRENT_USER\Software\Martin Prikryl
  • HKEY_CURRENT_USER\Software\TurboFTP
  • HKEY_CURRENT_USER\SOFTWARE\LeapWare
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
  • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{95140000-00AF-0409-0000-0000000FF1CE}
  • HKEY_CURRENT_USER\Software\Cryer\WebSitePublisher
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
  • HKEY_CURRENT_USER\Software\ExpanDrive\Sessions
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
  • HKEY_CURRENT_USER\Software\AceBIT
  • HKEY_CURRENT_USER\Software\Poco Systems Inc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Identities\{E5E75BBD-C0F6-409E-8A00-7A537CA1DB81}\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}
  • HKEY_LOCAL_MACHINE\Software\IncrediMail
  • HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
  • HKEY_LOCAL_MACHINE\Software\FileZilla Client
  • HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
  • HKEY_LOCAL_MACHINE\SOFTWARE\LeapWare
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
  • HKEY_LOCAL_MACHINE\Software\Mozilla
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1
  • HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\12.0 (en-US)\Uninstall
  • HKEY_CURRENT_USER\Software\RimArts\B2\Settings
  • HKEY_LOCAL_MACHINE\Software\Nico Mak Computing\WinZip\mru\jobs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Robo-FTP 3.7\FTPServers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Purchase Order.exe
  • HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
  • HKEY_CURRENT_USER\Software\Sota\FFFTP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 12.0\bin
  • HKEY_USERS\.DEFAULT
  • HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\12.0 (en-US)\Main
  • HKEY_LOCAL_MACHINE\Software\SoftX.org\FTPClient\Sites
  • HKEY_CURRENT_USER\Software\CoffeeCup Software\Internet\Profiles
  • HKEY_CURRENT_USER\Software\Ghisler\Windows Commander
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
  • HKEY_CURRENT_USER\Software\ChromePlus
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\0371FF472F1B88D429B65186AF6ED17B
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • HKEY_LOCAL_MACHINE\Software\AceBIT
  • HKEY_CURRENT_USER\SOFTWARE\Robo-FTP 3.7\Scripts
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
  • HKEY_LOCAL_MACHINE\Software\CoffeeCup Software
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\6a8005f1\a\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\615f9e15\8\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\615f9e15\8\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\CLRLoadLogDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\1c0fa883\2\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\9\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MVID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index40
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\9\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\3029020b\4\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\KERNELBASE.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\EvalationData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\3afc2ff2\6\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c\EvalationData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\11\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6\EvalationData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b\MissingDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b\ConfigString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\6a8005f1\a\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\11\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\40b284ba\f\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\1c0fa883\2\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2077bef2\7\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b\ILDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\615f9e15\8\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\6a8005f1\a\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\9\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\GCStressStart
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\Windows\LoadAppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\3afc2ff2\6\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\11\DisplayName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguageFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index538\ILUsageMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6\ConfigMask
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\d\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c\ConfigMask
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\EMPTY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6\ConfigString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\3029020b\4\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\6a8005f1\a\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2077bef2\7\Status
  • HKEY_CURRENT_USER\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c\NIDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4\MVID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\11\Modules
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US\Type
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\1c0fa883\2\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c\MVID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\GCStressStartAtJit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\1c0fa883\2\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\11\LastModTime
  • HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6\NIDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US\AlternateCodePage
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6\MissingDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4\ConfigMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\3afc2ff2\6\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\4efd60f7\3\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c\MissingDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\40b284ba\f\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4\ILDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ConfigString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\3029020b\4\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b\NIDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\615f9e15\8\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\NIDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\3afc2ff2\6\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\InstallRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\4efd60f7\3\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\MSCOREE.DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\40b284ba\f\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\d\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\3afc2ff2\6\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\UseLegacyV2RuntimeActivationPolicyDefaultValue
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b\MVID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6\MVID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\9\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4\NIDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\d\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\MissingDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\9\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4\MissingDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c\ConfigString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b\ConfigMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\DisableConfigCache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\d\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2077bef2\7\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4\ConfigString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\b\EvalationData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\615f9e15\8\Modules
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFRAMEWORK\OnlyUseLatestCLR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2077bef2\7\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\c\ILDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\8\ILDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\KERNEL32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4\EvalationData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\40b284ba\f\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\4efd60f7\3\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\75638fee\1c0fa883\2\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\d\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\40b284ba\f\LastModTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\4efd60f7\3\Modules
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\2077bef2\7\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\3029020b\4\SIG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\4efd60f7\3\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\6a8005f1\a\Status
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index538\NIUsageMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\3029020b\4\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\6\ILDependencies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6faf58\19ab8d57\4\Status
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824166751}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Account Manager\Outlook
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{95140000-00AF-0409-0000-0000000FF1CE}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\ParsingName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 12.0 (x86 en-US)\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PerformanceTest 7_is1\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\UninstallString
  • HKEY_CURRENT_USER\Software\WinRAR\Client Hash
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\ParentFolder
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\InfoTip
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\UninstallString
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Attributes
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{975C3A93-2491-3D44-A071-F6CBF153E46D}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PerformanceTest 7_is1\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox 12.0\extensions\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E2B51919-207A-43EB-AE78-733F9C6797C2}\DisplayName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AB0000000001}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 12.0 (x86 en-US)\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-0000-0000000FF1CE}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Attributes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{95120000-003F-0409-0000-0000000FF1CE}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{975C3A93-2491-3D44-A071-F6CBF153E46D}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{88603FC0-6B3C-442D-981E-E3D49F083548}_is1\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{88603FC0-6B3C-442D-981E-E3D49F083548}_is1\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{95140000-00AF-0409-0000-0000000FF1CE}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox 12.0\bin\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\Uninstall\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName
  • \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{95120000-003F-0409-0000-0000000FF1CE}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\TaskBarIDs\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\FolderTypeID
  • HKEY_CURRENT_USER\Software\WinRAR\HWID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\PublishExpandedPath
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90850409-6000-11D3-8CFE-0150048383C9}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173\UninstallString
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\UninstallString
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E2B51919-207A-43EB-AE78-733F9C6797C2}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AB0000000001}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217067FF}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\InfoTip
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
  • \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217067FF}\DisplayName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PreCreate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90850409-6000-11D3-8CFE-0150048383C9}\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\Main\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\UninstallString
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Salt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Account Manager\Outlook
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824166751}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\StreamResource
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\History
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1\DisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox 12.0\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\PathToExe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573\UninstallString
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{D9DC8A3B-B784-432E-A781-5A1130A75963}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
  • HKEY_CURRENT_USER\Software\WinRAR\Client Hash
  • HKEY_CURRENT_USER\Software\WinRAR\HWID
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\Purchase Order.exe" PID: 3904, Parent PID: 2696

"C:\Users\Harry Dresden\AppData\Local\Temp\Purchase Order.exe " PID: 4724, Parent PID: 3904

C:\Windows\system32\cmd.exe /c ""C:\Users\HARRYD~1\AppData\Local\Temp\11359953.bat" "C:\Users\Harry Dresden\AppData\Local\Temp\Purchase Order.exe" " PID: 4700, Parent PID: 4724

Volatility

Nothing to display.